Thursday, April 2, 2015

XSS In Real World - Part 1 (Simple XSS)

XSS in Real World - Part 1 (Simple XSS)

Hi there, in this tutorial series, I will try to explain how to find XSS in real world, using some interesting techniques.

All of you know, that XSS is based on some code injection. It maybe <script> tag injection, or just an ‘-alert()-‘, I will explain about that later.

What do you need to find an XSS? Simply, only browser. But, if you want to make your life easier, and find it much faster, you may use this software:
  1. Firefox Browser
  2. FireBug Add-on
  3. HackBar Add-on
  4. Google.
I wanted to learn some advanced techniques of XSS, and found pretty cool way: http://xssposed.org
There are tons of verified XSS’s published by lot of security researchers, affecting VIP sites also.
VIP website on xssposed.org is Google PR > 6 or Alexa Rate < 50000.
So, I’ve wrote a script that grabbed all xssposed.org XSS urls, and started to filter out not interesting fields.
There were about 7500 urls.

You can download a list from here: https://ghostbin.com/paste/n6vk7/raw and filter out all you don’t need.


Real XSS (HTML Injection) Demo.

I will take a real examples of XSSs from xssposed.org that were not patched a very, very long time.

Our first target will be www.tcdb.org, XSS report dated 14/06/2008.
From that date, same XSS was reported more 3 times.




Take a look at the “search” field. Let’s enter inside some RANDOMSTRING inside <xxx> tag. Purpose of this test is to test, if there is some user input sanitation:

<xxx>RANDOMSTRING<xxx>


 As output, we see our “RANDOMSTRING” without <xxx> tags.


Let’s take a look at the source:                        // CTRL+U in Firefox and Chrome




As you can see, there is no filtration, and our <xxx> tag passed to browser as HTML.
Purple color means that the <xxx> interpreted as tag.

Finally, we enter:
<script>alert(document.domain)</script>





One thing you should notice: there is no GET parameters in URL. In this example the POST was used.
Open Hack-Bar add-on in Firefox, and after you come to search results, press Load URL and press on checkbox: Enable Post data



Some server-side scripts, handle GET and POST requests the same way.

Let’s check it:
http://www.tcdb.org/search/index.php?query=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E



In next part will discuss about WAF Filter Evasions.

Like & Share :)

Alexander Korznikov.

2 comments: