I hope you have already heard about Cross-Site Scripting, known as XSS. If not, read this first: en.wikipedia.org/wiki/Cross-site_scripting . This post focuses on finding an XSS hole and bypassing a filter.
XSS is a web application vulnerability that occurs due to improper or missing filtering of user input. It lets an attacker inject client-side script into web pages. This is not something with which you will deface a website or break into the admin panel; the bug is dangerous for users when it is found on any online form. The two main things you can do with it are stealing user sessions and injecting iframes, so this bug is mostly exploited to harm visitors rather than administrators. Okay, let's learn the approach to finding XSS bugs.

You might have tried finding an XSS hole by inserting a script like <script>alert('XSS')</script> into search fields and hoping for a box to pop up saying XSS. But that is not always the way to find an XSS bug.

This example will make everything clear.

Okay, go to this URL:
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=Overview

Let's replace 'Overview' with any keyword, say 'test', and hit Enter:

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=test

Now view the page source and search for the keyword 'test' with Ctrl+F; we can find it in the code.

Look carefully at where it got inserted in the source code:

<title>Chitkara Educational Trust > test</title>

Now let's replace 'test' with </title><h1>XSS</h1> and see what happens.

Note: <h1>...</h1> is the HTML heading tag.


http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><h1>XSS</h1>
We can see the keyword 'XSS' displayed on the webpage.



Let's look at the page source again.

We entered </title> to close the open <title> tag, and <h1>XSS</h1> is the actual HTML tag we wanted rendered on the page.

I hope this simple part is clear to you.

Now let's try to execute some JavaScript: <script>alert('XSS')</script>. A popup message box saying XSS should appear on the webpage.
Let's go to this URL:

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert('XSS')</script>

But nothing happens!

Now check the source code again.

See the backslashes ( \ ) automatically inserted before the single quotes ( ' ) we entered. Obviously, because of this our code didn't execute: alert(\'XSS\') is a JavaScript syntax error, so the browser never runs it. This is a kind of filter that we need to bypass.


Here we will use the JavaScript built-in function String.fromCharCode(), which builds a string from a list of character codes. These two snippets
<script>alert('XSS')</script> and <script>alert(String.fromCharCode(88, 83, 83))</script>
do the same thing, but we can see that THERE ARE NO QUOTES IN THE SECOND ONE.

Note: 88 and 83 are the ASCII values for X and S respectively. Visit http://www.asciitable.com for more.

Finally, try this:

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert(String.fromCharCode(88, 83, 83))</script>


Yes, it worked.

So finally we have managed to execute JavaScript :)
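The two filters side by side, as an added example that is not part of the original post: a Python model of the slash-inserting filter seen above (assumed to behave like PHP's addslashes, which the page does not state) next to the HTML entity encoding that actually stops user input from closing the <title> tag. The payloads and title prefix are constructed from the walkthrough above, not captured from the site.

```python
import html

# Constructed inputs mirroring the post's walkthrough; not captured from the site.
PAYLOAD_QUOTED = "</title><script>alert('XSS')</script>"
PAYLOAD_NO_QUOTES = "</title><script>alert(String.fromCharCode(88, 83, 83))</script>"
TITLE_PREFIX = "<title>Chitkara Educational Trust > "


def addslashes(value: str) -> str:
    """Model of the filter observed in the post: a backslash goes before each
    quote (assumed PHP addslashes-style behaviour). < and > are left alone,
    which is why closing the tag and injecting markup still works."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_title_slash_filter(sitetitle: str) -> str:
    """The vulnerable pattern: user input placed in markup after only addslashes."""
    return TITLE_PREFIX + addslashes(sitetitle) + "</title>"


def render_title_escaped(sitetitle: str) -> str:
    """The fix: entity-encode for the HTML text context. The browser shows the
    characters literally and the input can never close the <title> element."""
    return TITLE_PREFIX + html.escape(sitetitle, quote=True) + "</title>"


def escapes_title_context(page: str) -> bool:
    """True if the page holds more than the single </title> the template wrote,
    i.e. the input broke out of the title text node."""
    return page.count("</title>") > 1


def contains_script_tag(page: str) -> bool:
    """True if a literal <script tag survived into the rendered markup."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, payload in (("quoted", PAYLOAD_QUOTED), ("no quotes", PAYLOAD_NO_QUOTES)):
        weak = render_title_slash_filter(payload)
        safe = render_title_escaped(payload)
        print(f"{name:>9} | slash filter breaks out: {escapes_title_context(weak)}"
              f" | entity-encoded breaks out: {escapes_title_context(safe)}")
```

The quote-free payload passes the slash filter completely unchanged, which is the whole point of the post; the entity-encoded version leaves a single, intact <title> element for both payloads.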

10 comments:

  1. Are there any more techniques to bypass filters?
    And is it IMPOSSIBLE to get admin access to a website vulnerable to XSS?
    If no, please explain :)
    Thank you :)

  2. Noooh, it's possible to get admin access to an XSS-vulnerable website.....
    By the way, good tut Anish....

    Keep it up

  3. Good one. Usually people think XSS is not that dangerous, but it is as dangerous as SQLi; we can steal cookies with XSS.

  4. Hi,

    Thanks for this wonderful explanation.. I really thought only a pop-up box proves that a site is vulnerable..

    Before, my scanner said it was XSS, but when I tried the parameter there was no pop-up box, so I told my boss that it was a false positive.

    But after reading this, indeed, it was vulnerable to XSS, because after I inserted the parameter in the URL the word XSS did not pop up but was displayed on the page. Another page did not give a pop-up and did not display XSS on the page, but when I checked the source code of the page, the code was inserted... meaning the 2 pages are vulnerable to XSS.

    Please correct me if I'm mistaken.

    This is indeed a simple and clear explanation of XSS.

  5. Your boss is underground don?.. just asking! :P

  6. The website http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=Overview cannot be opened anymore?

  7. In this example it's only local, non-permanent XSS... the script is executed on the client side, not on the server side, so you cannot use it to deface or permanently modify the PHP page.

  8. Hi Aneesh,
    I have a doubt. I tried injecting the code in a form field which has the XSS vulnerability, but when I look into the source code the input is sanitized with &lt; and &gt; signs etc. But the script is shown as it is in the "if statement".
    So the doubt is: how can I get the proof of concept, and is this really an XSS vulnerability or just another false positive?
    Your advice is very valuable.

  9. I have replaced "Overview" with "test"..... but I can't find test in the page source.....
    Help would be greatly appreciated.....

  10. 1. With this script you can't copy or hack an account :))
    2. http://www.aidraci.ro/
    3. If you can't, I want this script; I'll pay with PayPal
