Cross Site Scripting- executing client side scripts
I hope you have already heard about Cross Site Scripting known as XSS. Just go through this first en.wikipedia.org/wiki/Cross-site_scripting . I have focussed on finding an XSS hole and bypssing a filter.
XSS is a web application vulnerability that occurs due to improper or no filteration of user's input . It enables the malicious attackers to inject client-side script into web pages. This is not something with which you are gonna deface a website or break in admin panel. This bug can be dangerous for users if found on any online forms . Basically you can do mainly two things that are stealing user sessions and injecting iframes. Actually this bug is basically exploited to harm the visitors rather than administrators.Okay Lets learn the approach to find XSS bugs.
You might have tried finding an XSS hole by inserting a script like this <script>alert('XSS')</script> in Search fields and hoping for a box to popup saying XSS. But its not always the way to find a XSS bug.
This example will make you everything clear.
Okay, go to this URL
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=Overview
Lets Replace 'Overview' with any keyword . Say 'test' and hit enter
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=test
Now check the source code of page and search for keyword 'test' by using Ctrl+F and we can find that in the code.
Carefully, see where it got inserted in the source code
<title>Chitkara Educational Trust > test</title>
Now lets replace the 'test' with </title><h1>XSS</h1> and see what happens
Note- <h1> It is the html heading tag </h1>
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><h1>XSS</h1>
We can see the keyword 'XSS' displayed on the webpage.
Lets again see the page source
We entered </title> to complete the title tag ( <title>) and <h1>XSS</h1> is the actually html tag we wanted to see on the page.
I hope it was a simple part and is clear to you.
Now Lets try to execute a javascript code <script>alert('XSS')</script>. A popup message box saying XSS should appear on the webpage.
Lets go to this URL
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert('XSS')</script>
But Nothing Happens !!!
Now check the source code again
See the slashes ( \ ) automatically inserted before the single quotes ( ' ) ,we entered. Obviously,due to this our code didn't execute.This is a kind of filter that we need to bypass .
Here we will be using a javascript built in function called String.FromCharCode() that is used to encode/decode strings. Now both these codes
<script>alert('XSS')</script> and <script>alert(String.fromCharCode(88, 83, 83))</script>
has the same function but we can see that THERE ARE NO QUOTES IN SECOND CODE.
Note: 88 and 83 are ASCII values for X and S respectively. Visit this http://www.asciitable.com for more.
Finally, try this
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert(String.fromCharCode(88, 83, 83))</script>
Yes, it worked.
So finally we have managed to execute a javascript :)
No comments:
Post a Comment