Web Hacking Series Part 4

Post on 12-Apr-2017


Transcript of Web Hacking Series Part 4

~ Aditya Kamat

BMS College of Engineering

WEB HACKING SERIES PART-4

TOPICS LEARNT TILL NOW:

• Basics of web and a little about networks.

• HTML injection.

• SQL injection to bypass authentication.

• Buffer overflow attack.


• Bypass Authentication Via Authentication Token Manipulation.

• Session hijacking.

• Brute forcing login pages using burp.

• HTTP parameter pollution.

• SQL injection.

WHAT WILL BE COVERED TODAY:

• Cross Site scripting (XSS)

• Its prevention and the common mistakes made by developers.

BASICS OF JAVASCRIPT:

• It is a computer programming language commonly used to create interactive effects within web browsers.

• The main body of the program is usually placed in between “<script>” tags.

• It is mostly used on the front end, so its source can be viewed by anyone who loads the page (it can be used on the back end as well).


• It is a dynamically typed language, i.e. the data type of a variable need not be specified in the code.

• The alert() method is used to display a pop-up message in the browser.

XSS PREREQUISITES:

• The user’s session is stored in the form of one or more cookies in the browser. This lets the user use the account without entering the credentials every time.

• The method in which the attacker obtains these cookies and logs in as the user is known as session hijacking.

• document.cookie in JavaScript is used to read out all the cookies stored by the website.

HERE IS A PEEK OF MY FACEBOOK COOKIES:

WHAT IS XSS?

• It is a vulnerability which enables attackers to inject client-side scripts into web pages viewed by other users.

• They account for roughly 84% of all reported security vulnerabilities.

TYPES OF XSS:

• Reflected: The payload is directly echoed back in the response.

• Stored: The payload may be echoed directly in the response, but more importantly it is echoed again when you return to this page or visit another page, because the application stores it in its backend.

• DOM-based: The payload is not echoed back in the page. It gets executed dynamically when the browser renders the page.

POSSIBLE EXPLOITS FOR XSS:

• Injecting fake login forms.

• Retrieving legitimate user cookies.

• Injecting browser exploits.

• Getting users to execute an arbitrary piece of code.

EXAMPLE 1:

• This is just to get you started with XSS.

• Payload: <script>alert("xss")</script>

• This should give a pop up with “xss” on it.

EXAMPLE 2:

• There is a bit of filtering with a regex present here.

• We notice that <script> tags have been filtered.

• Payload: <sCRipt>alert(1)</sCRipt>

EXAMPLE 3:

• The developer has filtered out the script tags in different cases too.

• This prevents us from using the previous payload.

• Payload: <scr<script>ipt>alert(1)</scr</script>ipt>

EXAMPLE 4:

• In this example, the developer has blacklisted the word “script”.

• If this word appears anywhere in the input, processing stops.

• Payload: <img src='zzz' onerror=alert(1) />

EXAMPLE 5:

• In this example, alert() has been blocked.

• We can use other methods such as confirm() and prompt() to bypass this.

• We can also use eval and String.fromCharCode() to bypass it.

• Payload: <script>confirm(1)</script>
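
To see why the blacklist filters of Examples 2 to 5 keep failing while output encoding does not, here is an added example (my code, not from the slides or from the PentesterLab exercise). It reimplements each filter as the slide text describes it, feeds it that example's own payload, and puts HTML-entity encoding beside it. The function names, and the exact shape of each filter, are my assumptions about what the exercise does.

```javascript
// Added example (mine, not from the slides or PentesterLab): the blacklist
// filters that Examples 2 to 5 describe, each fed that example's payload,
// compared with HTML-entity output encoding. Function names are my own and
// the filters are my reading of the slide text, not the exercise's code.

// Example 2: strip exact-case <script> and </script> tags only.
function stripScriptExactCase(input) {
  return input.replace(/<\/?script>/g, '');
}

// Example 3: the same, but case-insensitive.
function stripScriptAnyCase(input) {
  return input.replace(/<\/?script>/gi, '');
}

// Example 4: refuse the whole input if the word "script" appears anywhere.
// Returns null when the input is blocked.
function rejectWordScript(input) {
  return /script/i.test(input) ? null : input;
}

// Example 5: refuse the input if it calls alert().
function rejectAlert(input) {
  return /alert\s*\(/i.test(input) ? null : input;
}

// Mitigation: encode the five characters that can change how an HTML body or
// attribute is parsed (the same set PHP's htmlspecialchars($s, ENT_QUOTES)
// covers). Nothing is removed, so no payload can be reassembled from the
// pieces the way the Example 3 payload does.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Each slide payload paired with the filter it was written against.
const CASES = [
  { filter: stripScriptExactCase, payload: '<sCRipt>alert(1)</sCRipt>' },
  { filter: stripScriptAnyCase,   payload: '<scr<script>ipt>alert(1)</scr</script>ipt>' },
  { filter: rejectWordScript,     payload: "<img src='zzz' onerror=alert(1) />" },
  { filter: rejectAlert,          payload: '<script>confirm(1)</script>' },
];

// Did a raw tag opener survive? That is what the HTML parser needs in order
// to create an element (and so run its script or event handler).
function tagSurvives(output) {
  return output !== null && /<[a-z\/!?]/i.test(output);
}

// Run every payload through its filter and through the encoder.
function compareFilters() {
  return CASES.map(({ filter, payload }) => {
    const filtered = filter(payload);
    const encoded = htmlEncode(payload);
    return {
      payload,
      filtered,
      filterBypassed: tagSurvives(filtered),
      encoded,
      encodedSafe: !tagSurvives(encoded),
    };
  });
}

for (const r of compareFilters()) {
  console.log(`${r.filterBypassed ? 'BYPASSED' : 'blocked '}  filter output: ${r.filtered}`);
  console.log(`          encoded output: ${r.encoded}`);
}
```

Run it with `node filters.js`: every filter lets its payload through with a tag intact, and the case-insensitive strip of Example 3 even rebuilds a clean `<script>alert(1)</script>` from the nested input, while the encoded output never contains a raw `<`. The lesson is the one the prevention slide points at: encode at the output, do not try to enumerate bad input.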

EXAMPLE 6:

• Viewing the HTML source, we see that the input is stored in a JavaScript variable.

• We have to terminate that statement somehow and then insert alert().

• Payload: ";alert(1)//

EXAMPLE 7:

• Special characters are not allowed because the page is using HTML encoding.

• This, however, does not cover the single quote.

• Payload: ';alert(1)//

• Use the ENT_QUOTES flag so that single quotes are encoded as well.
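
Examples 6 and 7 both come from the same situation: the value lands inside a JavaScript string, where HTML encoding is the wrong tool even when it happens to block a particular payload. The following added example (my code, not the slides' or the exercise's; the function names and the assumed `var name = ...;` line are mine) emits that line under the encodings discussed on these slides, including the ENT_QUOTES variant, and uses a small lexer to check whether the string literal stays intact and what value the variable ends up holding.

```javascript
// Added example (mine, not from the slides or PentesterLab): the input of
// Examples 6 and 7 reflected into a JavaScript string under different
// server-side encodings. Function names and the emitted line are my own.

// Simulates PHP htmlspecialchars() with its default flags: & < > " are
// encoded, the single quote is left alone (the gap Example 7 uses).
function htmlEncodeDefault(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Simulates htmlspecialchars($s, ENT_QUOTES): single quote encoded as well.
function htmlEncodeEntQuotes(s) {
  return htmlEncodeDefault(s).replace(/'/g, '&#039;');
}

// The encoder that actually matches a JavaScript-string context: a JS string
// literal (quotes, backslashes and control characters handled by
// JSON.stringify) with < and > written as \u003c and \u003e, so that a
// "</script>" inside the value can never end the <script> element in the
// HTML parser, which runs before the JS parser ever sees the string.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Ways a page might emit `var name = <literal>;` for a user-supplied value.
const EMITTERS = {
  rawDouble:           (v) => `"${v}"`,                      // Example 6
  htmlDefaultSingle:   (v) => `'${htmlEncodeDefault(v)}'`,   // Example 7
  htmlEntQuotesSingle: (v) => `'${htmlEncodeEntQuotes(v)}'`, // the slide's fix
  jsLiteral:           (v) => jsStringLiteral(v),            // context-correct fix
};

function renderScript(value, emit) {
  return `var name = ${emit(value)};`;
}

// Walk the literal the way a JS lexer would: a backslash escapes the next
// character, and the first unescaped delimiter ends the literal. The literal
// is intact only if it ends on the last character before the trailing ';'.
function literalIsIntact(code) {
  const start = code.indexOf('= ') + 2;
  const quote = code[start];
  let i = start + 1;
  while (i < code.length) {
    if (code[i] === '\\') { i += 2; continue; }
    if (code[i] === quote) break;
    i += 1;
  }
  return i === code.length - 2;
}

// Evaluate one input under every emitter. `value` is what the variable ends
// up holding; it is computed only for intact literals, where the emitted code
// is exactly one assignment and therefore safe to execute here.
function evaluate(input) {
  const result = {};
  for (const [name, emit] of Object.entries(EMITTERS)) {
    const code = renderScript(input, emit);
    const intact = literalIsIntact(code);
    result[name] = {
      code,
      intact,
      closesScriptElement: /<\/script/i.test(code),
      value: intact ? new Function(code + '\nreturn name;')() : null,
    };
  }
  return result;
}

// Constructed inputs: the two slide payloads, plus a legitimate name whose
// apostrophe and angle brackets must survive unchanged.
for (const input of ['";alert(1)//', "';alert(1)//", "O'Brien <b>"]) {
  console.log(input);
  for (const [name, r] of Object.entries(evaluate(input))) {
    console.log(`  ${name.padEnd(20)} intact=${r.intact} value=${JSON.stringify(r.value)}  ${r.code}`);
  }
}
```

Running it with `node jscontext.js` shows three things worth remembering: the raw and the default-encoded variants each break out for one of the two payloads; ENT_QUOTES keeps the literal intact but hands the script `&#039;` and `&lt;` where the user typed `'` and `<`, so even an innocent `O'Brien <b>` is corrupted (and without ENT_QUOTES it breaks the page outright); and only the JS-literal encoder both keeps the literal intact and gives the variable the original value.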

EXAMPLE 8:

• Here, the value which is echoed is encoded.

• The developer, however, trusts the request path by using PHP_SELF.

• This lets us enter the payload in the URL directly.

• Payload: /"><script>alert(1)</script>

EXAMPLE 9:

• This is a demonstration of DOM-based XSS.

• It is a completely static page.

• The JavaScript code retrieves the portion of the URL after the “#” symbol.

• Payload: <script>alert(1)</script>

PREVENTION:

• Take care at every place where the user gets to interact with the server.

• Many prevention techniques are listed in the OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

REFERENCES:

• Thanks to PentesterLab for the ISO and the tutorials.

Link: www.pentesterlab.com/exercises/web_for_pentester

• List of different payloads: http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

THANK YOU!