
Constructing an XSS Worm

By ghostghost | 9344 Reads

If you find the formatting of this article to be off or hard to read on HBH (as I do; sensitive eyes. HBH's repository is great, but you can only do so much to make a text file pretty without allowing it to be a text file in full), please wget picobsd.amdwebhost.com/~cfc/xss.txt

Before anyone flames me, the code in this article is purposefully flawed. It will not work. A programmer should be able to get it to work in a matter of minutes. I removed some code and modified other stuff so that skiddies don't pick it up. This article is meant for understanding, not as a contribution of code.

A while back, I was poking around a web 2.0 site. I noticed something rather interesting: every single preference for users had its own file. This was probably done because the site, which was AJAX based, modified user information via AJAX, and therefore often only one value was being edited at a time. I started poking around these, and I found out early on that all data sanitization was done with JavaScript. I'm assuming this is because the developer was more comfortable with JavaScript, and didn't use PHP for anything except what he had to (editing database fields, etc.). Because filtering was done in JavaScript, I figured it wasn't done on the PHP side (I was correct), so if I could access the file directly, I was in business.

It worked. site.com/users_neighborhood.php was accessible, and when I edited my neighborhood, I was able to insert a cookie stealer. The cookie stealer employed my favorite concept, albeit one that is not always possible: the image. Which brings me to my first segment of code, the cookie stealer itself:

This code simply created a PNG image and set the file's output content-type to PNG.

And the Javascript looked like this:

So, easy part done. Next is the propagation technique. I had a PHP script that contained a variable holding the entire cookie. So the obvious thing to do at this point was to use sockets to connect to the target site's users_neighborhood.php page with the hijacked cookie. I did this by opening a socket and passing data to it. Here's the code:

This section of code just set up all the variables used later.

This section is a function which allows us to build a valid HTTP/1.1 request with POST data and cookie data in it.

This section created our network connection to the site.

This section of code wrote the HTTP request to the site.

What we have done is used the XSS hole in the site to steal the cookie. Our cookie stealer script not only logs cookies, but is also used to authenticate us as that user, granting us the ability to edit THEIR content and steal cookies using their page as well.
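The chain above works because of three defects: the filtering lives only in JavaScript, so the PHP endpoint accepts anything sent to it directly; the stored value is echoed into the page unencoded, so the injected script runs for every viewer; and the session cookie is readable from script, so it can be collected and replayed. The following hardened endpoint is an added example written for this article, not code from the original post or from the site it describes. It assumes a session-based login with `$_SESSION['user_id']` already set, a single text preference called `neighborhood`, and an existing PDO handle `$pdo` with a `users` table (all assumptions). The function names are hypothetical.

```php
<?php
// Added example: a server-side-hardened version of a single-preference
// endpoint such as users_neighborhood.php. Nothing here relies on the
// browser; any client-side JavaScript filtering is treated as cosmetic.
declare(strict_types=1);

// 1. Cookie flags (PHP 7.3+ array form). HttpOnly keeps the session id out
//    of document.cookie, so an image-based stealer gets nothing worth replaying.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Server-side validation with an allow-list and a length cap. This is the
//    check the article's site only performed in JavaScript.
function validNeighborhood(string $value): bool
{
    return strlen($value) <= 64
        && preg_match('/^[\p{L}\p{N} .\'-]+$/u', $value) === 1;
}

// 3. Output encoding at the one place the stored value meets HTML. Even if a
//    bad value ever reached the database, it renders as text, not markup.
function renderNeighborhood(string $stored): string
{
    return '<span class="neighborhood">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// 4. Parameterised write. Table and column names are assumed for the example.
function saveNeighborhood(PDO $pdo, int $userId, string $value): void
{
    $stmt = $pdo->prepare('UPDATE users SET neighborhood = :n WHERE id = :id');
    $stmt->execute([':n' => $value, ':id' => $userId]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('not logged in');
    }
    $value = (string) ($_POST['neighborhood'] ?? '');
    if (!validNeighborhood($value)) {
        http_response_code(400);
        exit('invalid neighborhood');
    }
    // $pdo is the site's existing database handle (assumed).
    saveNeighborhood($pdo, (int) $_SESSION['user_id'], $value);
    http_response_code(204);
    exit;
}
```

Two points worth checking when applying this pattern: `validNeighborhood` rejects the payload described in the article outright, and `renderNeighborhood` would neutralise it even if validation were later loosened, so the stored-XSS half of the worm fails at two independent layers. The cookie flags address the other half: with HttpOnly set, the stealer cannot read the session id, and the socket-based replay in the article has nothing to replay. Note that `SameSite` only restricts browser-originated cross-site requests; it does nothing against a script that already holds a stolen cookie, which is why HttpOnly and server-side validation are the decisive controls here.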

LEGAL STUFF/DISCLAIMER: THE CODE IN THIS TUTORIAL WAS EDITED TO ENSURE THAT IT DOES NOT WORK PROPERLY. THIS WAS DONE ON PURPOSE TO AVOID THE USE OF THIS CODE FOR ILLEGITIMATE PURPOSES. THE CODE IS FOR POC PURPOSES ONLY, MEANT TO DEMONSTRATE THE EXTENSION OF XSS HOLES. DON'T DO BAD STUFF, CAUSE IT'S NOT ON ME IF YOU DO. THIS WORM WAS CREATED AND TESTED IN A CONTROLLED ENVIRONMENT.

Comments
ghost 17 years ago

Nice article. I enjoyed reading that very much.

ghost 17 years ago

if most articles on HBH were somewhat like this, I wouldn't be so diarrhetic!

ghost 17 years ago

great job, dude.

ghost 17 years ago

nice article. read quite a bit on xss worms, your article makes an interesting read :) rated awesome

ghost 17 years ago

beautiful

What_A_Legend 17 years ago

this is great article we need more like this on HBH :)

SySTeM 17 years ago

Nice work man, we need more articles like this on the site!

korg 17 years ago

Agree I actually liked it. (Don't think I've said that in a while) Nice job!

ghost 17 years ago

Nice one :P, can't wait til I understand it all :D