XSS That some people forget about
Ok, if you don't already know what XSS is, then google it and learn the basics. I am not going to reinvent the wheel, because that would just be another article repeated in HBH's archives.
So first off, let's say we are working with a search page on a website. Most commonly you would try asdf to see if it allowed tags. Now more and more websites are catching up on the XSS exploit, and are stripping tags in their search pages and other input forms. However, there are ways and things that the programmer of the site may have forgotten about. The majority of exploits in big websites that think their security is good will be in the minor little things that they forgot about.
So now that you have tried the old normal HTML tags in the search, and your attempt fails, think for a second. Are there other search options that don't exactly give you your own text input, like a select box? Well, you could always use some JavaScript to edit that option's value so that it closes the option in the HTML, therefore breaking you out of the select box and allowing you to enter HTML.
Here is an example of the above before a user edits it with JavaScript.
Now after the user injects the form with ">insert html tags here:
Now another way you can do the same thing as above, but a little differently: if the search text box keeps your search keywords in the box after clicking search, then you have another chance to input HTML. Look at the source and see how many quotes they use for the value of the textbox, then enter that and the closing bracket and voila! Once again you have HTML input.
So here is the example of the source before the input:
And after injecting in the text box with asdf">insert html tags here, the page renders: insert html tags here
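Both breakouts above come from the same mistake: the search term is reflected into an HTML attribute without being encoded, so a double quote and a closing bracket end the attribute early. As an added example (not from the original article), here is a Python model of that vulnerable reflection beside the encoded version, with a parser check that tells you whether the reflected term changed the page structure; the markup, the constructed marker term and the helper names are all assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample term: closes the value attribute the way the article
# describes ("asdf" followed by a quote and a bracket). The <i> tag is just
# a harmless marker so the structural change is visible to the parser.
BREAKOUT_TERM = 'asdf"><i>injected</i>'

# Assumed markup: a text box that echoes the search term plus a select box
# whose chosen option value is echoed too (both cases from the article).
def render_search_naive(term: str) -> str:
    """Reflects the term straight into the attributes, as the vulnerable page does."""
    return ('<form><input type="text" name="q" value="' + term + '">'
            '<select name="cat"><option value="' + term + '" selected>Last</option>'
            '</select></form>')

def render_search_escaped(term: str) -> str:
    """Same markup, but the term is attribute-encoded first. quote=True turns
    the closing double quote into &quot; so the attribute cannot end early."""
    safe = html.escape(term, quote=True)
    return ('<form><input type="text" name="q" value="' + safe + '">'
            '<select name="cat"><option value="' + safe + '" selected>Last</option>'
            '</select></form>')

class TagCollector(HTMLParser):
    """Records every start tag a browser-like parser sees in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

# The only tags the page is supposed to contain, in order.
EXPECTED_TAGS = ["form", "input", "select", "option"]

def breaks_out(render, term: str) -> bool:
    """True when reflecting the term introduced tags the page did not define."""
    return start_tags(render(term)) != EXPECTED_TAGS

if __name__ == "__main__":
    print("naive   broke out:", breaks_out(render_search_naive, BREAKOUT_TERM))    # True
    print("escaped broke out:", breaks_out(render_search_escaped, BREAKOUT_TERM))  # False
```

The same check applied to form-submitted values covers the select-box case as well, since the edited option value is reflected through exactly the same attribute.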
In conclusion, you want to look for things that the programmer may have forgotten to secure, such as a username availability page or what not.
This article is for educational purposes only. HBH and the author are not responsible for any actions learned through this article.
- Chislam
Uber0n 18 years ago
This was a nice article ^^ especially liked the textbox thing (never thought of that one before) ;) Thanks!
ghost 18 years ago
Well, as in people forgetting, I mean the people who coded the site, and they forget about the little things that can actually hurt them.
ghost 18 years ago
Well, the most common way to use them is with a picture and an event attached to it … [ img ]' onmousemove='window.history.go(-1)[ /img ]. This lets you run JavaScript code easily and is harder to detect because you're not using any HTML tag. Also, if you can add HTML tags like this, it's probably because you could already add them without any bbcode tag or something else.
ghost 18 years ago
Well, this article is more related to breaking out of text boxes and what not.
ghost 17 years ago
I don't really understand this example, the injection is made from the query string, no? I don't see how the form is being changed…
Also Arto, the trouble with that is most forum software uses htmlentities and double quotes on the HTML attributes, so you can't break out of an img tag attribute, because if you use a " it's replaced with the HTML quote entity. I'd really like to see some up-to-date attack methods.