
xss


By ghostghost | 4296 Reads |

===[ How I found my first real XSS ]===[ 0x702ch ]==========================

OK, actually it is not the first real one, but misconfigured guestbooks don't count. When I started here on HBH I was in the process of realising that hacking is not (just) about rooting boxes or manipulating servers. The words exploitation, injection and scripting come to my mind. I googled the term 'xss' and found a lot of information on it. (I still have a lot to learn.) http://en.wikipedia/Wiki and http://ha.ckers.org are sites I recommend to you. I first thought that XSS was just the toy of the wannabe skiddies, but soon realised that I was deeply mistaken. I set up a cookie stealer and experimented with it, then I completed two realistic challenges on HTS, one of which involved cookie stealing.

Then one day, when I was just bored, tired of school, ... I got on HBH and went to the Realistic 8 page. Well, it says that I should use a proxy. Nothing interesting ... but wait! It says that they log my referrer, and it is printed in plain text into the HTML source. I changed my referrer with RefControl to: alert('xss'); and nothing happened! But I was cool enough to check the source, and I noticed that it didn't escape the < and > characters! It only escaped the ', " and / characters! OK, I tried this: a=1337;alert(a); and it worked! I was so happy that I had found an XSS hole (or at least found that the referrer wasn't filtered for special characters).

I wasn't able to modify the page or add any content to it, but I didn't give up and checked ha.ckers.org, and there I found an interesting function: String.fromCharCode(88,83,83); it expands to "XSS". The numbers are the ASCII values of the characters. Now I could construct strings without ' or ". But what could I do with this? Well, I tried to redirect the page to my cookie stealer! And it worked. To quickly construct any string I wrote a small C program that outputs a string as ASCII codes, each character separated by commas. So I put this string into it:

It expanded to a couple of numbers, which I pasted into my referrer:

I refreshed, and it took me to my site; I checked the log, and yes, there were my cookies! You may think that this was useless, but let me explain how I could use this (SE). Say I start a new thread and say that I have found an easter egg in one of HBH's realistic missions! To view it, install RefControl [link here] and paste this code into it: code here. It is a series of JS function calls and their arguments, and you must use this form because ' and " are filtered. After that, how many of you would have checked the code? And how many would have used it! And what I would have are some nice cookies. But instead of doing all this, I reported the bug/exploit to Mr_Cheese and he quickly fixed it. Later, when I asked him about the HoF, he said that with this I can't get into it (cookie stealing and SE don't count). OK, I said, no problem, I didn't write this article to force myself into the HoF; I understand him. This is just part of the story. And this is the big end!

Comments
ghost's avatar
ghost 18 years ago

CRITICISM

  1. Use spacing, and line breaks [ENTER]
  2. Good job, tho, dude – keep writing.

bl4ckc4t's avatar
bl4ckc4t 18 years ago

Not too bad. 9/10 BC

ghost's avatar
ghost 18 years ago

Add some spacing, it may make it a little more readable ;) But great info nonetheless :D

AldarHawk's avatar
AldarHawk 18 years ago

Well written. Not too much of a NEW hack, just bad coding by the coder of Real 8 ;) But nice... 7/10

ghost's avatar
ghost 18 years ago

Just like to say that I think there is more damage which can be done with XSS than cookie stealing, which I think Mr_Cheese sometimes ignores: CSRF. I may write an article on it actually.

SySTeM's avatar
SySTeM 18 years ago

Dude, that thing about real8, I got HoF for that which is probably why you didn't ;)

ghost's avatar
ghost 18 years ago

lol this isn't new, system did it…. lol

ghost's avatar
ghost 18 years ago

:evil:

bahpomet1105's avatar
bahpomet1105 8 years ago

Not bad man, kinda awesome, but please space better.