2146.image_thumb_1F1803BD

 

 

‘XSS’ also known as ‘CSS’ – Cross Site Scripting  is a common vulnerability that can be found in Web Applications. This vulnerability allows the attacker to inject codes into the already existing codes, causing the web server to execute both the default codes and our malicious codes. This method does not require you to know the real IP address of the target website. So because of that a lot of government sites, corporate sites can easily be exploited.

There are quite a number of injection methods but the 3 primary XSS injection methods are known as :
– Persistent XSS
– Non Persistent XSS
– Dom-Based XSS

Persistent XSS: 
Persistent XSS aka Stored XSS is a method where our injected codes get stored in the target server. The server would then run the code each time a user visits the particular injected page. In other words, it is a one time injection that will leave your codes in the web server to execute by itself when a visitor visits the link.

Non Persistent XSS: 
Non Persistent XSS aka Reflected XSS is a method of injecting codes that will be sent to the server via HTTPrequest. The server will then embed the two codes into the html page and return the crafted url to the attackers browser. The attacker can then send the specially crafted link to his target. When the target clicks on the link, the embedded codes will get executed and information is revealed. The information varies based on the type of codes injected. So basically in other words, it does the same thing as persistent xSs but the difference is that it does not store the malicious codes on its server.

Dom-Based XSS
Unlike the Persistent and non persistent method where the payloads are placed in the response page. The Dom-Based XSS aka type-0 XSS is a method where the attackers payload is executed as a result of modifying the DOM “environment” in the victims browser. The victims page will execute differently due to the malicious modifications that have occurred in the DOM environment of their local machine. In simpler terms, unlike the above two attacks where we dont touch the users browser, in dom based xss…it is the users browser that we are trying to modify.
XSS exploitation can be used to deface webpages, cause denial of service attacks, malware attacks, session hijacking (stealing cookies), credit card theft and so much more. Bet that got your attention huh?

Injecting Codes?:
For those who are confused by the term “injecting codes”, let me attempt to explain. A website is usually made out of HTML,JAVA, CGI,PHP etc etc. The web server and your browser is able to digest and translate these codes. The attacker takes advantage of this by injecting/embedding acceptable codes within an already existing code provided by the target website to change its course of execution.

Basic example :
Original link : http://www.example.com/articles/viewarticles.php?workflowcode=
Modified link:
http://www.example.com/articles/viewarticles.php?workflowcode=”><script>alert(“XSS!”);</script>

I merely added a javascript “alert” code into the default url. This would in turn create a pop up box when i refresh the page. Now if this was a non persistent attack, then i would need to provide this link to my victim through social engineering means. If it was a persistent attack, the codes will get stored in the server for it to run on its own.
But of course we wont be sending the url to our victim as plain and naked as the one shown above. We will use an encoding option to encode the language to another acceptable “language” that the computer can understand and translate (Base-64,String.fromCharCode,Hex value etc etc) .
<script>alert(“XSS!”);</script> translated becomes :

Hex Value:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%4A%61%6D%65%73%20%77%61%73%20
%68%65%72%65%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E
This means i can now use %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%4A%61%6D%65%73%20%77%61
%73%20%68%65%72%65%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E instead of alert(“James was here!”);

Making the new crafted url : 
http://www.example.com/articles/viewarticles.php?workflowcode=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%4A%61%6D%65%73%20%77etcetc

The encoding option is used to prevent doubts caused by the exposed scripts in the victims browser.
So i will stop here for now, in the next tutorial later today i will demonstrate a non persistent attack for a better understanding. We will cover each attack one by one.

source : Security Training Share