Showing posts with label WEBSITE HACKING. Show all posts

Wednesday, 2 November 2011

How to hack websites and damage a web application using Cross-Site Scripting (XSS) vulnerabilities: the XSS-Me add-on for Firefox

Version: 0.4.3
Works with Firefox: 2.0.0.8 – 3.6a1pre
Updated: May 25, 2009
Developer: Security Compass
Rating: 5 out of 5 stars

Cross-Site Scripting (XSS) is a common flaw found in today's web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.

If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.

You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.

What is Cross-Site Scripting (XSS)?

  • A Web application vulnerable to XSS allows a user to inadvertently send malicious data to themselves through that application.
  • Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them.
  • These links cause client-side scripting languages (VBScript, JavaScript, etc.) of the attacker's choice to execute in the victim's browser.
  • XSS vulnerabilities are caused by a failure in the web application to properly validate user input.

  • The simplest description of cross-site scripting is the attack that occurs when a user enters malicious data into a Web site. It can be as simple as posting a message that contains malicious code to a newsgroup. When another person views this message, the browser will interpret the code and execute it, often giving the attacker control of the system. Malicious scripts can also be executed automatically based on certain events, such as when a picture loads. Unlike most security vulnerabilities, cross-site scripting (abbreviated CSS in older texts) doesn't apply to any single vendor's products; instead, it can affect any software that runs on a web server.
    CSS takes place as a result of the failure of the web-based application to validate user-supplied input before returning it to the client system. "Cross-Site" refers to the security restrictions that the client browser usually places on data (i.e. cookies, dynamic content attributes, etc.) associated with a web site. By causing the victim's browser to execute malicious code with the same permissions as the domain of the web application, an attacker can bypass the traditional document object model (DOM) security restrictions. The document object model is an accessible application interface that allows client-side languages to dynamically access and modify the content, structure and style of a web page.
    Cross-Site Scripting (CSS) attacks require the execution of client-side languages (JavaScript, Java, VBScript, ActiveX, Flash, etc.) within a user's web environment. Cross-Site Scripting can result in an attacker stealing cookies, hijacking sessions, changing web application account settings, etc. The most common web components that are vulnerable to CSS attacks include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines. Moreover, a victim does not necessarily have to click on a link to make the attack possible.
    XSS Countermeasures

    • As a web application user, there are a few ways to protect yourself from XSS attacks.
    • The first and the most effective solution is to disable all scripting language support in your browser and email reader.
    • If this is not a feasible option for business reasons, another recommendation is to use reasonable caution while clicking links in anonymous e-mails and dubious web pages.
    • Proxy servers can help filter out malicious scripting in HTML.
      Preventing cross-site scripting is a challenging task especially for large distributed web applications. If the application accepts only expected input, then the XSS can be significantly reduced.

      Web servers should set the character set, and then make sure that the data they insert is free from byte sequences that are special in the specified encoding. This can typically be done by settings in the application server or web server. The server should define the character set in each HTML page as below.
      Web pages with unspecified character encoding work mostly because most character sets assign the same characters to byte values below 128. Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as "<". These should be checked.
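      As an added illustration (not code from the original post or from the XSS-Me add-on), this Python sketch renders a reflected form value the vulnerable way and the countermeasure way: the hardened version declares the character set in the header and in the page and HTML-encodes the value, and a check modelled on the XSS-Me probe tells the two apart. The probe string and all function names are constructed for this example.

```python
import html

# Constructed sample input for this example: a value a "search" form would reflect.
PROBE = '<script>document.vulnerable=true</script>'

def render_vulnerable(query):
    """Reflects the form value verbatim and declares no charset: the browser
    guesses the encoding and runs any script element inside the value."""
    body = "<html><body>Results for: " + query + "</body></html>"
    return {"Content-Type": "text/html"}, body.encode("utf-8")

def render_hardened(query, charset="UTF-8"):
    """Countermeasure from the post: declare the character set in the header
    and in the page, and HTML-encode the value before inserting it."""
    safe = html.escape(query, quote=True)   # < > & " ' become entities
    body = (
        '<html><head><meta http-equiv="Content-Type" '
        'content="text/html; charset=' + charset + '"></head>'
        "<body>Results for: " + safe + "</body></html>"
    )
    headers = {"Content-Type": "text/html; charset=" + charset}
    # Encoding with the declared charset keeps the bytes consistent with it.
    return headers, body.encode(charset)

def reflects_live_script(body, marker="document.vulnerable=true"):
    """Modelled on the XSS-Me check: the page is flagged only when the marker
    lands inside a real <script> element, not when it is entity-encoded."""
    return "<script>" + marker in body.decode("utf-8")
```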

    CRLF injection attack and HTTP response splitting

    CRLF injection, also known as HTTP response splitting, is a simple but very powerful web attack. Hackers actively exploit this web application vulnerability to perform a wide variety of serious attacks. It was also found in Google AdWords some years ago.
    The term CRLF refers to Carriage Return (ASCII 13, \r) and Line Feed (ASCII 10, \n). They are used to mark the termination of a line, but are handled differently by today's popular operating systems. For example, in Windows both a CR and an LF are required to mark the end of a line, whereas in Linux/UNIX only an LF is required. Together these two characters represent the END OF LINE for various internet protocols. When programmers write code for web applications they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way the web application functions.


    Example:


    suppose you got a link from a malicious user


    http://www.yoursite.com/page.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3Ethis is the Hacker's Content%3C/html%3E


    You will get a page saying 

    this is the Hacker's Content


    But this page is generated by the server, into which the hacker has injected HTML code. More sophisticated variations of this example can lead to poisoning of the client's web cache, cookies, XSS, temporary or permanent defacement of web pages and even information theft.


    Preventing CRLF


    The best protection is filtering user input: properly sanitize URLs that point to web pages on your site containing any server redirection code.
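    To make that countermeasure concrete, here is an added Python example (not from the original post) that decodes the page parameter of the link above the way the server receives it, shows how concatenating it into a header splits one response into two, and rejects it with a CR/LF check on the header value. The redirect handler and the function names are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# The link quoted in the post, used here as sample input.
LINK = ("http://www.yoursite.com/page.php?page=%0d%0aContent-Type: text/html"
        "%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a"
        "%3Chtml%3Ethis is the Hacker's Content%3C/html%3E")

def page_param(link):
    """Percent-decode the 'page' parameter exactly as the server receives it."""
    return parse_qs(urlparse(link).query)["page"][0]

def build_redirect_vulnerable(target):
    """Hypothetical page.php behaviour: the value is concatenated into a
    Location header, so the CRLFs inside it terminate that header early."""
    return "HTTP/1.1 302 Found\r\nLocation: /" + target + "\r\n\r\n"

def header_value(value):
    """Countermeasure: a header value may never contain CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF is not allowed in a header value")
    return value

def build_redirect_hardened(target):
    """Same redirect, but the value passes the filter first."""
    return "HTTP/1.1 302 Found\r\nLocation: /" + header_value(target) + "\r\n\r\n"

def hardened_rejects(target):
    """True when the filtered builder refuses the value."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False

def status_lines(raw):
    """Count the status lines a naive client would see: more than one means
    the single response was split into two."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))
```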

    Mantra Security Toolkit 0.6.1 Released – Browser Based Hacking Framework


    Mantra is a collection of free and open source tools integrated into a web browser, which can come in handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.


    The software is lightweight, flexible, portable and user-friendly with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on your system within minutes. Mantra is absolutely free of cost and takes no time to set up.


    Mantra can be very helpful in performing all the five phases of attacks, including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive and defensive security tasks.


    Download Mantra Security Toolkit 0.6.1