

XSS attacks are discussed here beyond the reflected and persistent types. The aim is to provide a broader view of the possibilities within these types of attacks, as well as the conditions for them to occur. The article also explores the operation of the XSSer tool for launching attacks of this type.




Introduction

Cross Site Scripting (XSS)

  • XSS vulnerabilities encompass any attack that allows scripting code to be executed in the context of another website.
  • They can be found in any application whose final objective is to present information in a web browser.
  • Usually, the input data used by an application is not correctly validated, allowing a malicious script to be sent to the application.
  • To work, they need an entry point, which is usually a form.
  • Through an XSS attack, you can hijack accounts, change user settings, access restricted parts of the site, modify site content, etc.

Types of XSS attacks

Direct Attacks
  • The direct XSS attack (also called persistent XSS) occurs when the attacker manages to embed malicious HTML code directly in websites that allow it.
  • It works by locating weaknesses in the programming of HTML filters, if they exist, to publish content.
  • This type of attack is usually the most common, and the code of the attacker is based on HTML tags (of the type or
  • The result shows a window with the text "hello-world".
  • This vulnerability is usually used for session theft and phishing.
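
The condition described above (untrusted input written into a page without encoding) is shown here next to its fix, as an added example that is not code from the original article. The function names, the `data-ua` attribute and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: the same page fragment rendered without and with output encoding.

// Encode the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Vulnerable: a stored comment and a request header are concatenated as markup.
function renderCommentUnsafe(comment, userAgent) {
  return `<div class="comment" data-ua="${userAgent}">${comment}</div>`;
}

// Hardened: every untrusted value is encoded at output time, and the
// attribute value always stays inside double quotes.
function renderCommentSafe(comment, userAgent) {
  return `<div class="comment" data-ua="${escapeHtml(userAgent)}">` +
         `${escapeHtml(comment)}</div>`;
}

// Constructed inputs: a stored comment carrying a script element, and a
// User-Agent value that tries to close the attribute it is written into.
const storedComment = '<script>alert("hello-world")</script>';
const userAgent = 'Mozilla/5.0"><b>injected</b>';

function demo() {
  return {
    unsafe: renderCommentUnsafe(storedComment, userAgent),
    safe: renderCommentSafe(storedComment, userAgent),
  };
}

console.log(demo());
```

The hardened output contains the input only as text, so the browser displays it instead of parsing it as markup.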


XSSer DESCRIPTION

XSSer is a framework that allows you to:
  • Detect XSS vulnerabilities.
  • Exploit these vulnerabilities locally or remotely.
  • Report the vulnerabilities found in real time.
Its main features include:
  • Graphic interface
  • Dorking
  • Support for GET and POST (this is important since in tools treated in previous articles only injections with GET could be performed).
  • Crawling
  • Proxy
  • Heuristic analysis
  • Preconfigured Exploits
  • Export options
  • Different bypassers to evade filters
Types of injections allowed:
  • Classic XSS (code execution in an embedded script)
  • Cookie Injection
  • Cross Site “Agent” Scripting
  • Cross Site “Refer” Scripting
  • Injections in “Data Control Protocol” and “Document Object Model”
  • HTTP Response Splitting Induced


EXAMPLES OF USE

  • Basic injection
xsser -u "victima.com"
  • Automatic injection (test all vectors)
xsser -u "victima.com" --auto
  • Injection with custom payload
xsser -u “victima.com” --payload = ”> 
  • Local Exploitation
xsser -u “victima.com” --Fp = “ 
  • Remote exploitation
xsser -u “victima.com” --Fr = ” 
  • Dorking use
xsser -d “inurl: admin / echo” --De “google” --Fp = ” 
  • Use of a proxy and HTTP Referer header spoofing
xsser -u "victima.com" --proxy http://localhost:8118 --refer "666.666.666.666"
  • Use of hexadecimal encoding
xsser -u "victima.com" --Hex
  • Multiple injection with 5 threads and encoding with mutation
xsser -u "victima.com" --Cem --threads "5"
  • Use of crawler with depth 3 and 4 pages
xsser -u "victima.com" -c3 --Cw=4
  • Exploitation through POST
xsser -u "victima.com" -p "target_host=name&dns-lookup-php-submit-button=Lookup+DNS"
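
Because the injections above can arrive in the URL, the Referer or the User-Agent, and may be encoded, a server-side check has to decode each of those fields before looking for markup. The following is an added example, not part of XSSer or of the original article; it assumes the combined access-log format, and the log lines, addresses and paths are constructed.

```javascript
// Added example: flag access-log entries whose URL, Referer or User-Agent
// decodes to HTML markup. Log format (combined) is an assumption.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"$/;
const MARKUP_RE = /<\s*\/?\s*[a-z!]/i; // start of a tag, closing tag or comment

// Percent-decode twice so that %253C -> %3C -> "<" is still seen.
// Decoding escape by escape means one malformed "%" cannot hide the rest.
function decodeLoose(value) {
  let out = value;
  for (let i = 0; i < 2; i++) {
    out = out.replace(/%([0-9a-f]{2})/gi,
      (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  }
  return out;
}

// Returns null for clean or unparsable lines, otherwise the fields that matched.
function scanLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, method, url, status, referer, agent] = m;
  const fields = { url, referer, "user-agent": agent };
  const hits = Object.keys(fields)
    .filter((name) => MARKUP_RE.test(decodeLoose(fields[name])));
  return hits.length ? { ip, method, status: Number(status), hits } : null;
}

function scanLog(text) {
  return text.split("\n").map(scanLine).filter(Boolean);
}

// Constructed sample log (documentation addresses, hypothetical paths).
const SAMPLE_LOG = [
  '198.51.100.4 - - [12/Mar/2024:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /search?q=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [12/Mar/2024:10:01:23 +0000] "GET / HTTP/1.1" 200 512 "http://example.test/?r=%253Cb%253E" "<script>x</script>"',
].join("\n");

console.log(scanLog(SAMPLE_LOG));
```

A hit is a lead for triage rather than proof of a vulnerability, since legitimate requests can also carry markup in these fields.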

XSSER GTK

It is a somewhat more intuitive option to use XSSer.




The tool starts with:

xsser --gtk
 
Thanks to the “Wizard Helper”, guided operation can be carried out much more easily than from the command line.

TYPES OF XSS ATTACKS

When talking about XSS, the two most basic types are usually in mind: reflected or persistent; 

DOM XSS

Takes advantage of modified active content to take control of the DOM, which allows the attacker to control the flow of that object, but always through its API.

XSF

Uses the ActionScript language, used to program Flash applications, with the intention of loading unwanted elements on the page.

CSRF

An exploitation option that uses a second website to launch the attack on the vulnerable website.

XFS

Malicious code is injected into an iframe that is embedded, hidden, in the vulnerable website.

XZS

Achieves an escalation of zone privileges in IE due to a vulnerability.

XAS

Allows the attack to be carried out by modifying the value of “User-Agent” in the header of a web application request.

XSSDoS

Uses a for-type instruction within a script embedded in the page to prevent users from accessing the content.

Flash! Attack

Another Flash-based attack that uses the Macromedia Flash plugin and ActiveX control to inject malicious code.

Induced XSS

Unlike the other XSS attacks, this attack is carried out on the server side.

Image Scripting

Exploits the reading of the binary parameters of an image by a server that has not been adequately protected.


Hackerbrother
