#walkthrough for XSS
Cross-Site Scripting (XSS) – The Bug Bounty Guide
XSS stands for Cross-Site Scripting, which is one of the types of attacks on websites. In this article, I will use https://xss-game.appspot.com to demonstrate how you can check for XSS bugs in different input parameters. It is a wonderful platform where you can practise how XSS works.
Level – 1:
The first level is very basic: if you toggle the code and see how the input is…
TryHackMe XSS Solutions
Cross-Site Scripting (XSS) arises when malicious code is injected into web applications through unchecked inputs. There are 3 types of XSS. In this article we will look at these types and at what can be done with an XSS attack in simple terms by solving the XSS questions on the TryHackMe platform. You can reach the room by clicking here (a subscription is required to view it). After starting the machine, we go to the vulnerable site.
1 - Stored XSS
In web applications, adding the data entered by users to the database without any control leaves the door open to a stored XSS attack. Because the input is added to the database, all injected code, harmful or harmless, runs every time the page is opened in a browser. Now let's see how it works by answering the questions. In the first question we are asked to test whether we can enter our own HTML tags. For example:
Hey
We saw that we could post it as a comment. Next, we are asked to display our cookie on screen with an alert. Since we can enter our own tags in the comment field, we can do this using script tags: alert(document.cookie)
Next we are asked to change the XSS Playground text at the top left to I am a hacker. When we right-click the text and choose Inspect, we see that the element containing the text sits between span tags with the id "thm-title". We will change it with JavaScript through the DOM: document.getElementById('thm-title').innerHTML="I am a hacker"
As can be seen, with XSS we can also change the appearance of websites. Next we are asked to steal Jack's account through his cookie. While solving this, we will use the logs page that the site provides for our convenience:
Going back to the comment field, with this code we make sure that from now on every cookie of a visitor is added to the logs page: document.location='/log/'+document.cookie When we go back to the logs page and refresh, a cookie value has arrived. If we replace our own cookie with this one, the site will think we are Jack, and so the comment we post will appear to belong to Jack. Right-click anywhere, choose Inspect, and go to the Application tab. From the left menu select Cookies, replace the connect.sid value with the cookie value from the logs page, and post a comment:
Keylogger with Stored XSS
A simple keylogger example for a web application with a stored XSS vulnerability:
    let l = ""; // variable in which the keystrokes are kept
    document.onkeypress = function (e) { // function written to listen for every key event
      l += e.key; // record each key the user presses into l
      console.log(l); // finally, by having it send l to our own server, we can complete the keylogger
    };
As you can see, on a site with an XSS flaw there is no limit to what can be done using a suitable scripting language, for example JavaScript or VBScript. Stored XSS is referred to as the most harmful type of XSS because the injected malicious code is stored.
2 – Reflected XSS
Unlike stored XSS, it arises when inputs are handled without control but are not added to the database. For example, a link sent to the victim that, when the victim clicks it, runs the malicious code once. We will understand it better with examples. In the first question we are asked to create a reflected XSS payload (malicious code) and print "Hello" on the screen with it. We will build our payload through the input field. First, as a test, we search for any word.
When we press Search, we look at our link.
We check whether there is any control on the client side. No filtering or control is visible.
Then let's prepare the payload and try it: alert("Hello")
Our payload worked.
We could have done the same thing through the URL: http://10.10.145.136/reflected?keyword=alert("Hello")
In fact, this is how reflected XSS is mostly used. A link containing malicious code is sent to the victim by mail, message or some other means, and the code is invoked when the victim clicks it. In the next question we are asked to create a payload that writes the local IP address to the screen: http://10.10.145.136/reflected?keyword=alert(window.location.host)
3 – DOM-Based XSS
This attack arises in web applications that write data taken from the input into the DOM without filtering. DOM-based XSS is a frequently misunderstood type of XSS. Ömer Çıtak cleared up this misunderstanding in his article "DOM Based XSS'i anlamak" (Understanding DOM Based XSS). You can reach the article here.
In the first question we are asked to examine the JavaScript code and print our cookie value to the screen with an alert.
I noted what the code does in the comments. Accordingly, all we need to do is give the input the link and add the event we want: https://tryhackme.com/img/THMlogo.png" onclick="alert(document.cookie);
The code ran. Looking at the source, we see that it was processed correctly.
In the other question we are asked to change the site's background colour to red by adding an onhover event: https://tryhackme.com/img/THMlogo.png" onmouseover="document.body.style.backgroundColor = 'red';
https://www.siberguvenlik.web.tr/wp-content/uploads/2020/04/2020-05-07-17-22-00.mp4
Finally, let's see with a challenge how simple XSS filters are bypassed.
How can we bypass a filter in which the words XSS, script, onerror, onsubmit, onload, onmouseover, onfocus, onmouseout, onkeypress, onchange and alert are blocked? Since the filter does not block the words every time, by writing the same word once inside the word we want we can make sure that only the extra part we wrote is removed (alealertrt, 'XSXSSS'); or there may be words that are useful to us but not filtered (onclick). Click
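The defender's side of the filter challenge above, as an added example that is not the room's or the original post's code: a single-pass keyword blocklist like the one described lets the nested words through, while output encoding, and assigning the image URL through the DOM API instead of string concatenation, do not. The exact blocklist, the comment wrapper markup and the http(s) allowlist are assumptions.

```javascript
// Added example, not from the TryHackMe room or the original post.
// Shows why the keyword blocklist described above fails and what to do instead.

// Assumed reconstruction of the challenge's blocked words (onclick is not on it).
const BLOCKED = ["xss", "script", "onerror", "onsubmit", "onload",
  "onmouseover", "onfocus", "onmouseout", "onkeypress", "onchange", "alert"];

// The weak filter: each word is removed in a single pass. Removing the inner
// copy lets the outer halves close up: "alealertrt" -> "alert", "XSXSSS" -> "XSS".
// Looping until nothing changes would fix that, but it still passes anything
// not on the list (e.g. onclick), which is why a blocklist is the wrong tool.
function blocklistFilter(input) {
  let out = input;
  for (const word of BLOCKED) {
    out = out.replace(new RegExp(word, "gi"), "");
  }
  return out;
}

// Correct mitigation for user text inserted into HTML content: encode the
// five characters that can change HTML structure instead of stripping words.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side rendering of a stored comment (assumed wrapper markup).
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Mitigation for the DOM level above, where the input URL was concatenated into
// an img tag: parse it, allow only http(s), and return a canonical URL that the
// page then assigns with img.src = ... (DOM API, never as markup text).
function safeImageUrl(input) {
  let u;
  try {
    u = new URL(input);            // rejects input that is not a URL at all
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href;                   // quotes and spaces come back percent-encoded
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(blocklistFilter("alealertrt"));                   // alert
  console.log(renderComment('<b onmouseover="x">Hey</b>'));
  console.log(safeImageUrl('https://tryhackme.com/img/THMlogo.png" onclick="x'));
}
```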
In this article I tried to explain the basics of XSS with the basic-level problems on TryHackMe. For more detailed information on the topic:
https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting/reflected
https://excess-xss.com/
https://medium.com/@onehackman/learning-xss-part-1-reflected-xss-brief-concept-techniques-challenge-walkthrough-85f6b165541b
https://medium.com/@onehackman/learning-xss-part-2-stored-xss-85019aae41a9
2020 Launch! Learn how to hack like a pro by a pro. Up to date practical hacking techniques with absolutely no filler.
What you’ll learn
Practical ethical hacking and penetration testing skills
Network hacking and defenses
Active Directory exploitation tactics and defenses
Common web application attacks
How to hack wireless networks
Learn how to write a pentest report
Understand the security threats affecting networks and applications
OWASP Top 10
IT security trends
Requirements
Basic IT knowledge
For Mid-Course Capstone: A subscription to hackthebox is suggested, but not required to complete the course.
For Wireless Hacking: A wireless adapter that supports monitor mode (links provided in course).
For Active Directory Lab Build: A minimum of 16GB of RAM is suggested. Students can still participate in the course, but may experience slow lab environments.
Description
Welcome to this course on Practical Ethical Hacking. To enjoy this course, you need nothing but a positive attitude and a desire to learn. No prior knowledge is required.
In this course, you will learn the practical side of ethical hacking. Too many courses teach students tools and concepts that are never used in the real world. In this course, we will focus only on tools and topics that will make you successful as an ethical hacker. The course is incredibly hands on and will cover many foundational topics.
In this course, we will cover:
A Day in the Life of an Ethical Hacker. What does an ethical hacker do on a day to day basis? How much can he or she make? What type of assessments might an ethical hacker perform? These questions and more will be answered.
Effective Notekeeping. An ethical hacker is only as good as the notes he or she keeps. We will discuss the important tools you can use to keep notes and be successful in the course and in the field.
Networking Refresher. This section focuses on the concepts of computer networking. We will discuss common ports and protocols, the OSI model, subnetting, and even walk through a network build using Cisco CLI.
Introductory Linux. Every good ethical hacker knows their way around Linux. This section will introduce you to the basics of Linux and ramp up into building out Bash scripts to automate tasks as the course develops.
Introductory Python. Most ethical hackers are proficient in a programming language. This section will introduce you to one of the most commonly used languages among ethical hackers, Python. You’ll learn the ins and outs of Python 3 and by the end, you’ll be building your own port scanner and writing exploits in Python.
Hacking Methodology. This section overviews the five stages of hacking, which we will dive deeper into as the course progresses.
Reconnaissance and Information Gathering. You’ll learn how to dig up information on a client using open source intelligence. Better yet, you’ll learn how to extract breached credentials from databases to perform credential stuffing attacks, hunt down subdomains during client engagements, and gather information with Burp Suite.
Scanning and Enumeration. One of the most important topics in ethical hacking is the art of enumeration. You’ll learn how to hunt down open ports, research for potential vulnerabilities, and learn an assortment of tools needed to perform quality enumeration.
Exploitation Basics. Here, you’ll exploit your first machine! We’ll learn how to use Metasploit to gain access to machines, how to perform manual exploitation using coding, perform brute force and password spraying attacks, and much more.
Mid-Course Capstone. This section takes everything you have learned so far and challenges you with 10 vulnerable boxes of increasing difficulty. You’ll learn how an attacker thinks and learn new tools and thought processes along the way. Do you have what it takes?
Exploit Development. This section discusses the topics of buffer overflows. You will manually write your own code to exploit a vulnerable program and dive deep into registers to understand how overflows work. This section includes custom script writing with Python 3.
Active Directory. Did you know that 95% of the Fortune 1000 companies run Active Directory in their environments? Due to this, Active Directory penetration testing is one of the most important topics you should learn and one of the least taught. The Active Directory portion of the course focuses on several topics. You will build out your own Active Directory lab and learn how to exploit it. Attacks include, but are not limited to: LLMNR poisoning, SMB relays, IPv6 DNS takeovers, pass-the-hash/pass-the-password, token impersonation, kerberoasting, GPP attacks, golden ticket attacks, and much more. You’ll also learn important tools like mimikatz, Bloodhound, and PowerView. This is not a section to miss!
Post Exploitation. The fourth and fifth stages of ethical hacking are covered here. What do we do once we have exploited a machine? How do we transfer files? How do we pivot? What are the best practices for maintaining access and cleaning up?
Web Application Penetration Testing. In this section, we revisit the art of enumeration and are introduced to several new tools that will make the process easier. You will also learn how to automate these tools utilizing Bash scripting. After the enumeration section, the course dives into the OWASP Top 10. We will discuss attacks and defenses for each of the top 10 and perform walkthroughs using vulnerable web applications. Topics include: SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfigurations, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring.
Wireless Attacks. Here, you will learn how to perform wireless attacks against WPA2 and compromise a wireless network in under 5 minutes.
Legal Documentation and Report Writing. A topic that is hardly ever covered, we will dive into the legal documents you may encounter as a penetration tester, including Statements of Work, Rules of Engagement, Non-Disclosure Agreements, and Master Service Agreements. We will also discuss report writing. You will be provided a sample report as well as walked through a report from an actual client assessment.
Career Advice. The course wraps up with career advice and tips for finding a job in the field.
At the end of this course, you will have a deep understanding of external and internal network penetration testing, wireless penetration testing, and web application penetration testing. All lessons taught are from a real-world experience and what has been encountered on actual engagements in the field.
Note: This course has been created for educational purposes only. All attacks shown were done so with given permission. Please do not attack a host unless you have permission to do so.
Questions & Answers Team Availability and Rules
The Q&A team responds to most questions within 2 business days. Specific Q&A rules are as follows:
1. Please encourage each other and help each other out. The support team is here to help, but is not staffed 24/7.
2. Support assistance will be provided for course related material only. If you are using a tool or method in your labs that is not taught in the course, it is better asked in Discord on an appropriate channel outside of #course-chat.
3. Avoid spoilers for the mid-course capstone. If you are assisting another user or asking a question related to this section, please try to not provide direct answers/solutions.
4. Be kind to others and be patient. This field consists of patience, self-motivation, self-determination, and lots of Googling. Do not demand help or expect answers. That mindset will not take you far in your career. <3
Who this course is for:
Beginner students interested in ethical hacking and cybersecurity.
Created by Heath Adams, TCM Security, Inc. Last updated 4/2020. Language: English, with English [Auto-generated] captions.
Size: 12.61 GB
The post Practical Ethical Hacking – The Complete Course appeared first on Free Course Lab.
PowerDNS Recursor HTML/Script Injection Vulnerability – A Walkthrough
PowerDNS Recursor is a high-end, high-performance resolving name server that powers the DNS resolution of at least a hundred million subscribers. The “Recursor” is one of two PowerDNS name server products, and its primary goal is to act as a resolving DNS server. On Aug. 7, 2017, I reported an XSS (cross-site scripting) vulnerability to PowerDNS and its Security Team. They assigned it the identifier CVE-2017-15092. In this report I will explain how I was able to identify and trigger the vulnerability.
The post PowerDNS Recursor HTML/Script Injection Vulnerability – A Walkthrough appeared first on Security Boulevard.
#347: Using ES Modules in Node Today
This week's JavaScript news
JavaScript Weekly
Issue 347 — August 11, 2017
Use ES Modules in Node Today
@std/esm is a spec-compliant ES module loader for Node 4+ allowing you to transition more smoothly from CommonJS.
John-David Dalton
Techniques for Passing Data Between Promise Callbacks
Some approaches for sharing data between callbacks (which each have their own scope).
Dr. Axel Rauschmayer
🎉 New, Updated: Deep JavaScript Foundations with Kyle Simpson
Join Kyle Simpson, author of the popular “You Don’t Know JavaScript” book series, as he deep dives into JavaScript's core mechanics like scope, closure, this and prototypes ..plus new features in ES6 and more.
Frontend Masters Sponsor
Next.js 3.0: The Universal React App Toolchain
The stable release of Next.js v3.0 arrived this week, bringing with it dynamic import support, static export support, code splitting and more.
Arunoda Susiripala and Tim Neutkens
Building a Simple AI Chatbot with the Web Speech API and Node
A complete walkthrough of bringing together browsers’ speech recognition support with Node and a third party natural language processing service.
Tomomi Imura
Reverse Engineering Obfuscated JavaScript (video)
A look at how one library achieves the irksome ‘pop under’ effect in Chrome 59, where others seemingly fail.
LiveOverflow
Jobs
Front End Engineer at EDITED (London). Join us to impact how the world's biggest retailers operate by making a web app with great UX and DX using React, Redux and Glamor. EDITED
Developer - Web Technologies. Broaden your impact and hone your craft; build apps from scratch for expert clients. Pick your tools: Ruby, JavaScript, Elixir… Raizlabs
Front-End JavaScript Developer (Remote) Swift Education Systems
Can't find the right job? Want companies to apply to you? Try Hired.com.
In Brief
Next js13kGames Gamedev Competition Starts This Sunday news A popular JavaScript and HTML5 coding competition for game developers.
Choose your ideal JavaScript framework with the GrapeCity SPEC App Speed, Productivity, Ecosystem, and Compatibility. Let us help you find the best framework for your team. GrapeCity Wijmo Sponsor
6 Ways to Detect Chrome Headless tutorial If you want to detect bots or scrapers, say. Antoine Vastel
How To Get Started with V8 Development? tutorial Franziska Hinkelmann
Closing Iterables is a Leaky Abstraction tutorial Reg Braithwaite
How Angular Protects Us From XSS Attacks tutorial Dor Moshe
The Consequences of Frozen Prototypes on V8 tutorial Benedikt Meurer
How To Build a GitHub Search UI with React tutorial Divyanshu Maithani
Aggregating Cherry-Picked Lodash Methods In An App Module tutorial Ben Nadel
A Look at the ES proposal for 'Promise.try()' tutorial Dr. Axel Rauschmayer
Reduce time spent debugging by 90% Instantly know what's broken and why. Rollbar is monitoring, alerting, analytics for production errors. Try it. ROLLBAR Sponsor
Why You Should Use PureScript opinion A functional language that compiles to JavaScript. Phil Freeman
An Angular Performance Checklist video Minko Gechev
Britecharts 2.0 Released tools Britecharts is Eventbrite’s D3.js component-based charting library. Marcos Iglesias
DisplayJS: A Lightweight JS Framework for Building Ambitious UIs tools Arthur Guiot
Realtime updates on web and mobile that just work Pusher Sponsor
Nano ID: Tiny, Secure URL-Friendly Unique String ID Generator code Andrey Sitnik
Posterus: Composable Async Primitives ('Futures') with True Cancelation code Nelo Mitranim
Ream: A Framework for Building Universal Vue.js Apps code REAM
Curated by Peter Cooper and published by Cooperpress.
Like this? You may also enjoy: FrontEnd Focus : Node Weekly : React Status
© Cooperpress Ltd. Fairfield Enterprise Centre, Lincoln Way, Louth, LN11 0LS, UK
via JavaScript Weekly
Hackthebox Freelancer walkthrough
Hackthebox Freelancer is based on SQL injection. This CTF is pretty straightforward and teaches the use of the SQLMap tool.
Here is my way to get the flag from this CTF:
The website is built with Bootstrap and PHP. I checked the contact form but couldn’t find anything; at first I was thinking of a stored XSS, but it turns out it is not.
I fired up Dirb after going through the website…