Saturday, November 9, 2013

Use 404 or Lazy Tips to finding XSS

In my opinion usefulness of an XSS on a random website is next to nothing. What are you going to do with XSS on your local school website? Stil da kookies?
So either you should look for XSS on a major website or find tons of random XSSes in hope some of them will turn out to be any useful.


https://gist.github.com/homakov/7384127

What is a Lazy technique? Only one GET request is required to check if there's XSS. Here are lazy techniques i have in mind:
  1. Developers don't spend much time on 404 pages. So there's >0% chance 404 page reflects unescaped input. The script above does simply GETs sitename.com/<img src=yolo onerror=alert(0)> and checks if the response body has the payload. Easy right?
  2. There are also 5xx errors, try playing with HPP (x[]=1&x[hash]=1) 
  3. Don't forget about 414 error (send super long payload). 
  4. site.com/#<img src=x> for $(location.hash) might work too but you need to catch alert execution in runtime.
  5. please share other lazy tricks you know! 

So I took the first 1k of Alexa and apparently 10+ are vulnerable (wikia, rottentomatoes etc). The script is not perfect (if status code is 404 it doesn't check the body) — feel free to improve it. For 1kk output might be 10k+ of vulnerable websites having PR more than 1. PROFITZ.

Here you can take Alexa top 1 000 000 in CSV

And make some money. For (black) SEO purposes you can make the google bot visit popular-website.com/<a href=//yoursite.com>GOOD</a> etc.
Also send some cheap human traffic on the XSSed pages and dump the page (with tokens in it) +  document.cookie to analyse / data mine it, hoping to find something useful.

So the recipe is simple: take that 1 million, create a lazy XSS pattern (consider more comprehensive patterns, ?redirect_to=..) then use the XSSed page for SEO / stealing cookies.

Completely hassle free way to find bugs. Oh, also check out the Sakurity Hustlers - Bug Hunters Top.

7 comments:

  1. Replies
    1. that's a node.js script. node script.js will run it.
      welcome if you call this a gift :D

      Delete
  2. Hello,

    I'm kinda newbie in all that staff :D

    Could you explain how that kind of XSS can be dangerous for other people than hacker, I mean if you inject your script in 404 page you will be the only one who will run that script, am I missing something (propably yes :D )

    cheers

    ReplyDelete
  3. About "black seo". Does google bot care about error pages(404,500)?

    AFAIK, if "404 page" contains some indexing content it should return 301 status code. It's not about real 404 pages, but it's about some seo tips :)

    ReplyDelete
  4. I've never heard of the 414 error. Does it have to do with content reflection in the response?

    ReplyDelete
    Replies
    1. Mostly no. But this is interesting error (URI is too long).

      Delete