Hello friends today i am back with one of the most famous website hacking tutorial on "XSS Attack"
Number of worlds best sites including Microsoft,Google,Facebook, you tube and many more best company sites are vulnerable to Xss Attack.still today today also hackers from all over the world use this XSS : Cross Site Scripting to find Vulnerability on the best websites.
Here is the details tutorial on XSS/Cross Site Scripting and also how to exploit it.
What is XSS?, what can I accomplish with it?
XSS is common in search bars and comment boxes. We can then inject almost any type ofprogramming language into the website. Whether it be Javascript, HTML or XML. XSS is mainly directed at Javascript injection.
Most people use it to display messages on the website, redirect you to their defacement and even put cookie loggers and XSS shells on the website.
Reason Behind XSS vulnerability?
Poor PHP coding within text boxes and submission forms. They were too lazy to code it properly allowing us to inject strings into the source code, that would then give us the conclusion of what we put in since it's also in the source code. They did not bother to filter what we type in. They allowed characters such as ">, ", /", etc.Types of XSS
There are two types of XSS. Persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it's still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website, you will only see it once. With persistent XSS you can do much more, leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.We discussing here The basics of XSS and cookie logging.
Tutorial On XSS
How to test for XSS vulnerabilities.
To test if the website is vulnerable to XSS we want to go to a search box and inject some Javascript. We've found a search box and now we want to use Javascript to alert a message so we can see if the Javascript was successfully executed.
**<*script*>alert('XSS');
(Important:Please remove "*" or type the above text on search box without "*")
Now we will see a pop up message "XSS"shown In picture
Click here to see image
In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.
"*>* (Important:Please remove '*' or type the above text on search box without '*') Now, we have found out that it is vulnerable.Lets go to next step.
deface/Hacking a webpage with XSS?
Here is the important part that explain defacing website i have methods for both persistent, and non-persistent XSS.Persistent XSS.
First I will be starting with persistent XSS. Since it's persistent I want to redirect my victims to a deface page. We simply just inject this some more Javascript like we did before:<*script*>window.location="*http://yourdefacepage.com/index.html";<*/script*>(Important:Please remove '*' or type the above text on search box without '*') Remember, you can always alter the code if it doesn't work. You can do many things with XSS, you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.Non-persistent XSS.
Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.
No comments:
Post a Comment