BEGINNER GUIDE TO CROSS SITE SCRIPTING (XSS) - HACKING Begins

October 16, 2011

BEGINNER GUIDE TO CROSS SITE SCRIPTING (XSS)

Welcome to "HACKING begins - An approach to introduce people with the truth of HACKING".

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. It is one of the most common web application vulnerabilities. Because the injected script runs in the victim's browser with the same privileges as the site's own scripts, an attacker can use it to deliver malware, mount phishing attacks and hijack sessions.

XSS Vulnerability and Injection:

Step 1: Finding Vulnerable Website 

Finding an XSS-vulnerable website is not a big deal. Google for a dork such as inurl:"search.php?q=" or inurl:"search.php?error=". A "dork" is simply a search query built from operators like inurl:, which returns pages whose URL contains the given string; these two match search forms whose user input is passed in the URL, which is exactly the kind of parameter that is most often reflected back into the page.


Step 2: Testing the Vulnerability

In order to test the vulnerability, we need to find a POST or GET parameter: an input that the browser sends to the server and that the server echoes back in its response. There are two ways to try it on a website: enter the malicious script in an input field such as a username or search box, or inject the script directly into a URL parameter.

 

Method 1:  Injection in form box

An attacker can enter the malicious script in the search box and click the search button. If the site writes the search term back into the page without encoding it, the browser treats the injected tag as part of the page and runs the script.

<script>alert("xyz");</script> put this code in the search box.

<script> : The script tag tells the browser that what follows is client-side script (JavaScript).
alert : A function that pops up a dialog box; it is nothing but a simple window containing the message in double quotes. It is used here only as a harmless proof that script execution was achieved.
</script> : Marks the end of the script.

 

Method 2 : Injecting in Url

In this method, we put the code in the URL.

For Example: www.victim.com/search?q=<script>alert("hi")</script>

If a popup box showing "hi" appears, the parameter is reflected without encoding and the site is vulnerable to XSS. If nothing appears, view the page source and look for the payload: if the < and > have been turned into &lt; and &gt;, the site is encoding its output correctly; if the payload landed inside an HTML attribute or a JavaScript string instead of as a bare tag, a different payload that breaks out of that context is needed. The browser URL-encodes characters such as < and " when you press Enter; that is normal, and the server decodes them before use.
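The two steps above (build the test URL, then look at how the parameter comes back) as a small checker, an added example that is not part of the original post. The helper URL-encodes the guide's probe string, and instead of waiting for a popup it inspects the response body and tells you whether the probe came back raw (the browser would execute it), HTML-encoded (it would only be displayed), or not at all. The three sample responses are constructed here so it runs offline; the www.victim.com URL is the hypothetical one from the text.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# The probe string from the guide: it only pops a box, it does no harm.
PAYLOAD = '<script>alert("xyz");</script>'


def build_test_url(base_url, param, payload=PAYLOAD):
    """Return base_url with `param` set to the probe, properly URL-encoded.

    Characters such as <, > and " are percent-encoded in the query string;
    the server decodes them, so the application still sees the raw payload.
    """
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = payload
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body, payload=PAYLOAD):
    """Say how (or whether) the probe came back in an HTML response body.

    "unencoded": the exact payload is in the page, so the browser will run it
                 and show the popup -- this is the vulnerable case.
    "encoded":   the site turned < > " into entities; the text is displayed,
                 not executed, so this parameter is not exploitable this way.
    "absent":    the parameter is not echoed in this response at all.
    """
    if payload in body:
        return "unencoded"
    escaped_forms = {
        html.escape(payload, quote=True),   # &lt;script&gt;alert(&quot;xyz&quot;);...
        html.escape(payload, quote=False),  # same, but with the quotes left alone
    }
    if any(form in body for form in escaped_forms):
        return "encoded"
    return "absent"


def probe(base_url, param, payload=PAYLOAD):
    """Fetch the test URL and classify the reflection (needs network access).

    Only point this at a site you own or are permitted to test.
    """
    url = build_test_url(base_url, param, payload)
    with urlopen(url) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return url, classify_reflection(body, payload)


# Constructed sample responses, so the checker can be exercised offline.
SAMPLE_VULNERABLE = (
    '<html><body><h2>Results for: <script>alert("xyz");</script></h2>'
    "<p>No results.</p></body></html>"
)
SAMPLE_SAFE = (
    "<html><body><h2>Results for: "
    "&lt;script&gt;alert(&quot;xyz&quot;);&lt;/script&gt;</h2>"
    "<p>No results.</p></body></html>"
)
SAMPLE_NOT_ECHOED = "<html><body><p>No results.</p></body></html>"

if __name__ == "__main__":
    print(build_test_url("http://www.victim.com/search?q=test", "q"))
    for name, body in [("vulnerable", SAMPLE_VULNERABLE),
                       ("safe", SAMPLE_SAFE),
                       ("not echoed", SAMPLE_NOT_ECHOED)]:
        print(name, "->", classify_reflection(body))
```

The "encoded" result is the one you want to see on a site you are responsible for; "unencoded" is the case that produces the popup in the browser. Against a real target, `probe()` does the fetch, but the classification logic is the same as what runs on the constructed samples.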


Types of XSS Based on persisting capability:

 

Non-persistent (reflected): The malicious code is carried in the request itself (a URL or form parameter) and echoed straight back in the response to that one request. Nothing is stored, so the attacker has to get each victim to open the crafted link.

 

Persistent (stored): The malicious code is saved on the server, for example in a comment, a forum post or a profile field, and is served to every user who later views that page. No crafted link is needed, which makes it the more dangerous of the two.

 

Local XSS (DOM-based): The payload is never sent to the server at all; a script already on the page reads attacker-controlled data, such as the part of the URL after #, and writes it into the document. Note that XSS by itself only runs script inside the vulnerable site's origin in the victim's browser; installing spam bots, worms or backdoors on the visitor's computer would additionally require a separate browser exploit, which is a different class of attack.
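The reflected and stored cases side by side, as an added example that is not code from the original post. Each vulnerable render function is paired with its encoded form so the difference is visible in the output: the reflected case only ever affects the request that carried the payload, while the stored case replays it to everyone who loads the comments. The last pair goes slightly beyond the text to show that the right encoding depends on where the value lands: inside an attribute, encoding only < and > is not enough. A plain list stands in for the database, and all inputs are constructed here.

```python
import html

PAYLOAD = '<script>alert("xyz");</script>'


# --- Reflected (non-persistent): the parameter from this request goes into
# --- this one response and nowhere else.
def render_search_vulnerable(q):
    # The query is pasted straight into the HTML; a <script> tag in it runs.
    return f"<h2>Results for: {q}</h2>"


def render_search_safe(q):
    # HTML-encode the untrusted value; the browser displays text instead.
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>"


# --- Persistent (stored): the payload is kept server-side and served to
# --- every later visitor.  A plain list stands in for the database.
def post_comment(store, text):
    store.append(text)


def render_comments(store, escape):
    items = (html.escape(c, quote=True) if escape else c for c in store)
    return "<ul>" + "".join(f"<li>{item}</li>" for item in items) + "</ul>"


# --- Context matters: inside an attribute the attacker only needs a quote
# --- to break out, so encoding < and > alone does not help.
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_search_box_half_fixed(q):
    # quote=False leaves " alone, so the value attribute can be closed early.
    return f'<input type="text" name="q" value="{html.escape(q, quote=False)}">'


def render_search_box_safe(q):
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


def contains_raw_script_tag(page):
    """Crude stand-in for the browser: did a live <script> tag survive?"""
    return "<script" in page.lower()


def attribute_broken_out(page):
    """True if the injected text became its own attribute (a new event handler)."""
    return ' onmouseover="alert(1)' in page


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    comments = []
    post_comment(comments, "Nice article!")
    post_comment(comments, PAYLOAD)       # the attacker posts once ...
    print(render_comments(comments, escape=False))  # ... every reader gets it
    print(render_comments(comments, escape=True))
    print(render_search_box_half_fixed(ATTR_PAYLOAD))
    print(render_search_box_safe(ATTR_PAYLOAD))
```

Run it and compare the two comment listings: the unescaped one carries the stored payload to every visitor, the escaped one shows it as harmless text. The half-fixed search box renders as `value="" onmouseover="alert(1)"`, which is why the encoding has to match the HTML context the value is written into.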

What can an attacker do with this vulnerability?

  • Stealing identity and confidential data (credit card details).
  • Bypassing restrictions in websites.
  • Session hijacking (stealing the session cookie or token).
  • Malware attack.
  • Website defacement.
  • DoS attack.
  • Iframe phishing.
  • Injecting a phishing script.
For testing: try http://testasp.vulnweb.com/Search.asp, a site that is provided deliberately for practising this.
Go to this link and try different scripts on it for a demo.

Dork List for XSS 
  1. inurl:search.php?q=
  2. inurl:com_feedpostold/feedpost.php?url=
  3. inurl:scrapbook.php?id=
  4. inurl:headersearch.php?sid=
  5. inurl:/poll/default.asp?catid=
  6. inurl:/search_results.php?search=
  7. inurl:/preaspjobboard//Employee/emp_login.asp?msg1=
  8. inurl:/pages/match_report.php?mid=

 

Hope you like it, and please suggest topics for new posts.

Thanks and Regards  
Sahil Mahajan C|EH

3 comments:

  1. Sir, I didn't understand what you mean by "Google for dork".

  2. Your blog is very interesting, and you explain how hackers use XSS to hack a website. But you never told us how to protect a website from such danger.
