BASIC type of XSS WITH PRACTICAL FOR NOOBIES.... LETS START.......... What is XSS? Xss stands for Cross-site-Scripting and is a web hacking method where you inject HTML or Javascript on the web-page. This attack can be done by submitting queries into text boxes or simply in the URL. The result will be the website reads your query and executes it. Xss is a very powerful method, it can be used to steal someones cookies. Or you can use some social-engineering to manipulate people to download a virus that you have created. Such as a Botnet, RAT or even a keylogger. Xss can be a very powerful attack method but can also be very mild. Most of the xss attacks are mild. You can use an alert box to show that the site is vulnerable, you can do this to show the admin that his site is vulnerable. I’m going to give you a few examples of what xss can be used for and how powerful xss can be. What is HTML HTML stands for Hypertext Markup Language, and is the main markup language in websites. HTML is much like a programming language they are both languages, that are used to create attributes and events. You can use HTML to create forms, buttons, and other stuff that can be used in a web page. I highly doubt you will ever encounter a website that does not contain even a slight amount of HTML. What is Javascript? First of all there is a HUGE difference between Javascript and Java. Java is a programming language that are fairly similar to c++ and are used to create games and applications. Javascript isn’t used nearly as much as HTML. It is used more in applications outside of the website. Javascript can be an incredibly useful language among with HTML and they are both two languages you can’t get pass if you want to master XSS or hack websites. Your first xss attack In this section i will teach you how to perform a XSS attack and how to find XSS vulnerabilities. If you already know the basic of xss you can skip this part. So where can you find xss vulnerabilities? They are found in search boxes, url’s, signup forms etc. Basically in every text area where you can input something. So lets take the most used basic query of all time and paste it in the search box. Code: alert("xss") That little script is HTML and will basically make an alert box saying xss. If you get a pop up box saying “xss”, you have successfully performed your first xss attack. You can make it saying something else by simply editing the part that says “xss”. ex. Code: alert(“you text goes here”) But what if nothing happens? Don’t worry that just means they have installed a filter that checks for malicious (dangerous) content, like HTML and Javascript. It will therefore block the script and preventing it from executing. But fortunately there are methods to bypass the filter. We can do that by encrypting the script. We will be using a little function called “String.FromCharCode”. It will encrypt the script into ASCII. An example of this could be: Code: alert(String.fromCharCode(88,83,83)) That script is doing the exactly same thing as this script: Code: alert(“xss”) Advanced xss In this section i will show you how to use xss in malicious ways. But remember all malicious attacks sent to a website, server etc. is illegal and can be prosecuted. I will not be responsible for what you are using this information to. Cookie logger: A cookie logger is used to log the targets cookies in a .txt file. This is the most malicious thing we can do with a non-persistent xss. The way i am going to show you is a three steps method. First of setup an account on a free hosting service. Personally i find 000webhost/ or serversfree/ as the best. Once you done that create a file on the root folder and call it CookieLogger.txt leave the text file empty. It is in that file the cookie logger will save the cookies it logs. Now create another file called CookieLogger.php remember the extension .php . In that file insert this code: PHP Code:
Posted on: Tue, 23 Jul 2013 15:50:20 +0000
Trending Topics
Recently Viewed Topics
© 2015