This tutorial is for educational purposes only. I am not at all responsible if someone uses it, intentionally or unintentionally, to harm anyone. I am not at all responsible for any crime or mischief caused…
What is XSS?
‘XSS’, also known as ‘CSS’, stands for Cross-Site Scripting. It is a very common vulnerability found in web applications. XSS allows the attacker to insert malicious code. There are many types of XSS attacks; I will mention 3 of the most used. This kind of vulnerability allows an “attacker” to inject code into the affected application in order to bypass access to the website or to carry out “phishing” against its users.
Types of XSS
There are actually three types of Cross-Site Scripting, commonly named as:
- DOM-Based XSS
- Non-persistent XSS
- Persistent XSS
DOM-Based: DOM-based Cross-Site Scripting allows an attacker to work not on a victim website but on a victim's local machine. Operating systems usually ship with some HTML pages created for various purposes, and because humans make mistakes, these HTML pages can often be exploited due to code vulnerabilities.
DOM-based XSS exploits these problems on users' local machines in this way:
- The attacker creates a well-built malicious website
- The unsuspecting user opens that site
- The user has a vulnerable page on his machine
- The attacker’s website sends commands to the vulnerable HTML page
- The vulnerable local page executes those commands with the user’s privileges on that machine
- The attacker easily gains control of the victim's computer
Non-Persistent: Non-persistent XSS vulnerabilities are the most common ones found on the Net. The type is called “non-persistent” because it works on an immediate HTTP response from the victim website: it shows up when the web page uses the data provided by the attacker’s client to automatically generate a result page for the attacker himself. Building on this, the attacker can provide some malicious code and try to make the server execute it in order to obtain some result.
The most common application of this kind of vulnerability is in website search engines: the attacker writes some arbitrary HTML code in the search text box and, if the website is vulnerable, the result page will return the rendered result of that HTML.
Persistent: Persistent XSS vulnerabilities are similar to the second type (non-persistent XSS), because both work on a victim site and try to steal users' information. The difference is that on websites vulnerable to persistent XSS the attacker doesn’t need to provide a crafted URL to the users, because the website itself permits users to insert fixed data into the system: this is the case, for example, with “guestbooks”. Users normally use that kind of tool to leave messages for the owner of the website, and at first glance it doesn’t seem dangerous. But if an attacker discovers that the system is vulnerable, he can insert some malicious code in his message and make ALL visitors victims of it.
This works when the tool provided (the guestbook in the example) doesn’t do any check on the content of the inserted message: it just inserts the data provided by the user into the result page.
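The search-box and guestbook cases described above, shown from the developer's side as an added example (not code from the original post): each renderer appears once in its vulnerable form and once with output encoding applied, plus a small regression check. All function names and sample data are constructed for illustration.

```javascript
// Added example: vulnerable vs. hardened renderers for a search page and a guestbook.
// All names and sample inputs are constructed for illustration.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change how the browser parses HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Non-persistent case: the search term is echoed straight into the result page.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Persistent case: stored guestbook messages are served to every visitor.
function renderGuestbookUnsafe(entries) {
  return entries.map((e) => `<li>${e.name}: ${e.message}</li>`).join("");
}
function renderGuestbookSafe(entries) {
  return entries
    .map((e) => `<li>${escapeHtml(e.name)}: ${escapeHtml(e.message)}</li>`)
    .join("");
}

// Regression check: does a renderer return a harmless bold-tag probe as live markup?
const PROBE = "<b>probe</b>";
function echoesMarkup(render) {
  return render(PROBE).includes(PROBE);
}

const guestbook = [
  { name: "alice", message: "Nice site!" },
  { name: "bob", message: PROBE }, // constructed entry that contains markup
];

console.log("search unsafe echoes markup:", echoesMarkup(renderSearchUnsafe));
console.log("search safe echoes markup:  ", echoesMarkup(renderSearchSafe));
console.log(renderGuestbookUnsafe(guestbook));
console.log(renderGuestbookSafe(guestbook));
```

This encoding is correct for text placed in an HTML element body; values written into attributes, URLs or inline scripts need encoding specific to that context.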
How to Find XSS Vulnerabilities?
To start finding these vulnerabilities, you can check out blogs, forums, shoutboxes, comment boxes and search boxes; there are too many to mention.
Using ‘Google Dorks’ makes the finding easier. If you want to get started, go to google.com and type inurl:"search.php?q=". That is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it is just a matter of having a good eye and some good knowledge of how to bypass their filtering.
Basics of XSS
Now let's start learning some actual methods. The most commonly used XSS injection is:
alert("The Hacker News")
This will pop up an alert message saying “The Hacker News”, without the quotes.
So, use “search.php?q=” and you can simply try the following on a website with the same parameter:
http://website.com/search.php?q=alert("The Hacker News")
There is a good chance of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=
The Hacker News
If you see the bold text on the page and the newlines, then you know it's vulnerable.
Now, how to deface a website using XSS I am leaving to you……
Enjoy :)
Remember: always hack to learn, never learn to hack….