Basic Hacking Via Cross Site Scripting XSS
Cross site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users.

So let's say that Cross Site Scripting (XSS) is a hacking method that allows an attacker to inject script into a web server, which can affect other users accessing that web page.

Actually there are 2 types of Cross Site Scripting (XSS): Non-Persistent and Persistent (you can read more about them on Wikipedia), but in this tutorial we will learn about the non-persistent one.
One of my computer security classmates asked me what I would get if I successfully found a website vulnerable to XSS. I can simply answer: it depends. Yes, it depends on how the server handles your request and how it takes care of the malicious data you provide to the server, but the non-persistent one is great enough to spread a malicious file to many internet users.

Requirements :
1. Find a website vulnerable to Cross Site Scripting (XSS), or

2. You can download the simple PHP file

Step by Step :

1. You can use the PHP file that you have downloaded to test it in your own lab (use XAMPP), but for this tutorial I will use a real website on the wild internet (do not worry, the logic is the same; once you understand it you'll get the point).

2. Use Google to search for a vulnerable website :

Google keyword : Pencarian inurl:co:id

Pencarian is Indonesian for "searching"; you can modify the Google parameter to search for much more specific websites, even in your own language.

3. To find a vulnerable website, you need to do trial and error. I tested more than 5 websites to see whether their search feature is vulnerable to XSS or not.

The simple method to test is to use an h1 tag and a script alert 'x' script tag.

4. If the website was vulnerable
Description :
1. I tested another website and entered the code h1 TEST / h1 or script alert x script in the search box.

2. The result showed a heading title, but I was not sure, so

3. I checked the selection source to make sure it was not just bold text :-p

4. Oops.. my query was processed by the server without any filtering 🙂

5. Now we've got the vulnerable website; what to do next? Did you know that with Cross Site Scripting (XSS) you can also deface a website by injecting some code into it? (Not a real deface, a fake one.)

I put this script in the search box to display the fake website defacement.

script document.body.innerHTML= style body visibility:hidden style div style=visibility:visible h1>THIS SITE WAS HACKED scrip

6. You can also use this Cross Site Scripting (XSS) vulnerability to steal a session cookie.

7. Now that we can deface, show a heading tag, and alert using JavaScript, what next?

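Seen from the defending side, the flaw found in step 4 (the search query reaching the page unfiltered) and the session cookie exposure mentioned in step 6 are closed as shown below. This is an added example, not the downloadable PHP file from this tutorial; the function names, the `q` parameter and the header values are assumptions.

```php
<?php
// Added example; function names are hypothetical, not from the tutorial's PHP file.

// Vulnerable: the search term is copied into the HTML unchanged, so any
// markup in the query becomes part of the page the browser renders.
function render_results_vulnerable(string $q): string
{
    return '<p>Results for: ' . $q . '</p>';
}

// Hardened: encode for the HTML context at output time.
function render_results_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $encoded . '</p>';
}

// Defence in depth: restrict script sources and keep the session cookie
// out of reach of page script. Must run before any output is sent.
function harden_response(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
    session_set_cookie_params([
        'httponly' => true,  // not readable through document.cookie
        'secure'   => true,  // sent over HTTPS only (lab must serve HTTPS)
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: the harmless heading marker from step 3.
    $sample = '<h1>TEST</h1>';
    echo render_results_vulnerable($sample), PHP_EOL; // tag is emitted as markup
    echo render_results_safe($sample), PHP_EOL;       // tag is emitted as encoded text
} else {
    harden_response();
    header('Content-Type: text/html; charset=UTF-8');
    $q = is_string($_GET['q'] ?? null) ? $_GET['q'] : ''; // reject array input
    echo render_results_safe($q);
}
```

Run it with `php` on the command line to compare the two outputs, or place it under XAMPP to serve the hardened version only.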
Conclusion
This is only for educational purposes; do not cause any harm with this knowledge. For more exciting and interesting hacks, follow us.