Page Contents
Basic Hacking Via Cross Site Scripting XSS
Cross site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users.
So let say that Cross Site Scripting (XSS) was a hacking method that allow attacker inject some script to web server that can affect other users that accessing that webpage.
Actually there’s 2 types of Cross Site Scripting (XSS) : Non-Persistent and Persistent (you can read it more at wikipedia), but in this tutorial we will learn about the non-persistent one.
One of my computer security classmate ask me about what will I got if I successfully found a vulnerable XSS website?, I simply can answer it’s depend; yes it is depend on how the server handle your request and how they take care the malicious data you provide to the server, but the non-persistent one is great enough to spread a malicious file to many internet users.
Requirements :
1. Found a Cross Site Scripting (XSS) vulnerable website, or
2. You can download the simple PHP file
Step by Step :
1. You can use the PHP file
that u have downloaded for you test it on your own lab(use XAMPP), but for this tutorial I will use from real website on the wild internet (do not worry, the logic was the same, once you understand it you’ll got the point)
2. Use Google to search for vulnerable website :
Google keyword : Pencarian inurl:co:id
Pencarian was Indonesian language equal to searching, you can modify the Google parameter for search the much more specific website even in your own language.
3. To find a vulnerable website,
you need to do a trial and error. I’m testing more than 5 website to test for their search feature is it vulnerable or not for XSS.
The simple method to test was using h1 and script alert ‘x’ script tag
4. If the website was vulnerable
Description :
1. I test other website and input the code h1 TEST / h1 or script alert x script on search box.
2. The result was show a heading title, but I’m not sure, then
3. I check the selection source to make sure it’s not a bold :-p
4. Oops..my query was purely processed by server without filtering 🙂
5. Now we got the vulnerable website what to do next?? Did you know that with Cross Site Scripting (XSS) you also can do a defacing to a website by injecting some code in it?(not really deface/fake)
I put this script on search box to display the fake website deface.
script document.body.innerHTML= style body visibility:hidden style div style=visibility:visible h1>THIS SITE WAS HACKED scrip
6. This Cross Site Scripting (XSS) Vulnerability also you can use to steal a session cookie,?
7. Now after we can do deface, show a heading tag, and alerting using javascript what next?
Conclusion
This is only for educational purpose do not cause any harm with this knowledge, for more exciting and interesting Hacks Follow US.
June Long Challenge 2021 Solutions
- Maximum Frequent Subarray Sum solution codechef
- Dual Distance solution codechef
- Optimal Xor Set solution codechef
- Minimum Subtree Cover solution codechef
- Minimum Dual Area solution codechef
- Bitwise Tuples solution codechef
- Shortest Route solution codechef
- Bella ciao solution codechef
- Summer Heat solution codechef
March Long Challenge 2021 Solutions
- An Interesting Sequence ISS SOLUTION
- Tree House THOUSES SOLUTION
- Valid Paths VPATH SOLUTION
- Modular Equation MODEQ SOLUTION
- Tic Tac Toe TCTCTOE SOLUTION
- Xor Equality XOREQUAL SOLUTION
- Golf LKDNGOLF SOLUTION
- Solubility SOLBLTY SOLUTION