Wednesday 10 April 2013

Cross Site Scripting Exploitation tutorial (XSS) ~ Pack 1


After writing posts on website hacking tutorials such as Hacking Website Database, SQL Injection and CSRF, many readers requested us to post tutorials on XSS. So here we will post all types of XSS tutorials in 3 packs: Pack 1 = Beginner and Basic XSS, Pack 2 = Medium Level, and Pack 3 = Advanced XSS attacks. So let's start with Pack 1.

Note :- XSS Pack 1 contains an introduction, an explanation, and one basic XSS hacking tutorial.


What is XSS?

Cross-site scripting, also called XSS, is one of the common vulnerabilities in web applications. It allows an attacker to run their own script (code), such as HTML or JavaScript, on a webpage. The attacker inserts their script into the webpage, and when a normal user visits it, the attacker's crafted link starts working. Through XSS an attacker can carry out the following attacks:

  • Stealing identity and confidential data (credit card details)
  • Bypassing restrictions in websites
  • Session hijacking (stealing sessions)
  • Phishing attacks
  • Malware attacks
  • Website defacement
  • Denial of Service attacks (DoS)

XSS allows an attacker to run their own script on webpages that are viewed by other normal users. XSS flaws are found in many websites. Read the example below to understand how XSS works and how an attacker can use an XSS vulnerability.

Example 1 :-




Types of XSS


  • Persistent (Stored)
  • Non-Persistent (Reflected)
  • DOM Based XSS

# Persistent (Stored)

Persistent XSS is also called a Stored XSS flaw. In a persistent vulnerability, whatever malicious script an attacker inserts is stored in the database and then runs permanently on the webpage. As you read above (Example 1), that is Persistent XSS.

# Non-Persistent (Reflected)

Non-Persistent XSS, also called a Reflected XSS flaw, is the most common XSS vulnerability found in many websites. In a non-persistent attack, the attacker injects code that is sent to the server via an HTTP request. The server embeds the input in the HTML file and returns the file (the HTTP response) to the browser. When the browser executes the HTML file, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Non-persistent XSS is executed through JavaScript injection code that is not stored in the database: the injection code is just sent via HTTP to the server, and the server reflects the same script back to the user. When an attacker sends it to a normal user, that user sees different JavaScript embedded in the website. Attackers use this vulnerability for phishing, cookie logging, session hijacking, etc.
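The reflection described above, as an added example that is not part of the original post: the same search page rendered once by concatenating the parameter into the HTML and once with output encoding. The function names and the response shape are hypothetical, and the request string is constructed from the markup shown later in this post.

```javascript
// Added example (not from the original post): a reflected "search" page,
// rendered once unsafely and once with output encoding.
// escapeHtml, renderUnsafe, renderSafe and handle are hypothetical names.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the parameter is concatenated into the response as markup.
function renderUnsafe(term) {
  return `<form><input name="search" value="${term}"></form>` +
         `<p>Results for: ${term}</p>`;
}

// Hardened: same page, but the parameter is encoded at the point of output,
// so the browser shows it as text in both the attribute and the paragraph.
function renderSafe(term) {
  const t = escapeHtml(term);
  return `<form><input name="search" value="${t}"></form>` +
         `<p>Results for: ${t}</p>`;
}

// Minimal request handling: pull ?search= out of the request URL the way a
// server would (URLSearchParams percent-decodes the value).
function handle(requestUrl, render) {
  const url = new URL(requestUrl, 'http://localhost');
  const term = url.searchParams.get('search') ?? '';
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Defence in depth: disallow inline script even if encoding is missed.
      'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    },
    body: render(term),
  };
}

// Constructed request using the markup string shown later in this post.
const sample = '/search.php?search=<font%20color=green><h1>hacked%20by%20hack%20w0rm</h1></font>';
console.log(handle(sample, renderUnsafe).body); // markup reaches the page intact
console.log(handle(sample, renderSafe).body);   // markup arrives as inert text
```

Encoding belongs at the point of output and must match the context; this helper covers element content and quoted attributes only, not script blocks or URLs.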

# DOM Based XSS

DOM Based XSS is a third-party and advanced XSS attack that I'll explain in Pack 2.


XSS Vulnerability and Exploitation



1. Non-Persistent XSS Exploitation tutorial

# Requirements :-


Note :- The tutorial below is a simple Non-Persistent XSS exploitation. Use at your own risk.

# XSS Vulnerable Website and Exploitation

Basically, hackers use Google dorks and web vulnerability scanners to find vulnerable websites. Download the XSS dorks list from here and search on Google; after getting a vulnerable website, scan it and find the exploitation script using Xenotix XSS Exploiter.



Well, scan it, click on Manual code and test the codes one by one until you get the above error message. After that, test for the XSS vulnerability exploitation point: do the same in manual mode, one by one, and click on Go at every test until you get a message from the webpage --



and manually inject all the dorks one by one. If you get the above error, just put this code after the website's vulnerable link :-


/search.php?search=<font%20color=green><h1>hacked%20by%20hack%20w0rm</h1></font>

For Example :-

http://www.targetwebsite.com/photo-gallery.php?id=1/search.php?search=<font%20color=green><h1>hacked%20by%20hack%20w0rm</h1></font>

You can also inject a script with images, as I did. Click here to go to my XSS hacked website.

Using that vulnerable website you can also inject your own script :) and practice XSS.

And suppose you find any type of vulnerability in a website that contains a login and forms; then you can also steal cookies and deface the website. I'll teach you that in Pack 2.


Note :- This is for educational purposes only. I will not be responsible for any XSS attack performed by any reader.


Pack 2 will be released soon with more advanced XSS attacks and exploitation.
If you want to say thanks, then share it and share knowledge :)