XSS ATTACKS & DEFACEMENT

image

XSS
Cross Site Scripting

Today We Will Be Learning About a vulnerability called XSS/Cross Site
Scripting. Plus how to exploit it.

What is XSS?? what can I accomplish with it?

XSS is Most Commomly Found in search bars and comment boxes. We can then inject almost any type
of programming language into the website.
Whether be it Javascript, HTML or XML.

XSS is mainly directed at Javascript
injection. However, you can inject other
languages which will also affect The Contents of The Affected Webpage.

Most people use it to Deface Websites, And To also redirect Victims To malicious Filea Like Viruses, Worms and cookie loggers
and XSS shells on the website.

What Causes the vulnerability?

Poor PHP coding within text boxes and
submission forms. They were too lazy to
code it properly allowing us to inject
strings into the source code, that would
then give us the conclusion of what we put
in since it’s also in the source code. They
did not bother to filter  Or Sanitized what we type in.They allowed characters such as    “>, “, /”,

etc.

TYPES OF XSS

There are two types of XSS. Persistent and
Non-Persistent If you inject some code into
the website and it Stays Up There for A long time ie

(you leave the page and come back, and it’s
still there) then it is persistent…

That isvgood. Because When you get non-persistent it will not stay on the website, you will only see it once.

With persistent XSS you can do much
more, leave messages, redirect them, Steal Cookies etc.

With non-persistent the most you can do is
upload a cookie logger.

WHAT will you be  LEARNING Today?

The basics of XSS and cookie logging.
How to test for XSS vulnerabilities.

To test if the website is vulnerable to XSS
we want to go to a search box and inject
some Javascript. We’ve found a search box
and now we want to use Javascript to alert
a message so we can see if the Javascript
was successfully executed.

alert(‘XSS’);

IF we see a pop up message on our screen
saying “XSS”. It means The Webpage or Website we are on is Vulnerable.

In some cases, a message might not pop up.
If it doesn’t work, check the source code
and have a look at the output. Most of the
time the error requires you to make a little
change.

Okay, we have found out that it is
vulnerable. We can now move on.

How can I DEFACE a webpage with XSS?
I will be showing you methods for
persistent, and non-persistent XSS.
Persistent XSS.

First I will be starting with PERSISTENT XSS
Since it’s persistent I want to redirect my
victims to a deface page. We simply just
inject this some Javascript like we did
before:

JavaScript Code:

window.location=”http://
yourdefacepage.com/index.html”;

Remember, you can always alter the code if
it doesn’t work.

You can do many things with XSS, you just
need all the right strings. I’m only focusing
on defacing, since most people just deface
sites these days.

Non-Peraistent XSS

Okay. Obviously we can’t redirect users
with non-persistent. But with basic web-
based programming knowledge we can make a Cookie logger in Php. We may also need advanced social engineering skills for people to open our cookie logger.

How to make a Cookie Logger Tutorial Coming Soon…..

Posted From r00t @ l0wsec

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s