Cross Site Scripting
Today we will be learning about a vulnerability called XSS (Cross Site
Scripting), plus how to exploit it.
What is XSS? What can I accomplish with it?
XSS is most commonly found in search bars and comment boxes. We can then inject almost any type
of programming language into the website.
injection. However, you can inject other
languages which will also affect the contents of the affected webpage.
Most people use it to deface websites, and also to redirect victims to malicious files like viruses, worms and cookie loggers
and XSS shells on the website.
What causes the vulnerability?
Poor PHP coding within text boxes and
submission forms. They were too lazy to
code it properly, allowing us to inject
strings into the source code, which would
then give us the output of what we put
in, since it's also in the source code. They
did not bother to filter or sanitize what we type in. They allowed characters such as “>, “, /”,
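As an added example (not code from the original post), here is the unfiltered PHP output described above next to versions that encode the input with htmlspecialchars() before printing it, for both a search box and stored comments. The function names and sample values are constructed for illustration.

```php
<?php
// Added example; function names and sample data are constructed for illustration.

// Vulnerable pattern: the search term is placed into the page unchanged,
// so any markup characters in it become part of the HTML source.
function render_search_unfiltered(string $term): string
{
    return '<p>You searched for: ' . $term . '</p>';
}

// Encode for the HTML context at the moment of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Non-persistent case: the term comes straight from the request.
function render_search_encoded(string $term): string
{
    return '<p>You searched for: ' . h($term) . '</p>'
        . '<input type="text" name="q" value="' . h($term) . '">';
}

// Persistent case: comments are stored as typed and encoded every time they are shown.
function render_comments_encoded(array $comments): string
{
    $html = '<ul>';
    foreach ($comments as $comment) {
        $html .= '<li><b>' . h($comment['author']) . '</b>: ' . h($comment['body']) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed input containing the characters the post says were allowed through.
$term = '"><b>test</b>';
$comments = [
    ['author' => 'alice', 'body' => 'Nice post'],
    ['author' => 'bob',   'body' => $term],
];

echo render_search_unfiltered($term), PHP_EOL; // markup reaches the page as HTML
echo render_search_encoded($term), PHP_EOL;    // markup is shown as plain text
echo render_comments_encoded($comments), PHP_EOL;
```

Viewing the source of each output shows the difference: the unfiltered version contains a real `<b>` element, while the encoded versions contain only `&lt;`, `&gt;` and `&quot;` entities.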
TYPES OF XSS
There are two types of XSS: persistent and
non-persistent. If you inject some code into
the website and it stays up there for a long time, i.e.
(you leave the page and come back, and it's
still there), then it is persistent.
That is good, because when you get non-persistent it will not stay on the website; you will only see it once.
With persistent XSS you can do much
more: leave messages, redirect them, steal cookies, etc.
With non-persistent the most you can do is
upload a cookie logger.
What will you be learning today?
The basics of XSS and cookie logging.
How to test for XSS vulnerabilities.
To test if the website is vulnerable to XSS
we want to go to a search box and inject
was successfully executed.
If we see a pop-up message on our screen
saying “XSS”, it means the webpage or website we are on is vulnerable.
In some cases, a message might not pop up.
If it doesn’t work, check the source code
and have a look at the output. Most of the
time the error requires you to make a little
Okay, we have found out that it is
vulnerable. We can now move on.
How can I DEFACE a webpage with XSS?
I will be showing you methods for
persistent, and non-persistent XSS.
First I will be starting with persistent XSS.
Since it’s persistent I want to redirect my
victims to a deface page. We simply just
Remember, you can always alter the code if
it doesn’t work.
You can do many things with XSS, you just
need all the right strings. I’m only focusing
on defacing, since most people just deface
sites these days.
Okay. Obviously we can't redirect users
with non-persistent. But with basic web-based
programming knowledge we can make a cookie logger in PHP. We may also need advanced social engineering skills for people to open our cookie logger.
How to make a cookie logger: tutorial coming soon.
Posted From r00t @ l0wsec