XSS Explanation: How Can an XSS-Vulnerable Website Be Hacked?


Hey Guys,

Cross-Site Scripting, aka XSS, is one of the most common vulnerabilities in web applications, so today I'll explain what exactly XSS is and how this vulnerability can be used against any web app that suffers from it.

What is XSS (Cross-Site Scripting)? As I mentioned above, it is one of the most common vulnerabilities in web apps, and it allows a hacker or attacker to insert malicious code into the web app. Using this vulnerability, the attacker can also change the index page by adding some code to the URL. This kind of vulnerability also helps an attacker bypass web security and can be applied in "phishing" to fool users.

XSS types: this vulnerability allows 3 types of XSS attacks, given below:

1. DOM Based
2. Non-Persistent
3. Persistent

What is "DOM Based XSS"?
DOM (Document Object Model) Based XSS is used by an attacker to work on the victim's local machine, not on a website. Operating systems usually include HTML pages created for different purposes, and as long as humans make mistakes, these HTML pages can often be exploited due to code vulnerabilities.

DOM Based XSS affects the victim's local machine in this way:
- The attacker creates a well-built malicious website.
- The unsuspecting user opens that site.
- The user has a vulnerable page on his machine.
- The attacker's website sends commands to the vulnerable HTML page.
- The vulnerable local page executes those commands with the user's privileges on that machine.
- The attacker easily gains control of the victim's computer.

Non-Persistent: This is the most common vulnerability found in web apps. Its name describes how it works: it relies on an immediate HTTP response from the victim website.
It shows up when a web page takes the data fed to it by the attacker and generates a result page for the attacker himself. From there the attacker can supply malicious code and try to get it executed through the server's response in order to obtain some result.
Websites that are vulnerable to this Non-Persistent XSS can be found.

Persistent: Persistent XSS vulnerabilities are similar to Non-Persistent XSS, because both work on a victim website and try to steal users' information. The difference is that on websites vulnerable to Persistent XSS the attacker doesn't need to give a crafted URL to the users, because the website itself allows users to insert fixed data into the system: this is the case, for example, with "guestbooks". Users normally use that kind of tool to leave messages for the owner of the website, and at first glance it doesn't seem dangerous. However, if a hacker discovers that the system is vulnerable, he can insert some malicious code in his message and make ALL visitors victims of it.
This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it simply inserts the data provided by the user into the result page.
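The guestbook case described above, next to the output-encoding fix, as an added example that is not code from the original post. It also covers the reflected (Non-Persistent) case with the same encoder; all function names, the entry data and the helper `containsInjectedTag` are hypothetical and the sample input is constructed.

```javascript
// Constructed guestbook entries; the second carries markup instead of plain text.
const entries = [
  { name: "Alice", message: "Nice site!" },
  { name: "Mallory", message: '<b>bold</b><script>alert("The Hacker News")</script>' },
];

// Vulnerable: the message is concatenated into the page with no check,
// so markup submitted by one visitor becomes part of the HTML served to all.
function renderGuestbookUnsafe(list) {
  return list.map(e => `<li><strong>${e.name}</strong>: ${e.message}</li>`).join("\n");
}

// Encode the five characters that let text break out of HTML body text
// or a quoted attribute value. Single pass, so "&" is never double-encoded.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hardened: every user-controlled field is encoded at output time.
function renderGuestbookSafe(list) {
  return list
    .map(e => `<li><strong>${escapeHtml(e.name)}</strong>: ${escapeHtml(e.message)}</li>`)
    .join("\n");
}

// Same fix for the reflected case: a search term echoed into text and an attribute.
function renderSearchSafe(q) {
  const safe = escapeHtml(q);
  return `<h1>Results for ${safe}</h1><input name="q" value="${safe}">`;
}

// Regression check: did any tag from the user input survive into the output intact?
function containsInjectedTag(html, userInput) {
  const tags = String(userInput).match(/<[a-z!\/][^>]*>/gi) || [];
  return tags.some(t => html.includes(t));
}

console.log(renderGuestbookUnsafe(entries));
console.log(renderGuestbookSafe(entries));
```

Encoding at output time protects the HTML body and quoted-attribute contexts shown here; data placed inside script blocks, URLs or unquoted attributes needs context-specific encoding instead.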

How to find XSS vulnerabilities?

Well, to begin finding these vulnerabilities you can start by looking at blogs, forums, shoutboxes, comment boxes and search boxes; there are too many to mention.
Use "Google Dorks" to make the finding easier. OK, if you want to get started, go to google.com and search inurl:"search.php?q=". That is a typical page and has a lot of results. Also note that the majority of sites have XSS vulnerabilities; it just takes a good eye and some good knowledge of how to bypass their filtering.

Basics of XSS
Well, now let's begin learning some actual methods. The most commonly used XSS injection is:
alert(”The Hacker News”)
This will pop up an alert message saying "The Hacker News", without the quotes.
So, use "search.php?q=" and you can simply try the following on a website with the same issue:
http://website.com/search.php?q=alert(”Technoparadise.in”)
There is a good chance of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:

http://website.com/search.php?q=

If you see the bold text on the page and the newlines, then you know it's vulnerable.
Now, how to deface a website using XSS …
Enjoy


Here are two examples


This post is for educational purposes only. It does not relate to any hacking attempt on any website by anyone.

About Deepak
