Blogger Widgets

Saturday, 19 October 2013

Cross Site Scripting (XSS) #XSS #Infosec #Vulnerability #Pentesting #Hacking #Website #Defacing



It is a vulnerability found in websites which allows an malicious attack/cracker to inject client-side scripts into the web pages. By using this vulnerability an attaker can deface a website, redirection attacks can be done and session cookie stealing is also possible by exploiting this vulnerability.
There are two types of XSS vulnerability found in web applications.
1. Non-persistent
2. Persistent

Non-persistent
Non-persistent type of XSS vulnerability is the most common one. Non-persistent XSS happens when a malicious HTML query is done by an attacker and that query is used immediately by the server-side to generate the page result.

Persistent
Persistent type of XSS vulnerability is a dangerous kind of vulnerability. This happens when a malicious HTML query is done by the attacker and that query is immediately saved by the server and is permanently displayed on the normal pages. 
In this tutorial we're going to learn how to deface a XSS vulnerable site via Non-persistent XSS vulnerability.

In order to find sites vulnerable to XSS use Google dorks. The most common Google dork used by attackers to exploit the XSS vulnerability is: inurl:search.php?q=

How to find if the website is XSS vulnerable or not. Example Website: "www.website.com/search.php?q="
Open the website, you will find a search box. in that search box type this code: <script>alert("XSS Detected !!")</script>

And click on search. If the site is vulnerable, you will get a Jquery box saying "XSS Detected", if you got that you can move forward to deface the website site. Now if you want just to display a simple message like
"H4CK3D", Enter the below HTML code and click on search. <h1><center><b>Hacked by RY44ND4V15</h1></center></b>

No comments:

Post a Comment