Just learned XSS but I don't think it's effective. Here is the tutorial.....
To test if the website is vulnerable to XSS we want to go to a search box and inject some Javascript. We've found a search box and now we want to use Javascript to alert a message so we can see if the Javascript was successfully executed.
<script>alert('XSS');</script>
We now see a pop up message on our screen saying "XSS". This is what it should look like: http://img845.imageshack.us/img845/7924/xss1.png
In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.
"><script>alert('XSS');</script>
Okay, we have found out that it is vulnerable. We can now move on.
How can I deface a webpage with XSS?
I will be showing you methods for persistent, and non-persistent XSS.
Persistent XSS.
First I will be starting with persistent XSS. Since it's persistent I want to redirect my victims to a deface page. We simply inject some more Javascript like we did before:
<script>window.location="http://yourdefacepage.com/index.html";</script>
Remember, you can always alter the code if it doesn't work.
You can do many things with XSS, you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.
Non-persistent XSS.
Okay. Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.
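The two test strings from the search-box check above, run against a constructed search-page template with and without output encoding. This is an added example, not part of the original post; `render`, `escapeHtml` and the other function names are hypothetical. It shows why the plain string runs in body text, why the `">` variant is what breaks an attribute, and that HTML-encoding the reflected term stops both.

```javascript
// Added example, not from the original post. All function names are hypothetical.
// The page template and probe list are constructed for illustration.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Reverse of escapeHtml, used only to check what a browser would read back.
function unescapeHtml(value) {
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(ENTITIES).find((k) => ENTITIES[k] === m));
}

// Search page: the term is reflected in an attribute value and in body text.
function render(term, encode) {
  const t = encode ? escapeHtml(term) : term;
  return '<input name="q" value="' + t + '"><p>Results for ' + t + '</p>';
}

// True when the value attribute no longer holds the whole term (attribute break-out).
function attributeBroken(html, term) {
  const m = html.match(/value="([^"]*)"/);
  return !m || unescapeHtml(m[1]) !== term;
}

// True when the body paragraph contains a raw script start tag.
function bodyHasScript(html) {
  return /<script\b/i.test(html.slice(html.indexOf('<p>')));
}

const PROBES = ["<script>alert('XSS');</script>", "\"><script>alert('XSS');</script>"];

// Compare the unencoded and encoded page for one reflected term.
function assess(term) {
  const raw = render(term, false);
  const enc = render(term, true);
  return {
    rawAttributeBroken: attributeBroken(raw, term),
    rawBodyScript: bodyHasScript(raw),
    encodedAttributeBroken: attributeBroken(enc, term),
    encodedBodyScript: bodyHasScript(enc),
  };
}

for (const p of PROBES) console.log(JSON.stringify(p), assess(p));
```

In the unencoded page the first string stays inside the quoted attribute but becomes a script element in the paragraph, while the second also ends the attribute early; in the encoded page both are read back as plain text.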