Skip to main content

XSS(Cross Site Scripting) Part 1:


Hello Everyone,
Today I am going to share with you some basic methods of XSS attack.
XSS or Cross Site Scripting is a vulnerability found in web application. It is method by which malicious script is injected into the the websites .These type of attacks is made by injecting some code written in client side scripting code like Javascript or VBscript .And once the code is executed in the browser side it can be used to perform attacks like generating popups , cookie stealing and as well as website defacement.
XSS can be divided into 3 different category 

  • Non Persistent 
  • Persistent
  • DOM Based

In this tutorial I am going to discuss mainly on Non Persistent XSS attacks. The other techniques will be presented in separate tutorial.

CAUTION
"This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.Performing such attacks without the permission of the owner can lead to serious trouble.Most of the websites uses IDS to check the input sent by the user.Any malicious script if detected by these IDS coming from your IP then your IP will be logged and henceforth  blocked"



Prerequisites of this Tutorial:
  • Knowledge on PHP .
  • Knowledge on HTML & JavaScript.
  • Knowledge on Form Processing in HTML.

Non Persistent XSS
Non Persistent XSS attacks are caused due to improper filtering / no filtering of the input sent by the user.They generally does not cause much harm but they can be used to extract information stored in cookies and can be also used for many other purposes.


Scenario
This a simple web application that is developed using PHP and HTML. The working mechanism is simple. It asks for a user input and then displays the input  .

Now lets have a look at the HTML code.


Here we are using POST method to send the input information to the target page display.[hp which is written in PHP .Lets analyze the PHP code of display.php



Now we can see that there is no filtering of the input and and input is directly displayed.
Now I are going to inject some malicious code into the input

 Here is my malicious code which I am going to inject in the input field.
                 <script language="javascript">alert("You are hacked");</script>

 And here is what I get in the browser.


Now we see a popup. 
The reason why this popup executes is simple . When the injected code is passed ,the browser have no idea if its malicious or not,it just executes it just like a normal javascript code. Now when this code is executed we see this popup. Now you might have a question in your mind how this can be harmful . Well I will explain you it in later posts after I cover the remaining 2 types of XSS.
---------------------------------------------------------------------------------------------

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more