Sunday, 27 January 2013

XSS Attack

When I saw the comment posted by an Anonymous on my previous article, SQL Injection, I thought: yes, I should talk about another injection attack called the Cross Site Scripting attack, or XSS, or the HTML injection attack...! But I once again say that I'm not a hacker and I'm not responsible if someone misuses the contents of my blog.
Before coming to the topic, my words to the one who loves hacking: "Please note, no hacker says that he is a hacker and gives out the clues related to his works...!" Yes, it is concerned with that Anonymous, who described himself as a Grey Hat hacker.


Cross-site scripting (XSS), or markup injection, is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script (including ActiveX, Java, VBScript, Flash, or even HTML scripts) into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.


"Cross-site scripting (XSS), or markup injection, is an attack where the attacker inserts malicious client-side code into the targeted webpages."


Types of XSS attacks:

i. Non-persistent
The Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database and then permanently runs in the normal page.
Here is the example for XSS vulnerability.

ii. Persistent
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
As the persistent attack is very dangerous and against the cyber law of my nation, I can't give any examples for that..., SORRY





What a hacker can do...?


i. Thanks to Cross-Site Scripting vulnerabilities, a hacker can use this method to recover data exchanged between the user and the website concerned. The code injected in the web page can be used to display a form to fool the user and get him to enter authentication information, for example.

ii. Moreover, the injected script may redirect the user to a web page controlled by the hacker and possibly featuring the same graphic interface as the compromised site in order to fool the user.

iii. In such a context, the trust-based relationship that existed between the user and the website is fully compromised.
 

How to avoid...?

Users can protect themselves against XSS attacks by configuring their browsers to prevent the execution of script languages. In reality, this solution is often much too restrictive for the user since many sites refuse to run correctly when there is no possibility of dynamic code execution.

Note: Internet Explorer automatically blocks the execution of script languages.

The only viable solution for preventing Cross-Site Scripting attacks is to design non-vulnerable websites. To do so, the designer of a website should:

    * Verify the format of data entered by users;
    * Encode displayed user data by replacing special characters with their HTML equivalents.

The term "sanitation" refers to all actions that help make data entered by a user secure.
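
The two rules above, applied to a page that echoes a search term. This is an added example, not part of the original post; the function names, the allowed-character policy and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not from the original post. Names and policy are assumptions.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Rule 2: replace HTML special characters with their entity equivalents.
// A single pass avoids double-encoding the '&' produced by earlier replacements.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Rule 1: verify the format of the input.
// Assumed policy: 1 to 64 letters, digits, spaces or hyphens.
function isValidSearchTerm(value) {
  return typeof value === 'string' && /^[\p{L}\p{N} -]{1,64}$/u.test(value);
}

// Vulnerable: user data is concatenated into the markup unchanged.
function renderUnsafe(words) {
  return `<p>Results for: ${words}</p>`;
}

// Hardened: reject malformed input, and encode everything that is displayed,
// including the rejected value echoed back in the error message.
function renderSafe(words) {
  if (!isValidSearchTerm(words)) {
    return `<p>Invalid search term: ${escapeHtml(words)}</p>`;
  }
  return `<p>Results for: ${escapeHtml(words)}</p>`;
}

// Constructed sample inputs.
const SAMPLE_BENIGN = 'sushi rolls';
const SAMPLE_MARKUP = '<script>alert(1)</script>';

console.log(renderUnsafe(SAMPLE_MARKUP)); // markup reaches the page as-is
console.log(renderSafe(SAMPLE_MARKUP));   // markup is shown as text
console.log(renderSafe(SAMPLE_BENIGN));
```

The entity table covers text and quoted-attribute contexts only; data placed inside a script block, a URL or a style needs the encoding of that context.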

Here is a small example of an XSS vulnerability, as suggested by my friend; please do check it out...
and later, don't forget to remove the script after the ? symbol in the address bar and check out the real webpage...!

Quick Get Started to Exploit XSS Vulnerability for fun, as hacking is just a game to me and I'm not a hacker...!

Step 1: Finding Vulnerable Website:
  You can use a Google dork to find the target, or use the trial and error method:
   simply type inurl:.php?id= in Google.

Step 2: Testing Vulnerability in the Website:

Type i.

 Once we have found the input field, let us try to put some string inside the field; for instance, let me input an HTML tag like
 <img src="http://blog.twinbytes.ca/wp-content/uploads/2012/11/wordpress-hacked.jpg" />.
 If the image is displayed on the web page, then you can F**K it...!

 Type ii.
  The best way is to insert the client-side scripting code directly in the address bar...!

Step 3: Enjoy the visit:
So once you have found the vulnerability, you can insert cookie-stealing code to steal the session details of a victim visiting the site, or you can permanently redirect the clients to other websites, or you can also make the website unavailable by inserting an infinite alert loop on page load...!
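
Seen from the server side, the probes described in Step 2 arrive as query-string values that contain markup. The following added example (not part of the original post) flags such requests in access-log lines; the rule list, function names and sample request lines are constructed for illustration.

```javascript
// Added example, not from the original post: triage heuristic for access logs.
// Rule names, patterns and sample log lines are constructed for illustration.
const RULES = [
  { name: 'html-tag', re: /<\s*\/?\s*(script|img|body|html|iframe|svg)\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Decode a bounded number of times so double-encoded values are inspected too.
function fullyDecode(value, maxRounds = 3) {
  let current = value.replace(/\+/g, ' '); // '+' means space in a query string
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return current; // malformed escape: inspect what has been decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return one finding per (parameter, rule) match in the request's query string.
function inspectRequest(requestLine) {
  const match = /^[A-Z]+ (\S+)/.exec(requestLine);
  if (!match) return [];
  const query = match[1].split('?')[1] || '';
  const findings = [];
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue; // no value to inspect
    const decoded = fullyDecode(pair.slice(eq + 1));
    for (const { name, re } of RULES) {
      if (re.test(decoded)) findings.push({ param: pair.slice(0, eq), rule: name });
    }
  }
  return findings;
}

// Constructed request lines: benign, encoded once, encoded twice.
const SAMPLE_LOG = [
  'GET /search.php?q=sushi+rolls HTTP/1.1',
  'GET /search.php?q=%3Cimg%20src%3D%22x%22%3E HTTP/1.1',
  'GET /search.php?q=%253Cbody%2520onload%253D%2522x%2522%253E HTTP/1.1',
];
for (const line of SAMPLE_LOG) console.log(inspectRequest(line).length, line);
```

Pattern matching like this is for triage and alerting only; it produces false positives and does not replace encoding the output.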

"Never make use of someone's weakness.., be a cyber warrior by helping in resolving the Vulnerability..."

Never forget a true hacker always follows the rule of Anonymity on Web...!


6 comments:

  1. XSS is amazing dude...!
    Even I could play with it.... :)
    Yes hacking is fun love U...!

    1. I Love U 2 only if u use these things for good purpose...!
      Have a Good Day :)

  2. This post inspired me abt XSS and I'm sharing my beginner attack with u...,

    http://www.sushimonsters.com/review/search/index.php?cmd=search&words=%3Chtml%3E%3Cbody%20onload=%22alert%28%22I%27m%20fucked%22%29%22%3E%3Cimg%20src=%22http://cdn.memegenerator.net/instances/400x/23889688.jpg%22%20/%3E%3C/body%3E%3C/html%3E

    1. Here some more...!!!

      http://www.napfa.org/search/index.asp?F_KEYWORDS=%3Chtml%3E%3Cbody%20%3E%3Cimg%20src=%22http://rgh.cc/albums/userpics/10245/Asshole_art.jpg%22%20/%3E%3Cscript%3Efor%28i=1;i%3C100;i++%29%20alert%28%22Smells%20Fucking%20%22%20%29;%3C/script%3E%20%3C/body%3E%3C/html%3E

    2. Well Assy and Anonymous you did a great job...,
      Try all the other possibilities of XSS attack. Brush up the concepts of PHP, I'll be back with COOKIE STEAL.., shortly
