When I saw the comment posted by an Anonymous on my previous article SQL Injection, I thought, yes, I should talk about another injection attack called the Cross Site Scripting attack, or XSS, or the HTML Injection attack...! But I once again say that I'm not a hacker and I'm not responsible if someone misuses the contents of my blog. Before coming to the topic, my words to the one who loves hacking: "Please note, no hacker says that he is a hacker and gives out the clues related to his works...!" Yes, it is concerned with that Anonymous, who described himself as a Grey Hat hacker.
Cross-site scripting (XSS), or markup injection, is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script (including ActiveX, Java, VBScript, Flash, or even HTML scripts) into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.
Types of XSS attacks:
The Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database and is then run permanently as part of the normal page.
Here is the example for XSS Vulnerability.
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
As the Persistent attack is very dangerous and against the cyber law of my nation, I can't give any examples of it... SORRY.
What a hacker can do...?
i. Thanks to Cross-Site Scripting vulnerabilities, a hacker can use this method to recover data exchanged between the user and the website concerned. The code injected in the web page can be used to display a form to fool the user and get him to enter authentication information, for example.
ii. Moreover, the injected script may redirect the user to a web page controlled by the hacker and possibly featuring the same graphic interface as the compromised site in order to fool the user.
iii. In such a context, the trust-based relationship that existed between the user and the website is fully compromised.
How to avoid...?
Users can protect themselves against XSS attacks by configuring their browsers to prevent the execution of script languages. In reality, this solution is often much too restrictive for the user since many sites refuse to run correctly when there is no possibility of dynamic code execution.
Note: Internet Explorer automatically blocks the execution of script languages.
The only viable solution for preventing Cross-Site Scripting attacks is to design non-vulnerable websites. To do so, the designer of a website should:
* Verify the format of data entered by users;
* Encode displayed user data by replacing special characters with their HTML equivalents.
The term "sanitation" refers to all actions that help make data entered by a user secure.
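The two rules above, shown as an added example (not code from this blog): the same comment is rendered once without encoding and once with it, and an "id" parameter is checked against a fixed format. The function names, the sample comment and the assumed digits-only format for "id" are made up for illustration.

```python
import html
import re

# Constructed sample input: markup submitted where plain text is expected.
SAMPLE_COMMENT = '<img src="http://example.invalid/x.jpg" />'

# Assumed format for the "id" parameter: 1 to 9 ASCII digits.
# [0-9] is used instead of \d because \d also accepts non-ASCII digits.
ID_FORMAT = re.compile(r"[0-9]{1,9}")


def render_comment_vulnerable(comment: str) -> str:
    """User data goes into the page as-is, so the browser parses it as markup."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_encoded(comment: str) -> str:
    """Special characters are replaced with their HTML equivalents first.

    html.escape covers element content and quoted attribute values; data
    placed inside <script> blocks or URLs needs encoding for that context.
    """
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def id_is_valid(raw: str) -> bool:
    """Verify the format of the value. fullmatch() must cover the whole
    string, so a trailing newline or extra characters are rejected."""
    return ID_FORMAT.fullmatch(raw) is not None


def render_item_page(raw_id: str, comment: str) -> str:
    """Apply both rules: reject a badly formatted id, encode what is displayed."""
    if not id_is_valid(raw_id):
        raise ValueError("id must be 1 to 9 decimal digits")
    return "<h1>Item %d</h1>%s" % (int(raw_id), render_comment_encoded(comment))


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))  # tag reaches the browser
    print(render_comment_encoded(SAMPLE_COMMENT))     # shown as harmless text
    print(render_item_page("42", SAMPLE_COMMENT))
```

Encoding at display time is what also covers the stored case, because the data is made safe every time it is written into a page, no matter how it got into the database.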
Here is a small example of an XSS vulnerability, as suggested by my friend; please do check it out....
and later don't forget to remove the script after the ? symbol in the address bar and check out the real webpage...!
Quick Get Started to Exploit XSS Vulnerability for fun, as hacking is just a game to me and I'm not a hacker...!
Step 1: Finding Vulnerable Website:
You can use a Google Dork to find the target, or you can use the trial and error method;
simply type inurl:.php?id= in Google.
Step 2 : Testing Vulnerability in the Website:
Once we have found the input field, let us try to put some string inside the field; for instance, let me input an HTML tag like,
<img src="http://blog.twinbytes.ca/wp-content/uploads/2012/11/wordpress-hacked.jpg" />.
If it displays the image on the web page then you can F**K it...!
The best way is to insert the client-side scripting code directly in the address bar...!
Step 3 : Enjoy the visit:
So once you have found the vulnerability you can insert cookie-stealing code to steal the session details of a victim visiting the site, or you can permanently redirect the clients to other websites, or you can also make the website unavailable by inserting an infinite alert loop on the page load...!
"Never make use of someone's weakness.., be a cyber warrior by helping in resolving the Vulnerability..."
Never forget, a true hacker always follows the rule of Anonymity on the Web...!