Navigation



Cross Site Scripting (XSS)

Last updated: July 11, 2010 | 14,927 views

Cross Site Scripting, or know as XSS, is the most common basic web hacking technique… and harmless, as many would say… but on this matter I don’t really agree, that’s why I wrote this article.

About
XSS as I knew it is a very abstract definition for JavaScript injection, or at least this is what I have thought until reading RSnake’s website [speak about it a bit later]…
In fact XSS is more than JavaScript injection, because we can modify a page entire structure through XSS, not only create some actions…
In a small definition: XSS=JavaScript+HTML

The Call Of Javascript
Even if XSS is more than just JavaScript, you will have to basically have some JavaScript knowledge before you can feel the real taste of cross site scripting. For the ones who don’t know JavaScript I recommend them http://www.javascript.com… After learning the basics of this wonderful scripting language, you will be ready to go…

Info: did I mention that Java script was developed by Netscape, and at the beginnings had the name LiteScript?

Posibilities
With XSS you can do “extreme” stuff.. let me explain you in a small amount of words what you can do…. the most simple thing is to redirect the current page to one you like… an illustrative example:

Also you could do something like popping up the cookie:

And if you know a little php you could create a page that save’s data received via get and stores them in a file/database…

Also there are more possibilities with XSS, you just need some creativity…

More XSS
I have found a website where I have learned much about XSS… there is also a little script which encodes the normal text to ASCII, hex, decimal and Base64… also the different types of attacks are shown on which browsers there are available… check out Rsnake’s page on XSS: ha.ckers.org/xss.html

Also a great XSS database can be found at: securityfocus

Share1
Tweet
Share
Buffer
WhatsApp
Email
1 Shares
Posted in: Hacking News, Web Hacking

, , , , ,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
November 6, 2020 - 130 Shares
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
November 3, 2020 - 178 Shares
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
October 22, 2020 - 74 Shares
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
October 13, 2020 - 106 Shares
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
October 7, 2020 - 86 Shares
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
September 24, 2020 - 130 Shares


4 Responses to Cross Site Scripting (XSS)

  1. RSnake June 22, 2006 at 3:23 pm #

    Very cool, backbone! This is a good introductory guide to what XSS is. The XSS Cheat Sheet is really not designed for the novice, so this is a good primer before looking at my page. Thanks for the link!

    RSnake

  2. Chris Jackson June 22, 2006 at 4:20 pm #

    Also check out http://www.youfucktard.com/blog/. This is an excelent source for examples…

  3. Gouki June 22, 2006 at 4:40 pm #

    Nice post (-;

  4. backbone June 23, 2006 at 12:32 pm #

    thanks guys… this article was ment to be an introduction to XSS, and not anything else…