Cross site scripting a new way for website hacking

I hope you have already heard about Cross Site Scripting known as XSS. Just go through this first . I have focussed on finding  an XSS hole and bypssing a filter.
XSS is a web application vulnerability  that occurs due to improper or no filteration of user's input . It enables the malicious attackers to inject client-side script into web pages. This is not something with which you are gonna deface a website or break in admin panel. This bug can be dangerous for users if found on any online forms . Basically you can do mainly two things that are stealing user sessions and injecting iframes. Actually this bug is basically exploited to harm the visitors rather than administrators.Okay Lets learn the approach to find XSS bugs.

You might have tried finding an XSS hole by inserting a script like this <script>alert('XSS')</script> in Search fields and hoping for a box to popup saying XSS. But its not always the way to find a XSS bug.

This example will make you everything clear.

Okay,  go to this URL

Lets Replace 'Overview' with any keyword . Say 'test' and hit enter

Now check the source code of page and search for keyword 'test' by using Ctrl+F and we can find that in the code.

 Carefully, see where it got inserted in the source code

<title>Chitkara Educational Trust > test</title>

Now lets replace the 'test' with  </title><h1>XSS</h1> and see what happens

Note- <h1> It is the html heading tag </h1></title><h1>XSS</h1>
We can see the keyword 'XSS' displayed on the webpage.

Lets again see the page source

We entered </title> to complete the title  tag ( <title>) and <h1>XSS</h1> is the actually html tag we wanted to see on the page.

 I hope it was a simple part and is clear to you.

Now Lets try to execute a javascript code <script>alert('XSS')</script>. A popup message box saying XSS should appear on the webpage.
Lets go to this URL</title><script>alert('XSS')</script>

But Nothing Happens !!!

Now check the source code again

See the slashes ( \ ) automatically inserted before the single quotes ( ' ) ,we entered.  Obviously,due to this our code didn't execute.This is a kind of filter that we need to bypass . 

Here we will be using a javascript built in function called String.FromCharCode() that is used to encode/decode strings. Now both these codes
<script>alert('XSS')</script> and <script>alert(String.fromCharCode(88, 83, 83))</script>
has the same function but we can see that THERE ARE NO QUOTES IN SECOND CODE.

Note: 88 and 83 are ASCII values for X and S respectively.  Visit this for more.

Finally, try this</title><script>alert(String.fromCharCode(88, 83, 83))</script> 

Yes, it worked.

So finally we have managed to execute a javascript :)
Cross site scripting a new way for website hacking Cross site scripting a new way for website hacking Reviewed by Aditya Joshi on 17:58:00 Rating: 5

No comments:

Share your problems but don't spam here

Powered by Blogger.