Hello There, Guest! Login Register
Logo
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


Simple Xss Tutorial For Newbies

  • 1 Vote(s) - 5 Average


12-31-2013, 10:19 PM #11
a_almisery Offline Junior Member **
Registered
Posts:22 Threads:0 Joined:Dec 2013 Reputation: 0
Mood: None
nice share bro .. keep up

01-10-2014, 02:43 AM #12
RYubaD Offline Always Learning **
Registered
Posts:1 Threads:0 Joined:Jan 2014 Reputation: 0
Mood: None
Nice post Smiley1

Learning.... Learning.... Learning....

07-05-2017, 02:23 AM #13
833M0L3 Offline Junior Member **
Registered
Posts:6 Threads:0 Joined:Jul 2017 Reputation: 0
Mood: None
(08-15-2013, 09:13 PM)Dr SniFF Wrote:  Hello MaDs!
This Is Introduction To XSS "Cross Site Scripting":



What is XSS?


Xss stands for Cross-site-Scripting and is a web hacking method where you inject

HTML or Javascript on the web-page. This attack can be done by submitting

queries into text boxes or simply in the URL. The result will be the website

reads your query and executes it. Xss is a very powerful method, it can be used

to steal someones cookies like you best friend, the Web-Administrator Or you
can use some

social-engineering to manipulate people to download a virus that you have

created. Such as a Botnet, RAT or even a keylogger. Xss can be a very powerful

attack method but can also be very mild. Most of the xss attacks are mild. You

can use an alert box to show that the site is vulnerable, you can do this to

show the admin that his site is vulnerable. I�m going to give you a few

examples of what xss can be used for and how powerful xss can be.


What is HTML?

HTML stands for Hypertext Markup Language, and is the main markup language in

websites. HTML is much like a programming language they are both languages,

that are used to create attributes and events. You can use HTML to create

forms, buttons, and other stuff that can be used in a web page. I highly doubt

you will ever encounter a website that does not contain even a slight amount of

HTML.


What is Javascript?First of all there is a HUGE difference between Javascript and Java. Java is a

programming language that are fairly similar to c++ and are used to create

games and applications. Javascript isn�t used nearly as much as HTML. It is

used more in applications outside of the website. Javascript can be an

incredibly useful language among with HTML and they are both two languages you

can�t get pass if you want to master XSS or hack websites.


Your first xss attack:

In this section i will teach you how to perform a XSS attack and how to find XSS

vulnerabilities. If you already know the basic of xss you can skip this part.

So where can you find xss vulnerabilities? They are found in search boxes,

url�s, signup forms etc. Basically in every text area where you can input

something.I will use this site as an example: http://www.leksikon.org/ .On the site
you can see a

search box, and that is where you are going to make your first xss attack.So

lets take the most used basic query of all time and paste it in the search box.

Code:
 

<script>alert("xss")</script>

 Normal
 0
 
 
 
 
 false
 false
 false
 
 EN-US
 X-NONE
 AR-SA
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0in;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
That little script is HTML and will basically make an alert box saying xss. If you

get a pop up box saying �xss�, you have successfully performed your first xss

attack. You can make it saying something else by simply editing the part that

says �xss�. ex.

Code:
 

<script>alert(�you text goes

here�)</script>

 Normal
 0
 
 
 
 
 false
 false
 false
 
 EN-US
 X-NONE
 AR-SA
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0in;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
But what if nothing happens? Don't worry that just means that the website have

taken some time to put a filter on it. That means they have installed a filter

that checks for malicious (dangerous) content, like HTML and Javascript. It

will therefore block the script and preventing it from executing. But

fortunately there are methods to bypass the filter. We can do that by

encrypting the script. We will be using a little function called

�String.FromCharCode�. It will encrypt the script into ASCII. An example of

this could be:

Code:
 

<script>alert(String.fromCharCode(88,83,83))</script>

 Normal
 0
 
 
 
 
 false
 false
 false
 
 EN-US
 X-NONE
 AR-SA
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0in;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
That

script is doing the exactly same thing as this script:

Code:
<script>alert(�xss�)</script>



Hope You Find It Useful.









09-18-2017, 02:40 PM #14
Dr.Goatse Offline Junior Member **
Registered
Posts:15 Threads:2 Joined:Jul 2017 Reputation: 0
Mood: Stoned
if you click this won't edit






Forum Jump:


Users browsing this thread:1 Guest(s)