Cross Site Scripting Attack (With Live Example)

I had done a lot of internet searching on XSS attacks and how they are done. There are plenty of articles and websites which give detailed explanations of XSS attacks, but I found two problems with the majority of the articles: first, they are too technical, and second, they lack live examples. I may be able to understand the concept, but where will I test it? I don't want to test it on live websites owned by somebody else. I don't want to get in trouble by carrying out XSS attacks on websites for learning.

So I decided to write an article on XSS attacks with a live example, where readers can test it without any fear.

Cross-site scripting, or XSS, is a classic web hacking technique which is very simple to execute and effective enough to create problems for webmasters and users.

Cross-site scripting is a vulnerability found in web applications or websites which allows a user to input malicious code into web pages viewed by others. This malicious code can be HTML code or client-side scripting code.


I just said that XSS is a method of inputting malicious code into web pages which are viewed by others. I would like to expand this statement with an example. Let us consider a web page where a user can input a comment, for example YouTube or a blog post. Here the user is given an input (a comment box) and the comment is saved in that web page, so anyone who views the page can see it. How does it work? In simple words, the input we give is stored somewhere and then retrieved and shown in that web page. The storage mechanism is called a database. This is how you see comments by yourself and others on that web page. So the function is simple: whatever you enter is stored and then retrieved and shown. This is the basic concept of a dynamic page.

Then I mentioned client-side scripting languages. What are these? The best example is JavaScript. A typical web application uses two kinds of code: server-side scripting and client-side scripting. In simple words, server-side code runs on the web server and client-side code runs on the client side, in the browser. As we said, when we input a comment it gets stored in the database. This is done by server-side code; an example is PHP. PHP collects the user input and then stores it in a database. This happens at the web server end, so it is called server-side scripting. You may also have seen an alert box appear after successfully submitting a comment. This alert box is typically produced by client-side code (which runs on the client system), e.g. JavaScript.

What happens if I input scripting code instead of a normal comment? What happens if that code is client-side scripting code? The code I have inputted gets stored in the database and displayed along with the other comments. Since I have entered client-side scripting code, whenever a user views this page the code is executed on the client side. This is a cross-site scripting attack.

For example, in the comment field I insert a JavaScript snippet which shows an alert box. This script gets stored in the database and in that page. This is a malicious code insertion. Whenever a user visits this page, the code is executed and an alert is shown to the user.

You may wonder what the danger is in showing an alert. I only described code which shows an alert. What if I insert code which can steal user cookies? Since this code is executed on the client side when a user visits the page, their cookies are stolen. Also, if the inputted code performs a redirection, users who visit the page are automatically redirected to the pages defined in the code. This creates problems and danger.

Cross-site scripting attacks make up a large proportion of website attacks compared to other hacking techniques. The main reason is that the attack is very simple to execute and a lot of websites have this vulnerability.

Now the second thing I promised: a live example, or a platform to test and understand XSS attacks.
For this I have created a simple web page which works as described above. It has two pages: one is for inputting data and the other shows the data inputted by different users.














On the first page, users can input a name, phone number and comment. When you click save, it takes you to another page which shows all the inputs from all the users. Now I am going to execute a simple XSS attack.

In the comment field, I am inserting a JavaScript snippet instead of a comment.

<script>  alert("You Have Been Hacked.Get Out Of here!"); </script>

This script shows an alert box when executed. Since my website is vulnerable to XSS, when I click save this script gets saved in my database. When someone visits my second page (which shows all the inputted data), the script is also fetched from the database and displayed along with the rest. That means that after the script is inserted, a user who visits my second page is shown an alert: "You have been hacked. Get out of here". I have successfully executed an XSS attack.





















You can also try the XSS attack yourself and understand how it happens.

Here is the link.
http://opentech4u.0fees.net/index.php
http://opentech4u.0fees.net/show.php (2nd page)


Please delete your data after you are done. The link is available on the first page.


Preventing XSS Attack.

Preventing this attack is as simple as executing it. Web programmers have to implement input validation on each field. For example, programmers can validate the input from the comment field. If the input contains special characters, such as <script> or other HTML tags, they can either reject the input or modify it before saving it into the database. You can also use website vulnerability scanners, which scan your web application fully for XSS and SQL injection vulnerabilities. These tools show the details of the vulnerabilities found on your web pages and the remedies for them.
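
The store-then-show flow described earlier and the two defences named above (reject or modify), as an added example that is not the code behind the demo pages. It is a constructed in-memory model in JavaScript (Node.js); the function names, the 500-character limit and the choice to apply the "modify" step when the page is rendered are assumptions of this example.

```javascript
// Added example (constructed): an in-memory stand-in for the two-page demo.
const comments = []; // plays the role of the database

// Characters that let stored text be parsed as HTML markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Option 1 from the text: reject input that contains tag characters.
// The 500-character limit is an assumed value for this example.
function validateComment(text) {
  return typeof text === 'string' && text.length > 0 && text.length <= 500 && !/[<>]/.test(text);
}

// First page: the save handler stores whatever it is given.
function saveComment(name, comment) {
  comments.push({ name, comment });
}

// Second page, vulnerable: stored text is concatenated straight into HTML.
function renderVulnerable() {
  return comments.map((c) => `<p><b>${c.name}</b>: ${c.comment}</p>`).join('\n');
}

// Second page, hardened (option 2): every stored value is encoded on output.
function renderHardened() {
  return comments
    .map((c) => `<p><b>${escapeHtml(c.name)}</b>: ${escapeHtml(c.comment)}</p>`)
    .join('\n');
}

// Constructed sample input: an ordinary comment and the page's alert script.
const payload = '<script>  alert("You Have Been Hacked.Get Out Of here!"); </script>';
saveComment('visitor', 'Nice article');
saveComment('tester', payload);

console.log(renderVulnerable());       // script element reaches the browser as markup
console.log(renderHardened());         // same text arrives as inert, visible characters
console.log(validateComment(payload)); // the validation option refuses this input
```

Encoding at output time keeps the original text in the database and protects every page that displays it, including data saved before the check existed.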


Thank you. Enjoy hacking.