Hey everyone, I hope you are all doing well. In this article, we will discuss what cross site scripting is and how websites get hacked using it! If you are very new to website hacking, I recommend you first read this awesome "HTML Injection" article here: https://bepractical.tech/website-hacking-with-html/

So let’s begin our journey to become a pro!

INTRODUCTION


Let's first understand what cross site scripting is!

According to OWASP, cross site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. You can read more about it here: https://owasp.org/www-community/attacks/xss/

Now let us understand this in simple terms. Cross site scripting is a web hacking technique that lets an attacker embed their own JavaScript code into a webpage. Now you might be thinking: what can we do by embedding JavaScript code in a webpage? Well, you can do a whole lot of damage to a website if it is vulnerable (weak) to cross site scripting. Basically, JavaScript is every website's soul: it can be used to modify or control any part of a page.

Still didn't understand what cross site scripting can do? If yes, then I've got you, buddy!

Let's take an example. Suppose you have created an e-commerce website for your start-up business. Users can log in, sign up, buy stuff, add items to their cart, etc. Now an attacker finds out that your site is vulnerable to cross site scripting and embeds this small piece of JavaScript in the website:

<script>document.location.href="https://evil.com"</script>

Now anyone who tries to visit your website will automatically be redirected to https://evil.com! That's crazy, right? The attacker can basically do whatever he/she wants with your users. (THEY CAN EVEN HACK THEIR ACCOUNTS TOO!!)

I think now you can see the impact of cross site scripting! Let's jump to the next section of the article.

WHERE TO LOOK FOR CROSS SITE SCRIPTING?

Any place where the website accepts input from the user and then renders it somewhere may be vulnerable to cross site scripting. For example:

-> Any input fields like Username, Password, Login, Signup, Comments etc.

-> GET parameters like https://test.com/?movies=batman etc

-> Headers

etc

We’ll understand this with more clarity in the next section of this article.

HOW SHOULD I FIND IT?

We are going to follow the steps below:

1- Find any input fields in the website.

2- We will try to provide JavaScript code over there (like <script>alert("Hacked")</script>).

3- If we see an alert pop up, then we have found a cross site scripting vulnerability!

4- If not, then try with other inputs. Never give up!!

PRACTICAL DEMONSTRATION

Finally, we are ready to see a practical example of cross site scripting! Let’s visit this website: http://testphp.vulnweb.com

As we can see, there is a search functionality with an input field. Great! Now let us try searching for something, for example Faiyaz.

Cool! Faiyaz is getting reflected back to us. We can safely assume that this website takes our input and reflects it back on the webpage. Now, let's try passing <script>alert(1)</script> as the search value.


As you can see, we successfully got an alert(1) pop-up!!! This means that this site is vulnerable to cross site scripting.
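To see why the reflection in the demo above is dangerous, and what the server should have done instead, here is an added example (not code from the original post, and not the source of testphp.vulnweb.com). It models a hypothetical search page in Node.js: the vulnerable version concatenates the search term straight into the HTML, the fixed version HTML-escapes it first, and a small check shows that the demo's alert(1) payload survives only in the vulnerable one.

```javascript
// Added example: a minimal model of a reflected search page.
// Hypothetical code, not the real site's source.

// Escape the five characters that matter inside HTML text and attributes.
// Ampersand goes first so already-escaped sequences are not double-broken.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the search term is dropped straight into the page, so
// <script>alert(1)</script> becomes real markup that the browser executes.
function renderSearchUnsafe(query) {
  return `<h2>Results for ${query}</h2>`;
}

// Fixed: the same page, but the term is HTML-escaped before it is reflected.
// The browser now shows the literal text instead of running it.
function renderSearchSafe(query) {
  return `<h2>Results for ${escapeHtml(query)}</h2>`;
}

// Crude self-test for the exact symptom the demo looks for: an unescaped
// <script> tag in the reflected output. A quick check, not a full HTML parser.
function reflectsRawScript(html) {
  return /<script[\s>]/i.test(html);
}

// The probe is the same test payload the demo typed into the search box.
const probe = "<script>alert(1)</script>";

console.log(renderSearchUnsafe(probe));  // script tag reaches the browser intact
console.log(renderSearchSafe(probe));    // rendered as harmless text
console.log(reflectsRawScript(renderSearchUnsafe(probe))); // true
console.log(reflectsRawScript(renderSearchSafe(probe)));   // false
```

Escaping at the output point is the fix for this reflected case; the same rule applies to every other place the site echoes user input, including the comment fields, GET parameters and headers listed earlier.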

CROSS SITE SCRIPTING IN REAL WORLD

https://faiyazhacks.medium.com/story-of-an-encoded-xss-e83c7ea9e02

https://faiyazhacks.medium.com/how-i-found-xss-in-private-program-9cedcc7a84a