
can i deface a site by xss


ghost's Avatar
0 0

I found a site which has an XSS hole… I can pass the message with a JS script: <script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>xaxaxa</h1></div>";</script>

OK… but is there JS code to deface the site, i.e. can I pass the message "xaxaxa" into the site through XSS so that every time I view the site the message "xaxaxa" is there? Or is XSS only for cookie stealing? Any help? :D


Mr_Cheese's Avatar
0 1

If it's a guestbook-style site where you can add your input to the page, then it can cause a defacement.

If it's a GET variable you're "exploiting", then obviously it only applies to that page load.

May I suggest you start learning how websites work, i.e. HTML, forms, POST/GET, databases etc., before you start exploiting.

XSS is a lot more powerful than cookie stealing.

And please note HBH does not condone, support, or encourage defacing of innocent websites. If you are caught, or end up asking for help for this, not only will people not help you, but your account will get banned too.


ghost's Avatar
0 0

You could include a script from another source. There are tons of things you can do with XSS. There are XSS shells, XSS tunneling, cookie stealing, but if you just want to deface the site then include a picture or something like that to cover the whole front page.


Futility's Avatar
:(
80 120

Cross site scripting can be used for tons of different things. Yes, you can deface a site using it, but you'd need to find a way to have the code saved directly to the site. A forum that doesn't filter HTML when people post is a pretty good example. Finding a vulnerability in a search box won't cut it, which is why phishing and cookie stealing are more popular. Craft a specific URL for the target and send it over.


ghost's Avatar
0 0

It's a search box… I know some things about XSS, JS etc… but I don't know if I can deface the site through XSS…


Futility's Avatar
:(
80 120

dovis wrote: It's a search box… I know some things about XSS, JS etc… but I don't know if I can deface the site through XSS…

If it's a search box, then you're either exploiting a GET or POST variable, which means it's not permanent. Which also means you can't deface it because the data isn't saved anywhere. Why are you so intent on defacing sites anyway? If you've got an XSS hole, there are tons of more useful things that can be done.


ghost's Avatar
0 0

Using the code above I deface the site, but when I reload the site without the script I didn't see the message… I want the message to remain in the site… :@


ghost's Avatar
0 0

It's the GET… what else can I do? I want to show in the site that there is an XSS hole. Any help?


yours31f's Avatar
Retired
10 0

Have you tried e-mailing the webmaster to let him know?


Mr_Cheese's Avatar
0 1

xssed.com

You can submit XSS URLs.

As quoted on their website: Once the mirror has been validated and published, you should contact the webmasters of the affected web site and help them to fix the flaw.


Futility's Avatar
:(
80 120

dovis wrote: It's the GET… what else can I do? I want to show in the site that there is an XSS hole. Any help?

Alright. That's enough of this. I thought we were clear. In order for the XSS (and the 'defacement') to be permanent, data needs to be saved to the page. Search boxes don't save anything to the page, so there is no way for you to deface it. A GET variable, as previously stated, can be used to phish, steal cookies, and a slew of other target-based attacks. You would need to get the target to click on your maliciously crafted URL in order for it to work because nothing is being saved to the site.

Oh, and I don't think he's looking to tell the webmaster about it. All he wants is the 'fame' that comes along with taking down a site.

[EDIT] I don't even bother submitting things to xssed.com anymore. By the time they check them, I've already contacted the webmaster and helped him fix the problem.
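
The distinction drawn in the post above (input echoed from a GET variable versus input saved to the page), as an added example that is not part of the original thread. `DemoSite`, its methods and the probe string are hypothetical and constructed for illustration; the second run shows the output encoding that closes both sinks.

```python
import html

# Constructed probe: harmless markup, used only to see whether input is encoded.
PROBE = '<b id="probe">xaxaxa</b>'


class DemoSite:
    """Hypothetical site: a search page (reflected sink) and a guestbook (stored sink)."""

    def __init__(self, escape_output):
        self.escape_output = escape_output
        self.guestbook = []  # persisted server-side, rendered for every visitor

    def _out(self, text):
        # The fix for both sinks: HTML-encode untrusted data when writing it out.
        return html.escape(text, quote=True) if self.escape_output else text

    def search(self, q=""):
        # Reflected: q is echoed into this one response and never saved.
        return f"<h1>Results for {self._out(q)}</h1>"

    def sign_guestbook(self, message):
        self.guestbook.append(message)  # stored: survives the request

    def view_guestbook(self):
        items = "".join(f"<li>{self._out(m)}</li>" for m in self.guestbook)
        return f"<ul>{items}</ul>"


def compare(escape_output):
    """Report where the raw probe markup ends up in the rendered pages."""
    site = DemoSite(escape_output)
    crafted = site.search(PROBE)     # the one request that carries the input
    normal = site.search("kittens")  # any other visitor's request
    site.sign_guestbook(PROBE)
    later = site.view_guestbook()    # a different visitor, later on
    return {
        "reflected_in_crafted_request": PROBE in crafted,
        "reflected_in_other_requests": PROBE in normal,
        "stored_shown_to_everyone": PROBE in later,
    }


if __name__ == "__main__":
    print("unescaped:", compare(False))
    print("escaped:  ", compare(True))
```

With encoding on, the probe is rendered as text (`&lt;b id=&quot;probe&quot;&gt;…`) in both the search page and the guestbook.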


ghost's Avatar
0 0

Thanks a lot for the help… I found a xssshell and I'll try to work with it and post the results… thanks for the advice… :D


yours31f's Avatar
Retired
10 0

I give him three days till a warn/ban.


ghost's Avatar
0 0

yours31f wrote: I give him three days till a warn/ban.

You're working on one if you don't start being useful again (short-lived as that was).


Uber0n's Avatar
Member
0 0

Futility wrote: I don't even bother submitting things to xssed.com anymore. By the time they check them, I've already contacted the webmaster and helped him fix the problem.

Yeah, what are Kevin and Dimitris up to? :right: I sure miss the good old 'submit and it gets verified within a day'-style ^^


yours31f's Avatar
Retired
10 0

I got to a point where I wondered if the site was even operational. I submitted about 5-6 sites and none were ever accepted. So, I just quit going.