XSS attacks: a practical example
Monday, 1 October 2007
I’ve been talking with Hackathology and he was having trouble understanding the context of certain XSS attacks, so I decided to write him a quick PHP document which creates vulnerable variables and examples. The document has links which perform the injections on itself. I didn’t have IE handy to test, so forgive me if the IE examples don’t quite work, but hopefully they should.
So if you’re looking to learn how to protect your site against XSS, or want to know how to perform pen testing, then please download and run the document on a local testing server. Please don’t run it on a live site, because it obviously contains security holes. Note that this document is intended for people who are learning, so any hardcore hackers will probably not find anything of interest.
Hope it helps; download the document here:
XSS demos
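To make the idea behind the demo document concrete, here is an added example (written for this page, not the downloadable document or any code of the author's). It contrasts the pattern such a demo is built around, a request parameter echoed straight into the page, with the same parameter passed through context-specific output encoding. The function names and the sample input are constructed for this example; the probe string is the one a commenter below tried against this post.

```php
<?php
// Added example, not the demo document from the post. It contrasts the
// vulnerable pattern (echoing a request parameter unchanged into HTML)
// with context-specific output encoding of the same value.

declare(strict_types=1);

// Vulnerable: untrusted input is concatenated into HTML unchanged, so any
// markup in $name becomes part of the page. A quote followed by a tag
// closes the attribute and starts a new element.
function render_vulnerable(string $name): string
{
    return "<p>Hello $name</p>\n"
         . "<input type=\"text\" name=\"name\" value=\"$name\">\n";
}

// Hardened: encode for the HTML text/attribute context, and emit a JS
// string literal for the script context. ENT_QUOTES also encodes single
// quotes, so the value is safe in single-quoted attributes too; the
// JSON_HEX_* flags keep <, >, &, ' and " out of the inline script.
function render_safe(string $name): string
{
    $html = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $js   = json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<p>Hello $html</p>\n"
         . "<input type=\"text\" name=\"name\" value=\"$html\">\n"
         . "<script>var user = $js;</script>\n";
}

// Constructed sample input, so the script also runs from the command line.
// Served by a web server, the value comes from the query string instead.
$sample = '"><script>alert("hi")</script>';
$name   = PHP_SAPI === 'cli' ? $sample : (string) ($_GET['name'] ?? 'guest');

if (PHP_SAPI !== 'cli') {
    // Declaring the charset stops browsers guessing an encoding in which
    // the encoded output could be reinterpreted.
    header('Content-Type: text/html; charset=UTF-8');
}

echo "<!-- vulnerable -->\n", render_vulnerable($name);
echo "<!-- hardened -->\n",   render_safe($name);
```

Run it with `php xss_contexts.php` to see both renderings side by side, or serve it with `php -S localhost:8080` and pass `?name=...` to reproduce the behaviour in a browser. The point the demo document makes is visible in the output: in the vulnerable block the probe closes the `value` attribute and adds a script element, while in the hardened block the same characters come out as `&quot;&gt;&lt;script&gt;` and `\u003C`, which the browser displays rather than executes. Encoding has to match the context it is written into; the HTML encoding alone would not be enough inside the `<script>` block, which is why that line uses `json_encode`.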
No. 1 — October 1st, 2007 at 8:27 pm
Thanks for this, it really helped me understand better the vectors for the strange examples.
No. 2 — October 1st, 2007 at 9:51 pm
Hi!
Nice one! Just to mention, Kishor once created the XSS in eXceSS tool, which is also great for learning. Maybe you’d like to take a look here:
http://h4k.in/xssinexcess
Greetings,
.mario
No. 3 — October 1st, 2007 at 10:23 pm
@Joshua
No problem, I’m glad I helped 🙂 I might do another example soon with some more advanced stuff, so stay tuned.
@Mario
Excellent link, thanks.
No. 4 — October 2nd, 2007 at 8:56 pm
@Gareth:
Gareth, as always, comes up with another interesting, yet simple post. hehe 🙂
@.Mario:
Thanks for the link.
BTW, is there any story behind the handle .mario? 😉
No. 5 — March 18th, 2008 at 4:11 pm
<META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css>; REL=stylesheet”>
No. 6 — March 18th, 2008 at 4:24 pm
What’s the point? sigh
No. 7 — March 19th, 2008 at 5:29 am
“<META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css>; REL=stylesheet”>”
LOL
No. 8 — June 18th, 2008 at 5:00 pm
May I ask, how do I make this document work?
No. 9 — June 18th, 2008 at 5:45 pm
@lakye
You need PHP and a web server; you can use IIS on Windows or XAMPP [1].
On the Mac it comes built in with Apache and PHP, but there’s a nice app that lets you run it from the Applications folder called MAMP [2].
http://www.apachefriends.org/en/xampp.html [1]
http://www.mamp.info/en/mamp.html [2]
Once you have those installed, the examples should work when you copy the files into the web document root.
No. 10 — April 6th, 2009 at 7:53 am
<script>alert(“hi”)</script>
No. 11 — April 6th, 2009 at 7:53 am
“><script>alert(“hi”)</script>
No. 12 — April 6th, 2009 at 8:11 am
@assa
Hi your IP is 76.254.28.97
No. 13 — December 15th, 2009 at 5:03 am
Why do you tell assa the IP address? Is she trying to take down the site?
No. 14 — June 16th, 2010 at 6:31 pm
Sorry, it’s irresistible. 🙂
<img src=”alert(‘Hello’); />
No. 15 — June 16th, 2010 at 6:34 pm
@Nayan
Hehe, you could at least try something more recent 😛