XSS attacks a practical example

I’ve been talking with Hackathology and he was having trouble understand the context of certain XSS attacks, so I decided to write him a quick PHP document which creates vulnerable variables and examples. The document has links which perform the injections on itself, I didn’t have IE handy to test so forgive me if the IE examples don’t quite work but hopefully they should.

So if you’re looking to learn how to protect your site against XSS or want to know how to perform pen testing then please download and run the document on a local testing server. Please don’t run it on a live site because it obviously contains security holes. Note this document was intended for people learning, so any hardcore hackers will probably not find anything of interest.

Hope it helps, download the document here:-
XSS demos

15 Responses to “XSS attacks a practical example”

  1. Joshua Grainger writes:

    Thanks for this, it really helped me understand better the vectors for the strange examples.

  2. .mario writes:

    Hi!

    Nice one! Just to mention – Kishor once created the XSS in eXceSS tool which is also great for learning. Maybe you like to take a look here:

    http://h4k.in/xssinexcess

    Greetings,
    .mario

  3. Gareth Heyes writes:

    @Joshua

    No problem I’m glad I helped 🙂 I might do another example soon with some more advanced stuff so stay tuned.

    @Mario

    Excellent link thanks

  4. Bipin 3~ Upadhyay writes:

    @Gareth:
    Gareth, as always, comes up with another interesting, yet simple post. hehe 🙂

    @.Mario:
    Thanks for the link.
    BTW, is there any story behind the handle <b>.mario</b>? 😉

  5. ";alert('XSS');// writes:

    <META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css&gt;; REL=stylesheet”>

  6. Gareth Heyes writes:

    What’s the point? sigh

  7. fragge writes:

    “<META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css&gt;; REL=stylesheet”>”

    LOL

  8. lakye writes:

    may i ask.. how to make this document work?

  9. Gareth Heyes writes:

    @lakye

    You need PHP and a web server, you can use IIS on windows or XAMPP [1]
    On the mac it comes built in with Apache and PHP but there’s a nice app that lets you run it in the applications folder called MAMP [2]

    http://www.apachefriends.org/en/xampp.html [1]
    http://www.mamp.info/en/mamp.html [2]

    Once you have those installed the examples should work when you copy the files into the web document root.

  10. assa writes:

    <script>alert(“hi”)</script>

  11. assa writes:

    “><script>alert(“hi”)</script>

  12. Gareth Heyes writes:

    @assa

    Hi your IP is 76.254.28.97

  13. jojo writes:

    Why do you tell assa the IP address is she trying to take down the site?

  14. Nayan writes:

    Sorry, it’s irresistable. 🙂

    <img src=”alert(‘Hello’); />

  15. Gareth Heyes writes:

    @Nayan

    Hehe you could at least try something more recent 😛