XSS attacks a practical example

I’ve been talking with Hackathology and he was having trouble understanding the context of certain XSS attacks, so I decided to write him a quick PHP document which creates vulnerable variables and examples. The document has links which perform the injections on itself. I didn’t have IE handy to test, so forgive me if the IE examples don’t quite work, but hopefully they should.

So if you’re looking to learn how to protect your site against XSS, or want to know how to perform pen testing, then please download and run the document on a local testing server. Please don’t run it on a live site, because it obviously contains security holes. Note that this document was intended for people learning, so hardcore hackers will probably not find anything of interest.
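To make the idea of "context" concrete, here is an added example in the same spirit as the document described above. It is not the downloadable document from this post; the file name xss_demo.php, the query parameters name and safe, and the three payloads are all my own choices. The page reflects one GET parameter into three different places (HTML body, a quoted attribute, and a JavaScript string) and carries links that inject into itself, once raw and once through the encoder that fits each context, so you can see that a payload built for one context does nothing in the others, and that the right escaping is decided by where the value lands, not by the value.

```php
<?php
// Added example, not the document from the post. Run it only on a local
// test server (e.g. php -S 127.0.0.1:8000) because it is deliberately vulnerable
// unless ?safe=1 is present.
declare(strict_types=1);

// Raw value straight from the query string: this is the "vulnerable variable".
$raw = isset($_GET['name']) ? (string) $_GET['name'] : 'world';

// ?safe=1 switches every sink to its context-appropriate encoder.
$safe = isset($_GET['safe']) && $_GET['safe'] === '1';

// Context 1 and 2: HTML body text and a double-quoted attribute value.
// htmlspecialchars with ENT_QUOTES neutralises < > & " and ' ; for the attribute
// this is only sufficient because the template below actually quotes the value.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 3: a JavaScript string literal inside <script>. json_encode produces a
// quoted literal; the HEX flags additionally escape " ' < > & so the value can
// neither close the literal nor smuggle in </script>.
function forJs(string $s): string {
    $enc = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    return $enc === false ? '""' : $enc; // invalid UTF-8: fall back to an empty literal
}

$html = $safe ? forHtml($raw) : $raw;
$attr = $safe ? forHtml($raw) : $raw;
$js   = $safe ? forJs($raw)   : '"' . $raw . '"';

// One payload per context (constructed for this demo). Each one only fires in
// the sink it was written for; try each link and watch which alert appears.
$payloads = [
    'HTML body'      => '<img src=x onerror=alert(1)>',
    'HTML attribute' => '" autofocus onfocus=alert(2) x="',
    'JS string'      => '";alert(3);//',
];
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>XSS context demo</title></head>
<body>
<h1>Mode: <?= $safe ? 'escaped' : 'vulnerable' ?></h1>
<ul>
<?php foreach ($payloads as $label => $p): ?>
  <li><?= forHtml($label) ?>:
      <a href="?name=<?= rawurlencode($p) ?>">inject</a> /
      <a href="?safe=1&amp;name=<?= rawurlencode($p) ?>">inject with escaping</a></li>
<?php endforeach; ?>
</ul>

<!-- Sink 1: HTML body -->
<p>Hello <?= $html ?></p>

<!-- Sink 2: double-quoted attribute value -->
<input type="text" value="<?= $attr ?>">

<!-- Sink 3: JavaScript string literal -->
<script>
  var name = <?= $js ?>;
  document.title = 'Hello ' + name;
</script>
</body>
</html>
```

Two things worth noticing when you click through: the attribute payload starts with a double quote because it has to close the existing value="..." before it can add an event handler, and the JavaScript payload has to close the string and then comment out the rest of the line, which is why neither of them does anything in the body sink. With ?safe=1 the same three payloads are rendered as text, because each sink now uses the encoder for its own grammar rather than a single generic "sanitiser".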

Hope it helps. Download the document here:
XSS demos

Comments (13)

  1. Joshua Grainger wrote:

    Thanks for this, it really helped me understand better the vectors for the strange examples.

    Posted 01 Oct 2007 at 8:27 pm
  2. .mario wrote:

    Hi!

    Nice one! Just to mention - Kishor once created the XSS in eXceSS tool which is also great for learning. Maybe you like to take a look here:

    http://h4k.in/xssinexcess

    Greetings,
    .mario

    Posted 01 Oct 2007 at 9:51 pm
  3. Gareth Heyes wrote:

    @Joshua

    No problem I’m glad I helped :) I might do another example soon with some more advanced stuff so stay tuned.

    @Mario

    Excellent link thanks

    Posted 01 Oct 2007 at 10:23 pm
  4. Bipin 3~ Upadhyay wrote:

    @Gareth:
    Gareth, as always, comes up with another interesting, yet simple post. hehe :)

    @.Mario:
    Thanks for the link.
    BTW, is there any story behind the handle .mario? ;)

    Posted 02 Oct 2007 at 8:56 pm
  5. ";alert('XSS');// wrote:

    <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">

    Posted 18 Mar 2008 at 4:11 pm
  6. Gareth Heyes wrote:

    What’s the point? sigh

    Posted 18 Mar 2008 at 4:24 pm
  7. fragge wrote:

    “<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">”

    LOL

    Posted 19 Mar 2008 at 5:29 am
  8. lakye wrote:

    may i ask.. how to make this document work?

    Posted 18 Jun 2008 at 5:00 pm
  9. Gareth Heyes wrote:

    @lakye

    You need PHP and a web server, you can use IIS on windows or XAMPP [1]
    On the mac it comes built in with Apache and PHP but there’s a nice app that lets you run it in the applications folder called MAMP [2]

    http://www.apachefriends.org/en/xampp.html [1]
    http://www.mamp.info/en/mamp.html [2]

    Once you have those installed the examples should work when you copy the files into the web document root.

    Posted 18 Jun 2008 at 5:45 pm
  10. assa wrote:

    <script>alert("hi")</script>

    Posted 06 Apr 2009 at 7:53 am
  11. assa wrote:

    "><script>alert("hi")</script>

    Posted 06 Apr 2009 at 7:53 am
  12. Gareth Heyes wrote:

    @assa

    Hi your IP is 76.254.28.97

    Posted 06 Apr 2009 at 8:11 am
  13. jojo wrote:

    Why do you tell assa the IP address? Is she trying to take down the site?

    Posted 15 Dec 2009 at 5:03 am
