
XSS BASICS! STEP BY STEP TUTORIAL!
Started by Caiky




7 posts in this topic
[NS]Caiky Offline
That one girl who writes tutorials
***


NulledSystems
Posts: 80
Threads: 17
Joined: Mon Oct 2017
Reputation: 6

CZPoints: 83 CZP
CoolContributorDiamondDonator
10-22-2017, 07:14 AM -
#1
Hi


Finding a Vulnerable Website

Targeting a certain website when using XSS is tedious work. You must go to every single page of the website to be able to find just one vulnerable page. Because of that, we will just find random vulnerable websites on google!
You would put a dork into google, such as 
Hidden Content

So, in the Google URL bar, you would type inurl: insertdorkhere to find a vulnerable website. After searching Google for a vulnerable page, go to it, and find some sort of input field such as a password/username, search, etc. Let's just type in "Caiky" without the quotes.

After we press enter and wait for the response, we can see in this case that it says "Hello Caiky." Let's see if the website "sanitizes" the code that we inject into the website. Enter in <script> and press enter. Now let's go ahead and open up inspect element, and find where that "Hello <script>" is.
It can be a large amount of different things, but in our case it will look like
Hidden Content

Now, if <script> stays the exact same, that means the website does not sanitize! If they did, it would look something like this: 

Hidden Content
 
This means this page is completely vulnerable to XSS!

Exploiting the Vulnerability.

Now it's time for the fun stuff! We can enter any JavaScript we want into the box, and it will run. For example, if we enter the JavaScript from my DIY Mine on Computers Through a Website tutorial, we can mine on anyone who inputs that code. Obviously this isn't the best for mining, but this is just a non-persistent XSS attack. There are still thousands of useful malicious scripts we can inject, but mining would be useless.

Persistent or Stored XSS will stay on the page you put the script on. This is where Coinhive's miner truly comes in strong.
Imagine a forum post that is vulnerable. Any person who visits that post will have their browser infected with the miner until they close it, and personally I almost always have a browser window open. If I got Coinhive's miner injected into my browser, off my computer alone you would make $1-2 a day. One computer. $1-2 a day. If you target forums or websites that normally have visitors with good computers, with just 20 infections you could be making upwards of $20 a day.

Of course, if you are able to find some sort of exploit where you can just download a file onto a person's computer and run it without their knowledge somehow, you can inject that JavaScript into a website and get infection after infection for your botnet, RAT, or other malicious software. We can steal the identity of people visiting the website and sensitive data, such as credit card details or accounts. You can bypass restricted areas of a website, such as VIP or donor only sections. You can deface the website, mine, DOS skid xd, or even just completely hijack their computer.



End

I'm not responsible for whatever you do with this yadda yadda yadda made for the community of Corrupt Zone.

Hope you guys enjoyed! Leave a post if you found this useful, it motivates me to make more tutorials  Girl_pinkglassesf
All my HQ tutorials can be found here. Click me! <3
Donate some BTC if you like my stuff <3 1krWpnAG4NNBJyfYWBBKuurgywbPGNdL3
Xpad Offline
Junior Member
**


Registered
Posts: 8
Threads: 0
Joined: Sat Oct 2017
Reputation: 0

CZPoints: 0 CZP
10-22-2017, 11:32 PM -
#2
Thank u hq boas was looking for a tut
Cremate Offline
Banned


Posts: 7
Threads: 0
Joined: Wed Oct 2017

CZPoints: 0 CZP
10-23-2017, 02:04 PM -
#3
thanks now i can css my hack account
Dox Offline
Cyber Security Student
***


Contributor
Posts: 414
Threads: 125
Joined: Mon Oct 2017
Reputation: 6

CZPoints: 136 CZP
OnFireContributor
10-23-2017, 06:07 PM -
#4
Pretty fucking HQ post my dude.
Contact E-Mail: [email protected]
BTC Address: 1JmJrbmQn4Bg24r68bSyZ7TxNZGad3iPWM
drillbyte Offline
~# Contributor #~
***


Contributor
Posts: 60
Threads: 17
Joined: Thu Oct 2017
Reputation: 0

CZPoints: 40 CZP
Contributor
10-24-2017, 07:45 AM -
#5
Thanks for this.
Have another idea for you.
alextheguyuwant Offline
Junior Member
**


Registered
Posts: 1
Threads: 0
Joined: Mon Nov 2017
Reputation: 0

CZPoints: 0 CZP
11-20-2017, 11:17 PM -
#6
Hidden? Post to reply?!?!?! ;(
skidly Offline
FUCKING METAL
****


Diamond
Posts: 86
Threads: 23
Joined: Mon Nov 2017
Reputation: 4

CZPoints: 151 CZP
ContributorDiamondDonatorCool
11-20-2017, 11:24 PM -
#7
Thanks, lassie. I'll put this to good use.
Jax Offline
Junior Member
**


Registered
Posts: 38
Threads: 7
Joined: Sat Dec 2017
Reputation: 0

CZPoints: 41 CZP
12-05-2017, 02:14 AM -
#8
Cheers for this, going to try it out now! <3
Social Media Manager & Graphic Designer
PM for inquiries.