

This is a detailed guide to everything XSS.

What is XSS?
XSS stands for Cross Site Scripting. Sometimes it is called CSS, but that is easily confused with Cascading Style Sheets, so XSS is the preferred term.
Cross Site Scripting is a way of taking advantage of web applications that accept user input but do not filter or encode it properly. This allows an attacker to inject HTML or script such as JavaScript into the pages the application serves, so that it runs in other users' browsers.

Different kinds of XSS
There are 3 traditional types of XSS attacks; however, if you are inventive and understand how XSS and the server work, there are nearly limitless possibilities.

1. DOM-Based Attack
A DOM-based attack is a more advanced attack in which the attacker's payload (malicious script) is executed as a result of the original client-side script modifying the DOM environment in the victim's browser; this causes the client-side code to run in an unexpected manner.

2. Persistent XSS Attack
A persistent XSS attack is a method in which the attacker's payload is stored on the server (for example in a database) and will be served to every user who views the page until a server admin removes it.

3. Non-Persistent XSS Attack
A non-persistent XSS attack is a method in which the attacker's payload is not stored, meaning it doesn't affect the server's internal data. An example of this would be a link that has a non-persistent attack embedded in it.

How do we find a vulnerable server?
To find a server on which to do an XSS attack there are two main methods. You can use a Google search dork, in which we google for URL patterns that are commonly vulnerable. The other method is to read the actual .php code of the website (I will get into this later).

Here are some good examples of Google dorks for finding XSS candidates.

inurl:pages/match_report.php?mid=
inurl:/notice.php?msg=
inurl:/gen_confirm.php?errmsg=
inurl:/view.php?PID=
inurl:/Property-Cpanel.html?pid=
inurl:/showproperty.php?id=
inurl:/elms/subscribe.php?course_id=
inurl:/winners.php?year=2008&type=
inurl:/site_search.php?sfunction=
inurl:/search.php?search_keywords=
inurl:/hexjector.php?site=
inurl:/news.php?id=
To do this, simply google one of these strings and it will spit out a list of results that will be vulnerable to XSS if proper filtering is not in place.

Testing for XSS vulnerabilities
To test whether or not the site you have found is vulnerable, we need to attempt to inject some code into it.

You can inject code in multiple ways. If there is a search bar you may inject the code right into it. You can inject the code into the URL, for example, " GOES HERE". Or, if you are attacking a forum, you can try to inject the code into the body of a thread; this will execute the script when someone opens the thread.

Here is the base test that I use to test for vulnerabilities. Insert it into the website you are testing.
If the web page is vulnerable you should get a sort of "pop-up" that says "Test". If you didn't get anything, do not worry; that just means the server admin has placed filters to counter XSS attacks. I will get into bypassing these filters near the end.

Assuming you have found an XSS-vulnerable site, you can now attack it.
For example, if you input the following string, everyone who views the page will get an alert saying "Hi! Abh ROCKS!"

<script>alert("Hi! Abh ROCKS!")</script>
You can also use a redirect script to redirect the viewer to your deface page, making the page appear defaced.
<script>window.location = ""</script>
One of the main reasons to XSS attack is to steal cookies. However, I will not get into that in this tutorial because it involves setting up your own server on which to host your cookie-stealer PHP script so you can inject it into the victim's server. If you would like me to do a tutorial on that, feel free to leave a comment and I may get around to it.

Vulnerabilities by examining PHP code
Because I have never seen a tutorial on this kind of XSS attacking, I figured I would share it as well. We can read the PHP code to find other unfiltered variables to exploit, or to diagnose what kind of filtering is being used on a specific variable so we may bypass it.

If we look at the Hackforums newthread.php URL, for example, it shows "newthread.php?fid=". The word that comes after the "?" and before the "=" is the variable that is being modified. And just because that is the only variable it shows doesn't mean it's the only variable that we can alter.

I will be talking about diagnosing and bypassing 3 main types of filtering; after that you will have to take what you have learned and apply it to other filter systems.
-str_replace() filter
-htmlentities() filter
-Bypassing filters using data URIs

Let's imagine we have a page http://localhost/page.php?name=John. The PHP code for this page looks like this.

PHP Code:
<?php echo 'Your name is '.$_GET['name']; /* no filtering or encoding at all */ ?>
On this page there is no filtering present, so we can easily attack the "name" variable.
This would be our resulting attack:

Bypass a basic str_replace() filter
Now imagine we are at the same page, but the code has changed and now has a basic str_replace() filter in place on the name variable. The PHP code for this page is as follows.

PHP Code:
<?php echo 'Your name is '.str_replace('script', '', $_GET['name']); /* removes only the exact lower-case word "script" */ ?>
What this filter does is replace every instance of "script" with nothing in "name". To bypass this we can simply add some capital letters to the word script in our attack, because str_replace() is case-sensitive.
Result attack:

And voila, we have successfully bypassed the filter and injected our code.
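To make the defensive point behind this section concrete, here is an added PHP example (not code from the original tutorial) that puts the page's str_replace() blacklist next to context-aware output encoding with htmlspecialchars(). The function names and the inputs in $samples are my own constructions; the mixed-case sample is the case-variation trick described above.

```php
<?php
// Added example: blacklist filtering vs. output encoding for the HTML body context.
// Not the tutorial's code; $samples are constructed test inputs.

// The page's filter: strips the literal, lower-case word "script" only.
function blacklistFilter(string $name): string
{
    return str_replace('script', '', $name);
}

// Defensive alternative: encode for the HTML body context.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of silently returning an empty string.
function encodeForHtml(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the rendered output still contains an unencoded tag start.
function containsRawTag(string $rendered): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z]/i', $rendered);
}

// Constructed inputs: a harmless name, the lower-case tag the blacklist
// catches, and the mixed-case variant the tutorial uses to get past it.
$samples = [
    'John',
    '<script>alert(1)</script>',
    '<ScRiPt>alert(1)</ScRiPt>',
];

foreach ($samples as $input) {
    $viaBlacklist = 'Your name is ' . blacklistFilter($input);
    $viaEncoding  = 'Your name is ' . encodeForHtml($input);
    printf("%-28s blacklist: %-8s encoding: %s\n",
        $input,
        containsRawTag($viaBlacklist) ? 'BYPASSED' : 'stripped',
        containsRawTag($viaEncoding) ? 'BYPASSED' : 'encoded');
}
```

Run it with `php example.php`: the blacklist row for the mixed-case sample reports BYPASSED, while every encoding row reports "encoded", because htmlspecialchars() turns every "<" into "&lt;" regardless of what follows it. A blacklist has to anticipate every spelling of the dangerous token; encoding for the output context does not.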

Bypassing a htmlentities() filter
A lot of websites use the htmlentities() function against XSS, but by default it only takes care of double quotes, not single quotes.
What htmlentities() does is convert characters with a special meaning in HTML into entities: every "<" becomes "&lt;" and ">" becomes "&gt;", so the resulting text won't be parsed as a script tag. However, we can bypass it by writing our script without using <, > or ".
The php code for this is.

PHP Code:
<?php echo "<img alt='' src='".htmlentities($_GET['img'])."' />"; /* attribute is single-quoted, and the default flags leave ' unencoded */ ?>
To inject our code and bypass this filter we simply avoid the use of '<' and '>' or " and make use of HTML event attributes.
The resulting attack is:
http://localhost/page.php?img= .' onerror='alert("XSS")

Bypass XSS filters using data URIs
This is not a very well-known technique, but you can bypass almost any filter with it. Data URIs are generally used to embed images as text in an HTML document. I noticed that sometimes you can use them to bypass an htmlspecialchars() XSS filter. The vulnerable page is designed to show an image from a URI supplied in the URL.
The php code is.

PHP Code:
<?php echo '<object data="'.htmlspecialchars($_GET['img']).'" />'; /* quotes are encoded, but the URL scheme is never checked */ ?>
By changing the media type from image/gif to text/html and supplying our own data content, it is possible to trigger XSS.

Result attack:

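The two bypasses above (a single quote closing the attribute in the htmlentities() section, and a non-image data: URI handed to <object data=...> in this section) are both closed by the same two defensive habits: encoding for the attribute context with ENT_QUOTES, and validating the URL against an allowlist before it goes into src or data. The PHP below is an added example, not the tutorial's code; the function names, the sample inputs and the placeholder image URL are my own assumptions. One caveat for readers on current PHP: since PHP 8.1 the default flags of htmlentities() and htmlspecialchars() include ENT_QUOTES, so the single-quote breakout only works against older PHP or against code that passes explicit flags without ENT_QUOTES.

```php
<?php
// Added example: hardened rendering for the attribute context plus URL
// validation for src/data attributes. Not code from the original tutorial.

function encodeAttr(string $value): string
{
    // ENT_QUOTES: encode both ' and " so the value cannot close the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow only http(s) URLs, or data: URIs whose media type is a raster image
// with a well-formed base64 body. Everything else (javascript:, data:text/html,
// quote-laden relative paths, ...) is rejected by returning null.
function safeImageUrl(string $url): ?string
{
    $url = trim($url);

    if (preg_match('#^data:image/(png|gif|jpeg|webp);base64,([A-Za-z0-9+/=]+)$#', $url, $m)) {
        return base64_decode($m[2], true) === false ? null : $url;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

function renderImage(string $url): string
{
    // Placeholder URL is an assumption for this example.
    $safe = safeImageUrl($url) ?? 'https://example.invalid/placeholder.png';
    // Double-quoted attribute + encoded value: the value cannot break out.
    return '<img alt="" src="' . encodeAttr($safe) . '" />';
}

function renderObject(string $url): string
{
    // <object data=...> will happily render text/html, so only allowlisted
    // image URLs are ever placed there.
    $safe = safeImageUrl($url);
    if ($safe === null) {
        return '<!-- blocked: URL not in allowlist -->';
    }
    return '<object data="' . encodeAttr($safe) . '"></object>';
}

// Constructed inputs: a normal image, the page's single-quote attribute
// breakout, a non-image data: URI, and a tiny valid GIF data: URI.
$inputs = [
    'https://example.com/cat.png',
    "x.' onerror='alert(1)",
    'data:text/html,constructed-non-image-content',
    'data:image/gif;base64,R0lGODlhAQABAAAAACw=',
];
foreach ($inputs as $in) {
    echo renderImage($in), "\n", renderObject($in), "\n\n";
}
```

The second input never reaches the attribute unencoded: it fails the allowlist (no scheme, no host) and is replaced by the placeholder, and even if it did reach encodeAttr() its single quote would come out as &#039;. The text/html data: URI is rejected because the allowlist accepts only image/* media types, while the GIF data: URI passes. A Content-Security-Policy header with object-src 'none' is a cheap second layer for pages that never legitimately need <object>.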
I hope you enjoyed the tutorial; if anyone has any questions feel free to ask. I apologize if I got any information incorrect, I'm still new at this.

Please comment and keep alive :)
