Blog

XSS injection – script cross-site scripting

hi guys and welcome we gonna talk about cross-site scripting
not how to build a script for everything you have in mind

superfast

XSS it’s a vuln that affects websites that do have good security on form input
that let us inject a malicious script that can be used to gain access to the website, take advantage of the user
and website form.

exploit tool:
beef
xenotime

we can have two types of XSS
persistent or not. that’s it.

if we find text fields were injected permanently (the server retains the script)
–.we can test whit the following code —
<h1>HI</h1>
if the HI changes to format and we do see the tag we can have success.

usually can be used as a field like new threads/post/news etc,

so we have a vuln field but we wish to exploit it as it should be,
we need a code to build us a script to hook the webpage and grab cookies, IP, geo, keylog, etc…
all the users do in the webpage where we have injected can be saved and reported
beef & xenotix can be helpful to do that

not persistence XSS, reflected, DOM-based, are vuln of the website, but no let you to take advantage of the script power.

1 ex. if vuln is in a research box, and you load the script inside the box, you hook only the guys who research the script XD
2 ex. if you found a vuln and the script no go hidden there isn’t a vuln
3 ex. if you hook a post/blog/website page, only the user on that page can be hooked and not the entire website

—–

we can use that script, for hook users, build manually or whit beef/xenotix
whit clickjacking attack or phishing method
we need to insert it in something we wish to stay open more time possible in the browser of the victim,
so we need to craft a webpage thinking about that.

——

i hope that can you guys to have more lucky,
if you need help ask.