
Cross Site Scripting Tutorial
Hello and welcome all. In our web application hacking tutorials now we have learned about SQLI and RCE. So today we are going to add one more vulnerability to that list. Yes this is a great and awesome thing . we call it XSS. Hear we have a simple website.Actually it does nothing other than getting name as an input from user and print it back to screen.
<html>
<title>XSS Tutorial - HacksLand</title>
<body>
<h2>XSS Tutorial - HacksLand</h2>
<form action = "xss.php" method = "GET" >
<input type = "text" name = "name" ><br>
<button type = "submit"><br>
</form>
</body>
</html>
I think you can understand how front-end application is look like. HTML form takes input from user and make a HTTP request to xss.php via GET method.
Any way hear is the PHP code which handle this processes.
<?php
if( $_GET[ 'name' ] != NULL ) {
$name = $_GET['name']
echo '<pre>Hello ' . $name . '</pre>';
}
?>
You can see what is going under the hood.
In PHP we can fetch HTTP parameters in this way.
$_GET[ 'name' ]
After that input is echoed with a <pre> element.
Did you notice that this script don't check what type of data is being submitting.It happily gives out whatever user has typed.
Let's take an example .Think I give an input as
Thilan Dissanayaka .
Now what happens?
Output from php code will be.
<pre> Hello Thilan Danushka</pre>How it looks like in the graphically ?

<script>alert("XSS")</script>
Since our PHP code does not check the input it will echo back this string as normal inside of a <pre> element.

<pre> Hello <script>alert("XSS")</script></pre>
But when our browser see <script> and </script> it thinks that there is a java script and I should execute it as a script.
So what ever code inside the <script> tag will get executed.

File access is an essential feature of any programming language. In C we can use two methods to....
In this tutorial, we are going to see how we can write a complex number program in c++ using the....
Hello there in this article we are going to see how we can exploit and win protostar stack 3 level.....

Thilan Dissanayaka
Hi, I'm Thilan from Srilanka. An undergraduate Engineering student of University of Ruhuna. I love to explorer things about CS, Hacking, Reverse engineering etc.