Aug 12, 2019

Cross Site Scripting Tutorial

Hello and welcome all. In our web application hacking tutorials now we have learned about SQLI and RCE. So today we are going to add one more vulnerability to that list. Yes this is a great and awesome thing . we call it XSS. Hear we have a simple website.Actually it does nothing other than getting name as an input from user and print it back to screen. 

<html>
<title>XSS Tutorial - HacksLand</title>
<body>
  <h2>XSS Tutorial - HacksLand</h2>

  <form action = "xss.php" method = "GET" >
   <input type = "text" name = "name" ><br>
   <button type = "submit"><br>
  </form>
</body>
</html>
I think you can understand how front-end application is look like. HTML form takes input from user and make a HTTP request to xss.php via GET method.   Any way hear is the PHP code which handle this processes. 
<?php

if( $_GET[ 'name' ] != NULL ) {
    $name = $_GET['name']
    
    echo '<pre>Hello ' . $name . '</pre>';
}

?>
You can see what is going under the hood. In PHP we can fetch HTTP parameters in this way. 
$_GET[ 'name' ]
After that input is echoed with a <pre> element. Did you notice that this script don't check what type of data is being submitting.It happily gives out whatever user has typed. Let's take an example .Think I give an input as Thilan Dissanayaka . Now what happens? Output from php code will be. 
<pre> Hello Thilan Danushka</pre>
How it looks like in the graphically ? This is the time that things getting interesting. Now think what if I enter following? 
<script>alert("XSS")</script>
Since our PHP code does not check the input it will echo back this string as normal inside of a <pre> element.   Final output is hear. 
<pre> Hello <script>alert("XSS")</script></pre>
  But when our browser see <script> and </script> it thinks that there is a java script and I should execute it as a script. So what ever code inside the <script> tag will get executed. So guys this is how XSS working.In next tutorials  of this serious we are going to see what is SOP(Same Origin Policy) and how its related to xss, How to bypass XSS filters What's DOM (Document Object Model) etc.Also we need to know what we can do with this XSS ataack and how we can secure web applications from XSS. So wait and watch . Thank you for reading.

Apr 16
Wordpress nulled theme checker
Wordpress nulled theme checker

We all love free stuff. So many people try to install premium themes and plugins on there WordPress....

read more
Aug 12
Compiling C programs
Compiling C programs

In previous tutorial we got a quick idea about C language. Today we are going to learn what is....

read more
Aug 12
Functions and stack frames
Functions and stack frames

Stack is a concept used in computer architecture to store temporary data. It is used to pass....

read more
Replying to 's comment Cancel reply
ABOUT AUTHOR
Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Srilanka. An undergraduate Engineering student of University of Ruhuna. I love to explorer things about CS, Hacking, Reverse engineering etc.

CATEGORIES
SOCIAL
RANDOM ARTICLES
Reverse engineering tutorial for beginners
Reverse engineering tutorial for beginners
Format strings | Python programming
Format strings | Python programming
Best programming languages for hackers
Best programming languages for hackers
Remote File Inclusion [RFI]
Remote File Inclusion [RFI]
Linux directory structure
Linux directory structure
Protostar Stack0 walkthrough
Protostar Stack0 walkthrough
Error Handling | Python Programming
Error Handling | Python Programming
cookie consent banner javascript
cookie consent banner javascript