Monday, December 18, 2006

Introduction to XSS Part 1

This document is purely for illustrative purposes. I am not responsible for any losses arising to the websites mentioned below. Webmasters, please be more alert...

What is it?

XSS stands for cross-site scripting. The natural abbreviation, CSS, is already taken by Cascading Style Sheets, so it is written XSS, the X standing for "cross". It is a class of attack that lets an attacker deface websites, log in as another user, and so on.


Let us start by looking at how websites work. Starting with the simple ones, take this blog: it is a series of pages connected by many links. That is the simple case; now let us look at websites that are interactive. We are particularly interested in sites that let us submit something which then appears on the page. The simplest example is a search box: whatever you search for is echoed back on the results page. Or take sites where you can submit information that is then displayed on the site.

Phase 2: JavaScript injection

The next thing to try is to put JavaScript into those areas that get echoed back on the page. For example, a plain script tag:

<script>alert("xss");</script>

Most probably it would not have worked, either because you tried it on a well-known site that filters its input, or because you have to enter a little more code. Take the following example:
The following page has an XSS hole

But if you put that script into the txtPropertyId parameter, it did not work. To understand why, we have to look at the page's source.
This is the rendered source (the HTML that is output with your code in it). To find out whether your injection has worked, take the rendered source and search for your injected script. In this case it was found here:

Our script did not work because it was encapsulated within a string: the page writes our value inside a double-quoted attribute, so the browser treats the whole script tag as text. To break it out, we add extra code on both sides. A closing " and > end the attribute and the tag it sits in; then comes the script; then an opening <span style=" swallows the closing " and > that the page itself appends after our value, so they end up inside a harmless attribute instead of as stray text on the page. The new URL parameter would become:
txtPropertyId="><script>alert("xss");</script><span style="
(in the actual URL the quotes and angle brackets are percent-encoded: " as %22, < as %3C and > as %3E)

Now our script is properly executed, as can be seen in the screenshot.

The portion highlighted in red is the injected code. As you can see, it works.
Another page with an XSS hole is
and the injected URL looks something like

Now that you have seen that you can execute JavaScript in a visitor's browser, you can do anything from phishing and cookie stealing to defacement (bookmark me and wait for more on this topic).
That is the case for simple sites that are not well built. Well-built sites like Google, Yahoo and Hotmail take this issue seriously and have filters; finding an XSS hole there is tough.
However, some weak filters can be bypassed using the techniques listed in the XSS Cheat Sheet.

Message to Webmasters (especially of

This article was written for you. Please put a filter between request and response so that XSS can be prevented. Strip all HTML tags wherever it is acceptable to do so, but do not rely on tag stripping alone: the hole shown above is inside an attribute value, and a payload that closes the quote and adds an event-handler attribute (" onmouseover=..., for instance) contains no tag at all, so it passes straight through strip_tags(). What reliably stops XSS is encoding every untrusted value at the point where it is written into the page, with the encoding matched to that context; for PHP users that means htmlspecialchars($value, ENT_QUOTES, 'UTF-8') on output rather than strip_tags() on input. Anti-XSS libraries are available that do this for you.
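The following is an added example, not code from the original post or from the sites it discusses. It reproduces the attribute breakout from Phase 2 and the filter comparison just above in one runnable script. Since the server-side source of the vulnerable page was never shown, TEMPLATE is an assumed stand-in for a form that echoes the txtPropertyId parameter into a double-quoted value attribute; NAIVE and BREAKOUT are the two payloads from the post, TAGLESS is my own addition to show what tag stripping misses, strip_tags() is a simplified imitation of PHP's function (not PHP's code), and executable_js() uses Python's html.parser to do what the post does by hand: read the rendered source and find where the injected code landed.

```python
"""Reflected XSS in an attribute context: payloads vs. two server-side fixes.
Added example; TEMPLATE is an assumed stand-in for the page's unseen source."""

import html
from html.parser import HTMLParser

# Assumed page: a form that echoes the txtPropertyId parameter into a
# double-quoted value attribute (the vulnerable page's real source is unknown).
TEMPLATE = (
    '<html><body><form>'
    '<input type="text" name="txtPropertyId" value="{value}">'
    '</form></body></html>'
)

# The first two payloads are the ones walked through in the post. The third
# (my addition) contains no tag at all and only works in attribute context.
NAIVE = '<script>alert("xss");</script>'
BREAKOUT = '"><script>alert("xss");</script><span style="'
TAGLESS = '" onmouseover="alert(1)'


def strip_tags(text):
    """Simplified imitation of PHP's strip_tags(): drop everything from a '<'
    that starts a tag up to the matching '>' (or to the end if unterminated)."""
    out = []
    i = 0
    while i < len(text):
        starts_tag = (text[i] == "<" and i + 1 < len(text)
                      and (text[i + 1].isalpha() or text[i + 1] in "/!?"))
        if starts_tag:
            end = text.find(">", i + 1)
            i = len(text) if end < 0 else end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def render_vulnerable(value):
    """The bug: the parameter is copied into the attribute untouched."""
    return TEMPLATE.format(value=value)


def render_stripped(value):
    """Tag stripping only (the post's original advice)."""
    return TEMPLATE.format(value=strip_tags(value))


def render_encoded(value):
    """Output encoding: html.escape(quote=True) encodes & < > " ' the way
    PHP's htmlspecialchars(..., ENT_QUOTES) does."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class ScriptFinder(HTMLParser):
    """Collect every place where script could run: <script> bodies and on*
    event-handler attributes. A real tokenizer is used so that code that is
    still inside an attribute string is correctly ignored, exactly as a
    browser would ignore it."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.handlers = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, val or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def executable_js(page):
    """Return the JavaScript a browser would execute when loading `page`."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return [s.strip() for s in finder.scripts] + [v for _, _, v in finder.handlers]


def compare(payload):
    """Map each rendering strategy to the JS it lets through for `payload`."""
    return {
        "vulnerable": executable_js(render_vulnerable(payload)),
        "strip_tags": executable_js(render_stripped(payload)),
        "encoded": executable_js(render_encoded(payload)),
    }


if __name__ == "__main__":
    for label, payload in (("naive", NAIVE), ("breakout", BREAKOUT), ("tagless", TAGLESS)):
        print(label, compare(payload))
```

Running it shows the three behaviours the post and the message above describe: the naive payload never runs because it stays inside the attribute string; the breakout payload runs against the vulnerable renderer and is stopped by both fixes; the tagless payload runs against the vulnerable renderer and against the strip_tags renderer alike, and only the encoding renderer stops it.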

Happy surfing...

More XSS holes ...
» : search for <script>alert(document.cookie);</script>
» Got another XSS hole? Let me know...


Arun Prabhakar said...

more XSS holes:

Anonymous said...

You have hacked my site too...

Anyway, thanks for pointing out the security holes...

I will try to fix this as soon as possible.
And I have bookmarked your blog also.

Arun Prabhakar said...

My latest additions ...

Anonymous said...

;%3C/script%3E&userid=xcv&