This is the next article in our series on hacking a website. To hack a website, we need to know the different ways an attack can be performed. These ways are also called attack vectors. Our first vector is Cross-Site Scripting. Cross-Site Scripting is an attack against the user of a website: an attacker tries to insert JavaScript code into a website through the URL.

Most websites want to interact with their users. To achieve this goal, the website asks for user input. For example, a website asks for the user's name in a form. After the user enters the name and presses the submit button, a new page is presented which simply says “Hello xxx”, where xxx is the data the user entered in the form. If the website does not filter the input and takes the input by the GET method (a common way to transfer data between browser and server), an attacker can create a URL which would execute JavaScript code in the browser of the user. Such a URL could look like:

http://www.example.com/greet.php?name=<script>alert(1);</script>

If this page were opened, an alert window would pop up showing “1”. So, why does this cause harm?

Well, since the attacker can add any JavaScript code there, he can control the whole page. JavaScript offers methods to manipulate the content of a website. Complete areas can be made invisible and new text can be added, as the attacker prefers. Besides the website itself, the attacker can also read out cookies, the small pieces of information which are stored in your browser and which contain information about your web session. He can read out passwords which are entered into fields of the website. If the attacker adds the login form of the website, the browser fills out these fields automatically, since most users use the function of their browser to store the password.

If the vulnerable website is a bank, for example, the attacker could at least steal the login credentials and have a look at the bank accounts of his victims.

A real nightmare.
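
The greeting page described above, shown next to a version that HTML-encodes the name before writing it into the page. This is an added example, not code from the original article; the function names (escapeHtml, nameFromUrl, greetUnsafe, greetSafe) are hypothetical, and the server-side page is modelled as plain JavaScript functions that return the HTML they would send.

```javascript
// Added example: models the "Hello xxx" page from the article.
// All function names here are hypothetical, chosen for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the characters that let text break out into HTML markup.
// A single pass over the input avoids double-encoding the '&' we emit.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the GET parameter "name" the way the server would see it
// (percent-encoding in the URL is already decoded at this point).
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') ?? '';
}

// Unfiltered: the parameter is copied into the page as-is, so markup in
// the URL becomes markup in the response.
function greetUnsafe(url) {
  return `<p>Hello ${nameFromUrl(url)}</p>`;
}

// Encoded: the same parameter is written as text, so the browser displays
// the characters instead of interpreting them as a script element.
function greetSafe(url) {
  return `<p>Hello ${escapeHtml(nameFromUrl(url))}</p>`;
}

// The URL from the article.
const articleUrl =
  'http://www.example.com/greet.php?name=<script>alert(1);</script>';

console.log('unfiltered:', greetUnsafe(articleUrl));
console.log('encoded:   ', greetSafe(articleUrl));
```

With the encoded version, the visitor sees the literal text of the name on the page and no script runs; an ordinary name such as "Alice" is displayed unchanged.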