
How To Perform Cross Site Scripting Attack In Kali Linux


In this article, I am covering what XSS is and how XSS attacks are executed.


  1. Understanding of HTML and JavaScript
  2. Basic understanding of server-side languages like PHP, JSP.
  3. Kali Linux
  4. DVWA. If you have not installed DVWA yet, go ahead and install it first. Without DVWA you will not be able to test the XSS attack.

Cross-site scripting, commonly known as XSS, is a very dangerous class of attack. In XSS, hackers inject malicious scripts or payloads into web applications. XSS is a very common vulnerability.
In most cases, malicious JavaScript code is injected into vulnerable web applications.
With an XSS-vulnerable website, hackers do crafty stuff like making fake login pages, session hijacking, etc. to steal credentials.

What hackers can do with XSS attacks

With XSS, hackers can steal cookies, redirect users to another website, hijack sessions, spread malware, deface websites and more. So you can imagine how much damage hackers can do with XSS attacks.

Types of XSS

There are two types of XSS attacks.
  1. Stored XSS attack
  2. Reflected XSS attack

Reflected XSS attack

The reflected attack is the most common XSS attack. In reflected attacks, the hacker's script must be part of the URL.
More specifically, the hacker sends an HTTP request to the server, and the server reflects it back so that the HTTP response includes the evil script, which then gets executed. Let's do it with some real examples. It will not take much time to understand.
We will be using DVWA for the demonstrations. DVWA is a tool where we can practice our skills on our local server in a legal environment. Open your terminal and start DVWA.
Before starting DVWA we have to start the apache2 and MySQL services.
root@seven:~# service apache2 start
Start MySQL services.
root@seven:~# service mysql start
Now open your web browser, go to http://localhost/dvwa/login.php, enter your credentials and log in.
Once you are logged in, you have to change the security level in DVWA. By default it is impossible; we have to change it to low.
[Image: change security level]
Change the security level to low, as shown in the picture below.
[Image: change value]
Now select the reflected attack from the menu.
[Image: reflected selection]
Now we are ready to test. Write some JavaScript code as shown in the image below and submit.

[Image: alert down]

[Image: another alert]
When you hit submit, it should return an alert box. If the page returns the output of your code (in this case an alert box) rather than the code that you submitted, the website is vulnerable to XSS. Here you saw we got an alert box in return.
Now check the URL; you will see that the code has been added to the URL.
[Image: name is vulnerable]
Now you can see the code is integrated into the URL. That's because the name parameter is vulnerable to XSS. Now you can write some evil code, like making a fake login page, and send it to the victims.
Before sending links, you should encode the URL to hex or some other form so a human can't read it. Use your social engineering skills to send the link and make your victims click.

XSS Stored Attack

As the name suggests, this is the stored attack. It works wherever you can submit data. You can actually inject or store your evil code in a website's database. In this way, a user who visits the website where you injected your code does not even know that he is forced to run the code.
Stored attacks are mostly implemented through a comment box. Through the comment box, you can insert your evil code into a vulnerable website's database.
Now switch to XSS stored from the menu.
[Image: change to store]

Now fill in the form with a name and a message. Inside the message box, enter your evil JavaScript code instead of regular text and see what happens.
[Image: finally attack]
When you input the code I showed in the picture, you will be prompted with an alert box.
Now you can put whatever code you want inside the message box, and it will be stored in the database. If you have JavaScript skills, just try to make exploits and redirection pages. It's not that difficult to make some useful payloads. Now you can write
By now you must have realized how dangerous XSS attacks are, even more than SQL injections. SQL injection can be prevented easily, but it's hard to prevent XSS attacks. However, if you are using blogging platforms like WordPress and Google Blogger, they take care of XSS attacks. Especially with the latest versions of WordPress, it's really hard to XSS WordPress.
That was just an introduction to XSS. I will write some advanced articles on XSS in the future. Enjoy!
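
Both the reflected name parameter and the stored message box run script for the same reason: the submitted value is written into the HTML response without encoding. The following is an added example, not DVWA's source or code from this article, showing that pattern beside an output-encoded version in Node.js. The function names, the markup, the header values and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not DVWA's source. Markup and names here are assumptions.

// Encode the characters that let a value leave an HTML text or quoted-attribute context.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the `name` query parameter is concatenated into markup as-is.
function renderGreetingUnsafe(query) {
  const name = new URLSearchParams(query).get("name") ?? "";
  return `<pre>Hello ${name}</pre>`;
}

// Hardened: same template, value encoded at the point of output.
function renderGreetingSafe(query) {
  const name = new URLSearchParams(query).get("name") ?? "";
  return `<pre>Hello ${escapeHtml(name)}</pre>`;
}

// Stored case: encode on every render, regardless of what was saved earlier.
function renderCommentsSafe(rows) {
  return rows
    .map((r) => `<div>Name: ${escapeHtml(r.name)}<br>Message: ${escapeHtml(r.message)}</div>`)
    .join("\n");
}

// Defence in depth against script execution and cookie theft if encoding is missed.
function hardenedResponse(query, sessionId) {
  return {
    headers: {
      "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
      "Set-Cookie": `sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax`,
    },
    body: renderGreetingSafe(query),
  };
}

// Constructed sample input: the URL-encoded form of a harmless alert test string.
const SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const SAMPLE_ROWS = [{ name: "test", message: "<script>alert(1)</script>" }];

console.log(renderGreetingUnsafe(SAMPLE_QUERY)); // script tag reaches the page intact
console.log(renderGreetingSafe(SAMPLE_QUERY));   // same value shown as inert text
console.log(renderCommentsSafe(SAMPLE_ROWS));
console.log(hardenedResponse(SAMPLE_QUERY, "constructed-session-id").headers);
```

The encoder covers HTML text and quoted attribute values only; values placed inside a script block, a URL or a style need the encoding for that context.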
