Friday, 2 March 2012

Cross Site Scripting (XSS) Explained and Complete Website Defacement Tutorial.

Cross Site Scripting (XSS) is a vulnerability found in websites which allows a malicious attacker/cracker to inject client-side scripts into web pages. By exploiting this vulnerability an attacker can deface a website, carry out redirection attacks, and steal session cookies.
There are two types of XSS vulnerability found in web applications.
1. Non-persistent
2. Persistent



# Non-persistent
The non-persistent type of XSS vulnerability is the most common one. Non-persistent XSS happens when an attacker sends a malicious HTML query and the server side immediately uses that query to generate the page result.


# Persistent
The persistent type of XSS vulnerability is a dangerous kind of vulnerability. It happens when an attacker sends a malicious HTML query and the server immediately saves that query and permanently displays it on the normal pages.


In this tutorial I'm going to show you how to deface an XSS-vulnerable site via a non-persistent XSS vulnerability.
In order to find sites vulnerable to XSS, use Google dorks. The most common Google dork used by attackers to exploit the XSS vulnerability is:
inurl:search.php?q=
After googling the dork, select any website, and check if it can be exploited.


How to find if the website is XSS vulnerable or not.
Example Website:
www.website.com/search.php?q=
Open the website and you will find a search box. In that search box type this code:
<script>alert("XSS Detected !!")</script>
And click on search. If the site is vulnerable, you will get a JavaScript alert box saying "XSS Detected"; if you got that, you can move forward to deface the website.
Now if you just want to display a simple message like "H4CK3D", enter the HTML code below and click on search.
<h1><center><b>H4CK3D</b></center></h1>
*You can edit the above code to change the text color, font, etc. if you have some knowledge of HTML.
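
Why the test above succeeds, and the server-side fix, as an added example (not code from this post or from any real site): a hypothetical search.php handler reduced to two functions, one that writes q into the page unencoded and one that HTML-encodes it, run over constructed sample queries. The function names and the header set are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical search.php logic, reduced to pure functions so it runs from the CLI.

// Vulnerable: q is concatenated into the response unencoded, so markup in the
// query string becomes markup in the page.
function render_results_vulnerable(string $q): string
{
    return '<p>Results for: ' . $q . '</p>';
}

// Hardened: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes " and ', ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_results_hardened(string $q): string
{
    return '<p>Results for: '
        . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Second layer (assumed policy): with this CSP the browser refuses inline
// scripts and images from other origins even if an encoding call is missed.
function defensive_headers(): array
{
    return [
        'Content-Type: text/html; charset=UTF-8',
        "Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample queries: one ordinary search and two markup-bearing ones.
$samples = [
    'blue widgets',
    '<script>alert("XSS Detected !!")</script>',
    '<h1>H4CK3D</h1>',
];

foreach ($samples as $q) {
    $bad  = render_results_vulnerable($q);
    $good = render_results_hardened($q);
    // The template itself contributes exactly two "<" (<p> and </p>);
    // any more means input was interpreted as markup.
    printf("query: %s\n", $q);
    printf("  unencoded: %d '<' from input\n", substr_count($bad, '<') - 2);
    printf("  encoded:   %d '<' from input -> %s\n", substr_count($good, '<') - 2, $good);
}
echo implode("\n", defensive_headers()), "\n";
```

In a real handler each entry of defensive_headers() would be sent with header() before any output; the CSP limits scripts and images but does not replace the encoding step.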


How to deface.
In order to deface the website, take a screenshot of your deface page and upload it to any free image hosting website. After uploading, note the image URL.
Go to the search box and type the following code:
<center><image src="your deface image URL here"></center>
And click on search. Yeah! We are done, your deface image is there on the website. #Mission Accomplished #Website Defacement Successful.


#Wait for the next Website Defacement tutorial using Persistent XSS vulnerability, for permanent deface.


Having problems? Mention them in your comments to get the solution.

1 comment:

  1. So lucky to come across your excellent blog. Your blog brings me a great deal of fun. Good luck with the site.