Tuesday 18 March 2014

Well Known Hacks II: XSS (Client-side Examples)

As promised previously, in this post I am going to give some XSS attack examples. I will present 2 simple examples with actual JavaScript code that you can try in your browser. The examples were done using Google Chrome or Chromium (the open-source version of Google Chrome on Linux). If you have another browser such as Firefox or Opera you can still try these examples, as I am quite sure they have their own JavaScript debuggers (for example, an extension named Firebug enables you to debug JavaScript in Firefox).

First Example: Changing the background of Facebook!



Change your Facebook background with these 4 easy steps:

1) If using Chrome, right-click on an empty spot on the page and then click 'Inspect Element' (alternatively, you can press Ctrl+Shift+J). In other browsers the procedure is quite similar.

2) From the available tabs, select the 'Console' tab.
3) Paste the following JavaScript code into the console:

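// getElementsByTagName returns a collection; the page's <body> is its first item
var imgdiv = document.getElementsByTagName("body");
// Ask for an image URL; the second argument is the default shown in the dialog
var bg = prompt("Enter image URL:", "http://static.freepik.com/free-photo/abstract-seamless-floral-pattern-background_50-15060.jpg");
// Use the entered URL as the page background and keep it fixed while scrolling
imgdiv[0].style.backgroundImage = "url(" + bg + ")";
imgdiv[0].style.backgroundAttachment = "fixed";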


4) At this point you can either enter the URL of your own image on the web OR just press Enter.

Second Example: Changing Google logo!
This example is quite similar. Open the JavaScript console and paste the following code into it. Once it asks for the image URL you can enter the URL of your own image (OR just press Enter if you would really like to see my name on your Google home page! :D).

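// Ask for an image URL; the second argument is the default shown in the dialog
var bg = prompt("Enter image URL: ", "https://lh5.googleusercontent.com/-55mfElJWy1w/Ux6GrxX8u-I/AAAAAAAAAow/KXQy3DtaEBI/w323-h110-no/Behnam.gif");

// Replace the background image of the element with id "hplogo" (the logo)
document.getElementById("hplogo").style.backgroundImage = "url(" + bg + ")";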
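
Both snippets above put whatever is typed into the prompt straight into a CSS url(...) value. The following is an added example, not code from the original post: the same background change, but with the input parsed and restricted to http/https first. The names safeCssUrl and setBackground are made up for this example.

```javascript
// Added example: validate the prompt input before using it in a CSS url() value.
// safeCssUrl and setBackground are hypothetical names, not from the original post.

function safeCssUrl(input) {
  if (typeof input !== "string") return null;   // prompt() returns null on Cancel
  let parsed;
  try {
    parsed = new URL(input.trim());             // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // Only allow web image locations; rejects javascript:, data:, file:, etc.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // The parser has already percent-encoded most of the URL; also encode the two
  // characters that are special inside a double-quoted CSS string.
  const href = parsed.href.replace(/\\/g, "%5C").replace(/"/g, "%22");
  return 'url("' + href + '")';
}

function setBackground(element, input) {
  const value = safeCssUrl(input);
  if (value === null) return false;             // leave the page unchanged
  element.style.backgroundImage = value;
  return true;
}

// Runs only in a browser console; skipped where there is no page or prompt.
if (typeof document !== "undefined" && typeof prompt === "function") {
  const ok = setBackground(document.body, prompt("Enter image URL:", ""));
  if (ok) document.body.style.backgroundAttachment = "fixed";
  else console.log("Rejected: not an http(s) URL");
}
```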


