# Hackmyfortress - Hacking Training Center - En/Fr

80.6K views

## XSS Fault

Cross-site scripting (abbreviated as XSS) is a type of security flaw in websites that allows you to inject content into a page, inject a script into the URL of the target page or into a field .

### How to detect it?

You now arrive on your target's web page, the flaw is found in all forms (search engine, comment systems, guest book chat, try them all!) Provided the HTML is interpreted. To check if HTML is enabled or disabled in a form field you can perform several tests first of all insert basic HTML into the field:

<b>Test</b>


If the search engine (for example) says this: No results found for the term "Test" is that the XSS fault is there, if it displays this: / B> "there is no flaw look elsewhere on the site or go your way.

There are several types of xss fault,

### The fault xss ephemere

Let's imagine that I have a field that leads me to choose a country.

Once you have selected a country, here "English", the URL changes, you get something like this:

http://localhost/vulnerabilities/xss_d/?default=English

What to understand is that "English" is a variable, that can have it edit! If in the URL I change "English" to "Franglais" and I validate, hop I find myself with "Franglais" in the field.

If you replace "English" with a small script: 3! For example :

When I validate this URL a warning box aparait with "Ah!" Of posted! On the basis of this observation, one can easily imagine the full range of possibilities offered by the exploitation of this fault:

• Redirection of page (phishing for example)
• Keylogging,
• ...

### Permanent xss fault

It is very common to find a space dedicated to comments on the internet, a place where you can leave a trace, if this space is not properly protected it is simple to drag code: 3

My comment will be "I'm a trol", and whenever the page is loaded, a dialog will appear with inside "I'm a big trol".