Thursday, September 23, 2010

XSS attack to steal account information.

Anything mentioned here is meant only for 'White-Hat' hackers (in case you don't know, they are security testers and ethical guys) and meant only for learning purposes (which I am sure many won't follow :P ).
This is my first tute on hacking (getting bored in office at late hours). So let's assume you are a kiddie, use gmail/facebook/orkut and would LOVE to hack your pal's account. But let me tell you, hacking is not like Windows but Linux. There is no "Click here to hack" button!! So forgive me for that inconvenience, though this tute requires some basic understanding of programming (blah blah blah) languages.

XSS - Cross Site Scripting in a nutshell is a type of attack which uses an input-validation flaw to execute scripts in the victim's browser (do I need to know these? NO!). So say if I find something like http://www.facebook.com/blah-blah?url= and can get to my-evil-site directly by modifying this link to http://www.facebook.com/blah-blah?url=http://evil.com , WhOoOoooOooOaaaaa! Jackpot! (though such things are difficult to find and immediately fixed when posted on the net!). Now, I will host my-evil-website on some free website domain which has javascript and php support, make a javascript that catches the cookie of facebook or make a php script that writes that cookie down to a text file in my website domain. I can also run a javascript keylogger (google 'xss javascript keylogger'), though after stealing the cookie/authentication-info, it's a trivial exercise (but not simple!) to duplicate the user's session.
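To make the redirect-parameter flaw concrete from the defender's side, here is an added example (my own illustration, not code from the original post or from any of the sites it names): a small Node.js redirect handler in its vulnerable form next to a hardened one, plus the cookie attributes that keep a session cookie out of reach of page scripts. The function names, the `example.test` host and the sample requests are all constructed for this illustration.

```javascript
// Added example, not code from the original post. Runs under Node.js (uses the
// global URL class). Function names, the example.test host and the sample
// requests below are constructed for illustration.

// Escape the five characters that let untrusted text break out of HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A redirect target is accepted only if it is a path on this site: it must start
// with a single "/" (not "//" or "/\", which browsers treat as a new host) and
// must not contain CR/LF, which would allow injection into a Location header.
function isSafeRedirect(target) {
  return /^\/(?![\/\\])[^\r\n]*$/.test(target);
}

// VULNERABLE: the ?url= parameter is used verbatim as the redirect target and is
// also reflected into the page unescaped. This is the ?url= pattern the post
// describes: any host, and any markup, goes straight through.
function handleRedirectVulnerable(requestUrl) {
  const url = new URL(requestUrl).searchParams.get('url') || '/';
  return {
    status: 302,
    location: url,
    body: `<p>Redirecting to ${url}</p>`,
  };
}

// HARDENED: only same-site paths are accepted as a target, and anything
// reflected into the page is HTML-escaped first.
function handleRedirectHardened(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get('url') || '/';
  if (!isSafeRedirect(raw)) {
    return {
      status: 400,
      location: null,
      body: `<p>Refusing to redirect to ${escapeHtml(raw)}</p>`,
    };
  }
  return {
    status: 302,
    location: raw,
    body: `<p>Redirecting to ${escapeHtml(raw)}</p>`,
  };
}

// The session cookie the post talks about stealing: with HttpOnly set, script in
// the page cannot read it through document.cookie. This limits cookie theft
// specifically; it does not stop every action a script could take in the
// session, so it complements output escaping rather than replacing it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample requests: a benign same-site target, and one that names an
// external host and carries a script tag in the parameter.
const SAMPLE_OK = 'https://example.test/redirect?url=/inbox';
const SAMPLE_BAD = 'https://example.test/redirect?url=http://evil.example/<script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const req of [SAMPLE_OK, SAMPLE_BAD]) {
    console.log('vulnerable:', handleRedirectVulnerable(req));
    console.log('hardened:  ', handleRedirectHardened(req));
  }
  console.log(sessionCookieHeader('abc123'));
}
```

Running the file shows the vulnerable handler happily emitting a 302 to the external host with the raw tag in its body, while the hardened handler answers 400 with the same input rendered inert as `&lt;script&gt;`. The allow-list check on the target is the part that actually closes the "?url=" hole the post describes; escaping and the cookie flags reduce what an attacker gets out of any reflection that slips through.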

Is it simple? Yes. But if you aren't willing to put in the work, do the research, or read more on the topic, you won't be able to pull it off on your own. For now, I will only advise: don't click on things like "You have won $10000, click here to redeem" :D

Feel free to leave comments and/or ask something.