Cross Site Scripting (XSS)

-

What is XSS ? 

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. 

XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a user. 

Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application gets input from a user within the output it generates without validating or encoding it. 

An attacker use this XSS vulnerability to send a malicious script to an unsuspecting user.
The user’s browser has no way to know that the script should not be trusted, and will execute the script. 

Because it thinks the script came from a trusted source, so the malicious script can access any cookies, session tokens, or other sensitive data retained by the browser and used with that website. These scripts can even rewrite the content of the HTML page.
Ex - document.body.innerHTML = "";

Types of XSS :


Reflected XSS (AKA Non-Persistent or Type I)

This occurs when user input is immediately returned by a website in an error message, search result, or any other response.


Stored XSS (AKA Persistent or Type II)

This occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. This is one of the common website defacement attacks.


DOM Based XSS (AKA Type-0)

This is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).


How to prevent XSS Attacks ?


Sanitizing user input. 

Try this XSS Game to practice various methods Xss Payloads :

https://xss-game.appspot.com

Comments

Post a Comment

Popular posts from this blog

Exploring the Marvels of Bing AI Image Generator

-
Image
 f artificial intelligence stands at the forefront, revolutionizing various aspects of our lives. One such groundbreaking advancement is the Bing AI Image Generator, an incredible tool that merges the power of AI with creativity to produce stunning visual content. Unveiling the Bing AI Image Generator Bing, the popular search engine powered by Microsoft, has been at the forefront of integrating AI into its services to enhance user experience. The Bing AI Image Generator is a testament to this commitment, offering users a platform to unleash their creativity like never before. How Does It Work? At its core, the Bing AI Image Generator utilizes advanced deep learning algorithms to understand and analyze images. By leveraging state-of-the-art techniques such as neural networks and machine learning, the tool can generate new images based on the input provided by users. Example: Prompt:  A futuristic glass business card with the Facebook logo and the name "Dimuth De Zoysa" and the
Read more

XSSploit: The Ultimate XSS Vulnerability Detection Tool

-
Image
XSSploit: Your Comprehensive Guide to XSS Testing Introduction In today's interconnected digital world, web applications play a pivotal role in our daily lives. From online shopping and banking to social media and productivity tools, we rely on these applications to carry out a multitude of tasks. However, this increasing reliance on web applications also makes them attractive targets for malicious actors seeking to exploit vulnerabilities. One such vulnerability is Cross-Site Scripting, commonly known as XSS. Cross-Site Scripting attacks occur when an attacker injects malicious scripts into web pages viewed by other users. These scripts can steal sensitive information, manipulate web content, or even take control of a user's session. Detecting and mitigating XSS vulnerabilities is critical for web security, and that's where XSSploit comes into play. Disclaimer ⚠️ Before we proceed, it's essential to emphasize that XSSploit is intended for educatio
Read more