Cross-site scripting, also known as XSS, is one of the most common web application vulnerabilities and is widespread across cyberspace. Cross-site scripting (XSS) allows an attacker to run his own client-side script (mainly JavaScript) in the web pages viewed by other users. It comes into the picture when some of the input fields on a website (like a search box or comment box) execute the input as commands instead of reading it as text. In a typical XSS attack, the attacker injects malicious JavaScript code into the website, and when a user visits the injected page, the malicious JavaScript code is executed.
[Figure: typical XSS attack diagram]

Suppose an attacker has found an XSS vulnerability in PayPal and injects a malicious script. When the victim opens the injected web page, the attacker can redirect the victim to a fake PayPal login page (a phishing website). He can also hijack the victim's session and get full access to anybody's PayPal account using these attacks.

Cross site scripting Attack (XSS Attack)

1. Finding the vulnerability 
Attackers use search engines to find XSS vulnerabilities in websites; they simply use Google dorks like “inurl:.php?q=” (it's just one simple dork example, you can make your own dork too!) to find the XSS vulnerability.
2. Testing for the vulnerability
Now we have some links (we already got them using the Google dork) and we have to test them for the cross-site scripting vulnerability. Type `<script>alert("HFS")</script>` into the search box and search for it; if our alert command gets executed, the website is vulnerable to cross-site scripting.
[Figure: XSS vulnerability]

Types of XSS

There are two types of cross-site scripting (XSS): reflected XSS and stored XSS.

1. XSS Reflected
Reflected XSS, or non-persistent XSS, occurs when the web page just executes the JavaScript code in the browser. As in the test above, the web page executes the alert command submitted through the search box.
2. XSS Stored
Stored XSS, or persistent XSS, occurs when the web page saves the malicious JavaScript in its database; most of the time it is the comment fields that are vulnerable to stored XSS. When an attacker injects his malicious JavaScript in the comment box, the malicious JavaScript is saved in the server's database, and when the victim opens the injected web page, the malicious JavaScript is executed. Using this kind of attack, the attacker can redirect the user to a phishing website or hijack the victims' sessions.
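
Both types above come from the same flaw: user input is written into the page as markup. The following is an added example, not code from the original article (function names and sample data are constructed); it shows a vulnerable search page beside an output-encoded version, and the same encoding applied to stored comments.

```javascript
// Added example. All function names and sample data are constructed for illustration.

// Encode the characters that let text break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable (reflected case): the q parameter is concatenated into the page as markup.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same page, with q encoded at output time.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Stored case: comments come back from the database, possibly saved long ago,
// so they are encoded every time they are rendered, not only when submitted.
function renderCommentsSafe(comments) {
  const items = comments.map(
    (c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Check a test suite can run on rendered output: is there a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the article's test string and a harmless comment.
const probe = '<script>alert("HFS")</script>';
const storedComments = [
  { author: "alice", text: "Nice post & thanks" },
  { author: "mallory", text: probe },
];

console.log(renderSearchUnsafe(probe));          // script tag reaches the browser as markup
console.log(renderSearchSafe(probe));            // shown to the user as plain text
console.log(renderCommentsSafe(storedComments)); // stored input is also shown as text
```

This encoding covers HTML text and quoted attribute values only; input placed inside a script block, a URL, or a style needs the encoding specific to that context.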
The information provided in this article is for interest and educational purposes only. If you have any questions about the XSS attack, feel free to ask!
