What is cross-site scripting?
XSS is a vulnerability that allows an attacker to inject javascript code into a page. so javascript is a programing language and using this vulnerability an attacker would be able to execute a code written in javascript into a website it is a client-side language so when the code is executed it will be executed on the user but not on the server
Types of XSS vulnerability:
- persistent/stored XSS
- Reflected XSS
- DOM-based XSS
The stored XSS will be stored in the database. So the code you injected will be stored into the database or into the page so every time any user visits that page the code will be executed
Reflected XSS will be executed only when the target user runs a specific URL written by you
The DOM-based this code will be interpreted and run on the client-side without interacting with the webserver these are dangerous because web servers apply some sort of security and filtration to check XSS
Discovering XSS
so let's discuss how to discover these vulnerabilities. Very similar to SQL injection, the way to do this is to browse through your target and try to inject any URL that looks similar to this
HTTP://tatget.com/page.php?somthing=something
whenever you see a URL with parameters, try to inject these parameters
Preventing XSS vulnerability
The way these vulnerabilities happen is because whenever a user enters something into a parameter that input is displayed into the HTML so it's treated as part of the page together if there is javascript in it then the code is executed. To prevent this exploit the best thing is to do try and minimize the usage of untrusted inputs and you can inspect the web page and change anything that you feel suspicious
0 Comments