Skip to main content

Ethical Hacking - Cross-Site Scripting

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash, but the most used XSS is malicious JavaScript.
These attacks also can gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising and create DoS attacks.

Example

Let’s take an example to understand how it works. We have a vulnerable webpage that we got by the metasploitable machine. Now we will test the field that is highlighted in red arrow for XSS.
Metasploitable
First of all, we make a simple alert script
<script>  
   alert(‘I am Vulnerable’)  
</script>
It will produce the following output −
Simple Alert

Types of XSS Attacks

XSS attacks are often divided into three types −
  • Persistent XSS, where the malicious string originates from the website's database.
  • Reflected XSS, where the malicious string originates from the victim's request.
  • DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
Generally, cross-site scripting is found by vulnerability scanners so that you don’t have to do all the manual job by putting a JavaScript on it like
<script>  
   alert('XSS') 
</script>
Burp Suite and acunetix are considered as the best vulnerability scanners.

Quick Tip

To prevent XSS attacks, keep the following points in mind −
  • Check and validate all the form fields like hidden forms, headers, cookies, query strings.
  • Implement a stringent security policy. Set character limitation in the input fields.
Labels:

Comments

Post a Comment

Popular posts from this blog

IMPORTANCE AND ADVANTAGES OF SIWES

STUDENTS INDUSTRIAL WORK EXPERIENCE SCHEME (SIWES) The Industrial Training/Students Industrial Work Experience Scheme, IT/SIWES is a new Directorate under the Vice-Chancellor’s Office.  It was established on 20th April, 2012 The Students Industrial Work Experience Scheme (SIWES) is a skills training programme designed to expose and prepare students of universities and other tertiary institutions for the Industrial Work situation they are likely to meet after graduation.  It is also a planned and structured programme based on stated and specific career objectives which are geared towards developing the occupational competencies of participants (Mafe, 2009).  Consequently, the SIWES programme is a compulsory graduation requirement for all Nigerian university students offering certain courses. The Students Industrial Work Experience Scheme (SIWES), is the accepted training pro...
1 comment
Read more

Hack Instagram Account with ighack

Ighack is a secure Instagram account hacking application that allows you to hack Instagram password free. The best part of the application is that it does not require any survey or download. It is available free on the internet. I addition to being free to use, this app is compatible with every device. The application has a reputation of being authentic and untraceable. Let us look into the procedure needed to follow for hacking Instagram passwords. Step 1: Visit the website ighack.net and click on ‘Start Hack’ option. Step 2: Enter the user name of the target’s Instagram account when the system asks you to do so and click the ‘Hack’ button. Step 3: Allow the application to do the rest. The ighack server establishes contact with Instagram server and searches for the password in the Instagram database by matching the username ID. Step 4: On extraction of the data, the installed software program automatically decrypts the data. Step 5: The system delivers the password to...
1 comment
Read more

How to Crack a Password

What is Password Cracking? Password cracking is the process of attempting to gain Unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it’s an art of obtaining the correct password that gives access to a system protected by an authentication method. Password cracking employs a number of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against word list or use algorithms to generate passwords that match In this Tutorial, we will introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks. Topics covered in this tutorial What is password strength? Password cracking techniques Password Cracking Tools Password Cracking Counter Measures Hacking Assignment: Hack Now! What is password strength? Password strength is the measure of a password’s efficiency to resist password crackin...
Post a Comment
Read more