Cross Site Scripting XSS
Text to Voice
#Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
#Types of xss
#Stored XSS
The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks involves an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database). The classic example of stored XSS is a malicious script inserted by an attacker in a comment field on a blog or in a forum post.
When a victim navigates to the affected web page in a browser, the XSS payload will be served as part of the web page (just like a legitimate comment would). This means that victims will inadvertently end-up executing the malicious script once the page is viewed in a browser.
#Reflected XSS
The second, and by far most common type of XSS is Reflected XSS. In Reflected XSS, the attacker’s payload script has to be part of the request which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request. Using Phishing emails and other social engineering techniques, the attacker lures the victim to inadvertently make a request to the server which contains the XSS payload and ends-up executing the script that gets reflected and executed inside the browser. Since Reflected XSS isn’t a persistent attack, the attacker needs to deliver the payload to each victim – social networks are often conveniently used for the dissemination of Reflected XSS attacks.
#DOM-based XSS
DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
The most dangerous part of DOM-based XSS is that the attack is often a client-side attack, and the attacker’s payload is never sent to the server. This makes it even more difficult to detect for Web Application Firewalls (WAFs) and security engineers analyzing the server’s logs since they will never even see the attack.
Among various objects that make up the DOM, there are some objects in particular which an attacker can manipulate in order to generate the XSS condition. Such objects include the URL (document.URL), the part of the URL behind the hash (location.hash) and the Referrer (document.referrer).
MAKE SURE to subscribe to all of Lone's Youtube Channel
https://www.youtube.com/channel/UCd6sn7OgL3kZISuioGvv64w
Follow Lone Ranger on social media to get constant updates, new content, special quotes, contest information, product information, up to date information and MUCH MORE!
https://www.facebook.com/L0n3.Rang3r
https://www.facebook.com/StreetSmartBlackHatHacker/
https://twitter.com/lon3_rang3r
https://lonerangerweb.wordpress.com/blog
https://www.instagram.com/l0n3_rang3r/
https://github.com/Lone-Ranger
https://www.linkedin.com/in/lone-Ranger
Disclaimer: These are the views and opinions of Lone Ranger. Lone Ranger is not liable for any interpretation of the messages conveyed in the videos. These videos are for entertainment and educational purposes only and should be viewed and used in this facet only.
2017-03-07 03:31:58
source
Gloss