What an attacker can do with this vulnerability
- Session Hijacking
- Stealing confidential data and identity
- Website Defacement
- Website Redirection
- Bypassing restrictions on websites
Working Of XSS
Types of XSS
Stored XSS: This is also known as a persistent attack. Here the malicious code gets stored in the website’s database, and whoever visits the website is affected, i.e. the malicious code is automatically executed in the victim’s session.
DOM Based: The vulnerability is in the server-side code rather than the client-side code. For this, one has to have access to the server-side code.
Let’s see some scenarios
The text field accepts HTML <> tags, so we entered a malicious script into it, and it was executed.
Did you see what happened? The website is vulnerable to XSS, and what we get is the Session ID; one can extract information from it.
- User input should be filtered for any malicious commands
- Use HttpOnly flags
- Never insert untrusted data except in allowed locations.
- HTML escape before inserting untrusted data into HTML element content.
- URL Encoding
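The escaping, URL-encoding and HttpOnly items in the list above, shown side by side with an unescaped "before" version. This is an added example using Python's standard library, not code from the original article; the function names, the cookie name `SESSIONID` and the sample input are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed sample input: a text-field value that contains HTML tags.
SAMPLE_COMMENT = "<script>alert(1)</script>"


def render_comment_unsafe(comment: str) -> str:
    """The 'before': untrusted text concatenated straight into element content."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """HTML-escape untrusted text before placing it in HTML element content."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_search_link(term: str) -> str:
    """URL-encode the query value, then HTML-escape the whole attribute value."""
    url = "/search?q=" + quote(term, safe="")
    return '<a href="' + html.escape(url, quote=True) + '">search again</a>'


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value with HttpOnly so page scripts cannot read it."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    # Assumption beyond the article's list: also restrict the cookie to HTTPS.
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))   # tags reach the browser intact
    print(render_comment_safe(SAMPLE_COMMENT))     # tags arrive as inert text
    print(render_search_link(SAMPLE_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

HttpOnly does not stop the script from running; it only keeps the session cookie out of reach of `document.cookie`, so it belongs alongside output encoding rather than in place of it.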
In any organization, Penetration Testing / Security Testing is an important part of the SDLC.
OWASP Top 10 and SANS 25 are the common testing methodologies. In the recent past, we have seen that many famous websites have been found vulnerable to XSS. So Web Penetration Testing is the method of testing a website from a hacker’s perspective and patching any vulnerability before it can be exploited.
Codec Networks has an intensive lab environment where students gain practical knowledge of current security attacks and threat scenarios: a well-built simulated lab where students can perform practicals under the supervision of experienced trainers who work in the cyber security domain. The whole concept is to provide practical knowledge along with conceptual clarity in Cyber Security, which is useful from a career perspective in an organization as well as for security enthusiasts and entrepreneurs. At the end of the training, students will have a good understanding of and hands-on experience in Cyber Security to compete with the most experienced cyber security professionals in the Indian industry.