Cross Site Scripting

XSS is one of the most common web application vulnerabilities in ethical hacking, ranked at 3 in the OWASP Top 10. It is a client-side attack that allows an attacker to run JavaScript code in vulnerable web pages. It happens when an application does not properly validate its data: it accepts untrusted data and sends it to the browser.

What an attacker can do with this vulnerability

  • Session hijacking
  • Stealing confidential data and identity
  • Website defacement
  • Website redirection
  • Bypassing restrictions on websites

Working Of XSS

Types of XSS

Stored XSS: This is also known as a persistent attack. Here the malicious code gets stored in the website’s database, and whoever visits the website is affected, i.e. the malicious code is automatically executed in the victim’s session.

Reflected: This is non-persistent XSS. It is not stored in the database. A link containing the malicious code is crafted and sent to the victim. If the victim clicks the link, the JavaScript is executed and information such as session cookies can be stolen.

DOM Based: The vulnerability is in the server-side code rather than the client-side code. For this, one has to have access to the server-side code.

Let’s see some scenarios

The text field accepts HTML <> tags, so we tried a malicious script in it, and it got executed.

Did you see what happened? The website is vulnerable to XSS, and what we get is the session ID; one can extract information from it.

XSS Preventions

  1. User input should be filtered to remove any malicious commands
  2. Use HttpOnly flags
  3. Never insert untrusted data except in allowed locations.
  4. HTML escape before inserting untrusted data into HTML element content.
  5. URL Encoding
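
The following is an added example, not code from the original article, showing prevention items 2, 4 and 5 as JavaScript that runs under Node.js. A comment rendered without escaping sits beside the escaped version; all function names, the SESSIONID cookie name and the sample inputs are assumptions made for illustration.

```javascript
// Added example; every function and cookie name here is hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Item 4: HTML-escape untrusted data before it goes into element content.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted text is concatenated straight into the markup.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Hardened: same markup, with the untrusted part escaped first.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Item 5: URL-encode the untrusted query value, then HTML-escape the URL
// because it is placed inside an HTML attribute. encodeURIComponent leaves
// the apostrophe alone, so the second step is still needed.
function renderSearchLink(term) {
  const url = '/search?q=' + encodeURIComponent(term);
  return '<a href="' + escapeHtml(url) + '">Search again</a>';
}

// Item 2: HttpOnly keeps page scripts from reading the cookie through
// document.cookie. Secure is an extra attribute not listed on the page.
function sessionCookieHeader(sessionId) {
  return 'Set-Cookie: SESSIONID=' + encodeURIComponent(sessionId) +
    '; HttpOnly; Secure; Path=/';
}

// Constructed sample inputs.
const sampleComment = '<script>alert(1)</script>';
console.log(renderCommentUnsafe(sampleComment)); // tag reaches the browser intact
console.log(renderCommentSafe(sampleComment));   // tag is shown as text
console.log(renderSearchLink("it's <b>"));
console.log(sessionCookieHeader('abc123'));
```
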

In any organization, penetration testing/security testing is an important part of the SDLC.

OWASP Top 10 and SANS 25 are the common testing methodologies. In the recent past, we have seen that many famous websites have been found vulnerable to XSS. So web penetration testing is the method of testing the website from a hacker’s perspective and patching up any vulnerability before it can be exploited.

Codec Networks has an intensive, well-built simulated lab environment where students gain practical knowledge of current security attacks and threat scenarios and can perform practicals under the supervision of experienced trainers who work in the cyber security domain. The whole concept is to provide practical knowledge along with conceptual clarity in cyber security, which is useful from a career perspective in an organization as well as for security enthusiasts and entrepreneurs. At the end of the training, students will have a good understanding of and hands-on experience in cyber security to compete with the most experienced cyber security professionals in the Indian industry.

About

Codec Networks provides IT training from EC Council CEH, ECSA, LPT, CHFI, Network Security, Penetration Testing, ISACA, ISC2, PECB ISO 27001LA LI, Cisco Networking CCNA CCNP, Linux Administration RHCE, Prog Languages JAVA, Advanced Java, Android development. We also offer B2B Industry Solutions and Services in IT | Information | Cyber Security in Delhi NCR India.
