alternative
  • Home (current)
  • About
  • Tutorial
    Technologies
    C#
    Deep Learning
    Statistics for AIML
    Natural Language Processing
    Machine Learning
    SQL -Structured Query Language
    Python
    Ethical Hacking
    Placement Preparation
    Quantitative Aptitude
    View All Tutorial
  • Quiz
    C#
    SQL -Structured Query Language
    Quantitative Aptitude
    Java
    View All Quiz Course
  • Q & A
    C#
    Quantitative Aptitude
    Java
    View All Q & A course
  • Programs
  • Articles
    Identity And Access Management
    Artificial Intelligence & Machine Learning Project
    How to publish your local website on github pages with a custom domain name?
    How to download and install Xampp on Window Operating System ?
    How To Download And Install MySql Workbench
    How to install Pycharm ?
    How to install Python ?
    How to download and install Visual Studio IDE taking an example of C# (C Sharp)
    View All Post
  • Tools
    Program Compiler
    Sql Compiler
    Replace Multiple Text
    Meta Data From Multiple Url
  • Contact
  • User
    Login
    Register

Ethical Hacking - Ethical Hacking Phases - Cross Site Scripting Tutorial

Cross Site Scripting or XSS allow code injection attack, that allow  hacker to execute malicious javascript in another user web browser.

In cross site scripting  attack, the attacker gains the ability to see private user IDs, Password, credit card information and many more informations.

Cookie Stealing and Session Overriding is an example of Cross Site Scripting

There are three type of XSS Vulnerabilties

  • Non-Persistent

  • Persistent

  • Dom-based

 

 

 

  • Non-Persistent

Is also known as Type 1 or reflected XSS, malicious code is executed by the victim’s browser, and the payload is not stored anywhere; instead, it is returned as part of the response HTML that the server sends. Therefore, the victim is being tricked into sending malicious code to the vulnerable web application, which is then reflected back to the victim’s browser where the XSS payload executes.

  • Persistent

A Type 2 or Persistent XSS attack is possible when a website or web application stores user input and later serves it to other users. An application is vulnerable if it does not validate user input before storing content and embedding it into HTML response pages. Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use. The payload is automatically served to users who browse web pages and executed in their context. Thus, the victims do not need to click on a malicious link to run the payload (as in the case of Non-Persistent XSS). All they have to do is visit a vulnerable web page.

This could lead to cookie stealing and session overriding or even allow access to the client operating system.

  • Dom-based

It is Document Object Model based,in which the piece of Javascript , access a URL request parameter and use this information to write some html to its own page.

When a client-side script is executed, it can use the DOM of the HTML page where the script runs. The script can access various properties of the page and change their values.

 

Cross Site Scripting Attack can be used for:

  • Impersonate or masquerade as the victim user.

  • Carry out any action that the user is able to perform.

  • Read any data that the user is able to access.

  • Capture the user's login credentials.

  • Perform virtual defacement of the web site.

  • Inject trojan functionality into the web site.

How to avoid Cross Site Scripting Attacks

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

  • Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.

  • Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.

  • Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.

  • Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

 

Other Vulnerabilities

  1. Cross – zone Scripting

  2. Http Header injection

  3. Http response Splitting

  4. Cross –site request forgery (CSRF/XSRF)

Ethical Hacking

Ethical Hacking

  • Introduction
  • Overview
    • Information Technology
    • Ethical Hacking
    • Types Of Hacker
    • Phase Of Hacking
  • Environmental Setup
    • Download Virtual Box
    • Install Kali Linux OS in Virtual Box
    • Resize Kali Linux To Full Screen
  • Ethical Hacking Phases
    • Common Technique to Gather Information
    • Reconnaisance / Footprinting
    • Fingerprinting
    • Sniffing
    • ARP Poisioning
    • SQL Injection
    • Cross Site Scripting
    • Social Engineering
    • Denial of service Attack
    • Session Hijacking

About Fresherbell

Best learning portal that provides you great learning experience of various technologies with modern compilation tools and technique

Important Links

Don't hesitate to give us a call or send us a contact form message

Terms & Conditions
Privacy Policy
Contact Us

Social Media

© Untitled. All rights reserved. Demo Images: Unsplash. Design: HTML5 UP.