Learn Web Hacking 2.00 XSS intro

in #hack7 years ago

Hi everyone,

In this article, I want to talk about Cross-site scripting attacks. This attack is ranked 7 in the OWASP top ten and it's define as such.

XSS.png

A7: Cross-site scripting (XSS)
XSS happens when the user can send untrustred data to the web application without the page validating the data or escaping unsafe characters.

When a website doesn't validate or filters the data you send, you can execute JavaScript code in the victim's browser. The risks are that you can steal cookies, deface a web site, take control of an account and even spread a worm (famous Samy's worm that exploited Myspace https://samy.pl/myspace/).


XSS is mostly define as three types.

Reflected XSS
The malicious code is executed and sent back to the user with an URL or a search bar for example.

Stored XSS
The malicious code is injected on the website in a comment box or username field for example. Every time a user go and see the malicious comment, the code is executed.

DOM XSS
This time, the malicious code is interpreted by the DOM environment.

This is a brief overview of XSS as this subject can go very large. In the next article I will show you how to set-up the environment to test and learn about XSS.


The information provided on hacking is to be used for educational purpose only. The creator is in no way responsible for any misuse of the information provided. All the information provided is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word "Hacking" should be regarded as "Ethical hacking". You implement the information given at your own risk

@pierlave