Cross Site Scripting (XSS)

Cross-Site Scripting (also known as XSS) is one of the most common attacks on the application layer of a web app. XSS enables attackers to inject client-side scripts into web pages viewed by other users, effectively executing these scripts in the context of someone else's browser. The effects range from petty nuisance to serious security risks, depending on the data available in the browser for the given site/domain.

  • Reflected (non-persistent): e.g. a query parameter displayed without sanitization. An example of exploitation is a URL containing such a malicious parameter, which is then executed in the browser of whoever clicks the link.
  • Persistent: data stored on the server and displayed to a multitude of users. A typical example is a message board.
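
The two variants above, shown side by side with and without output escaping, as an added example that is not part of the original page. All function names, the `shop.example` URL and the probe string are constructed for illustration; the escaping shown assumes the value lands in HTML element content or a quoted attribute. Runs in Node.js.

```javascript
// Added example; every name and sample input here is constructed.

// Escape the characters that let text break out of HTML element content
// or a quoted attribute value. One pass, so '&' is never double-escaped.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected: the "q" query parameter is echoed straight into the response.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`;
}

// Same page, but the parameter is escaped at the point of output.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Persistent: a message is stored once, then rendered for every visitor.
const board = [];
function storeMessage(author, body) {
  board.push({ author, body });
}

function renderBoardVulnerable() {
  return board.map((m) => `<li><b>${m.author}</b>: ${m.body}</li>`).join('');
}

// Escape every stored field when rendering, not only when storing:
// old or imported rows may never have passed through input checks.
function renderBoardSafe() {
  return board
    .map((m) => `<li><b>${escapeHtml(m.author)}</b>: ${escapeHtml(m.body)}</li>`)
    .join('');
}

// Constructed probe: a harmless marker that shows whether markup survives.
const probe = '<script>alert(1)</script>';
const link = 'https://shop.example/search?q=' + encodeURIComponent(probe);
storeMessage('guest', probe);

console.log(renderSearchVulnerable(link)); // markup reaches the page intact
console.log(renderSearchSafe(link));       // markup arrives as inert text
console.log(renderBoardSafe());
```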

Examples:

Tips

Test everything: all input fields are potential candidates. Use a proxy (submit positive values, then tamper with them on the proxy) and provide unexpected values (i.e. think about what malicious code is expected, and come up with something innovative).

Test your skills

  • JSFuck, showing JS obfuscation, using only 6 characters to write any kind of code.
  • A few examples of potentially malicious code
  • XSS Cheat Sheet, showing all kinds of malicious snippets that might enable a malicious attacker to exploit XSS vulnerabilities.
