What is XSS (Cross Site Scripting)? – A Detailed Understanding of the Types of XSS

XSS is a very commonly exploited and widespread vulnerability type that is easily detectable, and it is one of the important vulnerabilities in the OWASP Top 10.

What is XSS (Cross Site Scripting)? An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site. XSS is classified into three types.

  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS

In Reflected XSS, an attacker sends the victim a link to the target application through email, social media, etc. This link has a script embedded within it which executes when visiting the target site.

In Stored XSS, the attacker is able to plant a persistent script in the target website which will execute when anyone visits it.

With DOM-Based XSS, no HTTP request is required: the script is injected by modifying the DOM of the target site in the client-side code in the victim’s browser, and is then executed.

Understanding XSS – Cross Site Scripting

http://test.gbhackers.com/search?q=gbhackers

Searched for <strong>gbhackers</strong>

<script>alert(document.cookie)</script>

Imagine we have a URL like this one and search for gbhackers; the page reflects the query back in the browser. We trust the domain and we trust the search page itself, but the untrusted part is gbhackers, the query string sent by the browser. The attacker can change that value to anything they like, for example <script>alert(document.cookie)</script>. This is just a simple payload that pops up an alert on the web page. If the script instead requested a page on the attacker's website and passed document.cookie as a parameter, the attacker could gather all the cookies for the site. If they obtain authentication cookies, they can simply hijack user sessions.

Potential risks about Cross Site Scripting

The attacker can compromise or take over the victim’s user account in the application. They could retrieve data from the target web application, modify content on the target page, redirect the victim to another malicious or spoof site, or use it as a platform to install other malware on the victim’s system.

The consequences of any of the above can seriously impact your ability to conduct business, your customers, and your organization’s reputation.

Defenses against Cross Site Scripting

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encode for the output context (JavaScript/attribute/HTML/CSS).
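The checklist above applied to the article's search page, as an added example that is not code from the original page. The function names, the allow-list pattern and the extra input field are assumptions made for illustration.

```javascript
// Added example: the article's search page rendered without and with output encoding.

// Characters that can change HTML structure in element content or a quoted attribute.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for the HTML body / quoted-attribute context.
// Apply it at output time to every untrusted value, including values read back from the database.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Does it adhere to expected patterns?" Assumed policy for a search term:
// 1-64 letters, digits, underscores, spaces or hyphens.
function matchesExpectedPattern(query) {
  return typeof query === 'string' && /^[\w \-]{1,64}$/.test(query);
}

// Extract the untrusted part of the request: the q parameter of the URL.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable: reflects the untrusted query straight into the markup.
function renderSearchUnsafe(query) {
  return `Searched for <strong>${query}</strong>`;
}

// Hardened: the same value is encoded before it reaches the element content
// and the quoted attribute value.
function renderSearchSafe(query) {
  const q = encodeHtml(query);
  return `Searched for <strong>${q}</strong> <input name="q" value="${q}">`;
}

// Constructed sample requests, using the URL and payload shown in the article.
const BENIGN_URL = 'http://test.gbhackers.com/search?q=gbhackers';
const PAYLOAD_URL = 'http://test.gbhackers.com/search?q=' +
  encodeURIComponent('<script>alert(document.cookie)</script>');

for (const url of [BENIGN_URL, PAYLOAD_URL]) {
  const q = queryFromUrl(url);
  console.log('expected pattern:', matchesExpectedPattern(q));
  console.log('unsafe:', renderSearchUnsafe(q));
  console.log('safe:  ', renderSearchSafe(q));
}
```

The pattern check rejects unexpected input early, but the encoding step is what keeps the reflected value inert, so it is applied even to values that pass validation.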


Guru Baran
