
    Background Concept About Cross-Site Scripting (XSS) With Examples

    Now we are going to talk about cross-site scripting (XSS). XSS vulnerabilities are among the most widespread web application vulnerabilities on the internet.

    Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

    XSS is a client-side injection attack in which an attacker can execute malicious scripts in a legitimate website or web application. By leveraging cross-site scripting, an attacker does not target the victim directly; instead, the attacker exploits a vulnerability within a web application or website that the victim would visit, essentially using the vulnerable website as a vehicle to deliver the malicious script to the victim's browser. Basically, we use a website to deliver our payload to the victim: when the victim visits it, the payload is executed and does our job. The payload can be malicious, or it can be something simple.

    Let's talk about impact of XSS

    1) Cookie theft
    2) Keylogging
    3) Phishing
    4) URL Redirection

    Cross-site scripting can be used for URL redirection, cookie stealing, keylogging, phishing, etc.

    So, in order to run malicious JavaScript in a victim's browser, an attacker must first find a way to inject a payload into a web page that the victim visits.

    For exploitation, the attacker can use social engineering, such as email or clickjacking, to manipulate the user into executing the payload.

    Let's talk about the types of XSS...

    Cross-site scripting is mainly divided into three types:

    1) Reflected XSS
    2) Stored XSS
    3) DOM-based XSS

    Reflected XSS or Stored XSS

    It is the most common type of cross-site scripting. The attacker's payload script has to be part of the request that is sent to the website, and it is reflected back in such a way that the HTTP response includes the payload.

    So, basically, reflected cross-site scripting requires client-side interaction: when the user visits the vulnerable web page, the server delivers our payload to the user's browser. The server does not store the payload; we deliver it to the client's browser, and when the client visits the page it becomes a client-side attack.
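
    The reflection described above, shown as the vulnerable output step next to its encoded form. This is an added example, not code from the original post; the handler names, the `q` parameter, the `app.example` host and the inert marker value are all assumptions made for illustration.

```javascript
// Added example with constructed names; not code from the original post.
// Characters that change meaning in HTML text and in quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reads the raw parameter from the request URL, as a server framework would.
function queryFromUrl(requestUrl) {
  return new URL(requestUrl, "http://app.example").searchParams.get("q") ?? "";
}

// Vulnerable: the value is concatenated into the response unchanged, so any
// markup in it becomes part of the page that the visitor's browser parses.
function renderSearchUnsafe(query) {
  return `<h2>searched for: ${query}</h2><input name="q" value="${query}">`;
}

// Hardened: the same two output positions, encoded at the point of output.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h2>searched for: ${q}</h2><input name="q" value="${q}">`;
}

// Constructed request carrying an inert marker built from the characters
// that matter in both output positions.
const SAMPLE_REQUEST = "/search?q=" + encodeURIComponent(`"><u>probe</u>&'`);

function searchDemo() {
  const query = queryFromUrl(SAMPLE_REQUEST);
  return { query, unsafe: renderSearchUnsafe(query), safe: renderSearchSafe(query) };
}

console.log(searchDemo());
```

    In the unsafe output the marker closes the `value` attribute and adds its own element; in the safe output the same bytes arrive as visible text.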

    DOM Based XSS :-

    It is an advanced type of cross-site scripting attack, made possible when the web application's client-side script writes user-provided data into the Document Object Model (DOM). The most dangerous part of this attack is that it happens on the client side.

    The attacker's payload is never sent to the server, which makes it harder for web application firewalls and security engineers to detect.
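
    Why the server side never sees this class of input, and what the fix looks like in the page script. This is an added example, not code from the original post; the URL, the function names and the plain object standing in for a DOM element are assumptions.

```javascript
// Added example with constructed names; not code from the original post.
// What the server (and a WAF or access log in front of it) receives for a URL:
// the browser sends the path and query string, never the part after '#'.
function serverVisiblePart(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Source: user-controlled data that the page script reads from the fragment.
function nameFromFragment(href) {
  return decodeURIComponent(new URL(href).hash.slice(1));
}

// Vulnerable sink: in a browser, innerHTML parses the string as markup.
function greetUnsafe(el, href) {
  el.innerHTML = "Welcome, " + nameFromFragment(href);
}

// Hardened sink: textContent keeps the string as plain text; nothing is parsed.
function greetSafe(el, href) {
  el.textContent = "Welcome, " + nameFromFragment(href);
}

// Constructed URL with an inert marker in the fragment.
const SAMPLE_HREF = "https://app.example/welcome.html?lang=en#" +
                    encodeURIComponent("<u>probe</u>");

// Plain objects stand in for DOM elements so the flow runs outside a browser.
function fragmentDemo() {
  const unsafeEl = { innerHTML: "", textContent: "" };
  const safeEl = { innerHTML: "", textContent: "" };
  greetUnsafe(unsafeEl, SAMPLE_HREF);
  greetSafe(safeEl, SAMPLE_HREF);
  return { server: serverVisiblePart(SAMPLE_HREF), unsafeEl, safeEl };
}

console.log(fragmentDemo());
```

    Because the marker never appears in `server`, review of the client-side code for source-to-sink flows like `greetUnsafe` is where this class of bug gets caught.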

    So let's take examples of reflected, stored and DOM-based XSS in practice.

    This is the website testphp.vulnweb.com

    So we type something in the search box, like Hello or HackingTruth.in, and hit the go button...

    So it is reflected but not stored; it is not storing the input.
    So there may be reflected cross-site scripting.

    Now let's click on the signup option (you can try this with a login-based application) and give any text, like kumaratuljaiswal.in


    If I give any parameter, like hello,

    and it just executes in the user's context, not on the server side in the server application, then there may be DOM-based XSS...

    Example:

    This is not sent to the server; it executes in our own context. If I give any payload there and it executes, then this is called DOM-based scripting.

    See this:

    So it executes only in the user's script, not on the server side.

    How to Hunt for XSS?

    • Find an input parameter and give any input there. If the input is not sanitized and it is reflected or stored anywhere, there may be XSS.
    • Try to execute any JavaScript code there. If you succeed in executing any JavaScript, then there is XSS.
    • Exploitation of XSS.

    You find an input parameter, then give input there. If your input is reflected or stored anywhere, there may be cross-site scripting.
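
    The first check in the list above, written as a regression test you can run over your own application's response bodies. This is an added example, not code from the original post; the marker strings, function names and both sample pages are constructed for illustration, and the context detection is deliberately rough.

```javascript
// Added example with constructed names and pages; not code from the original post.
const START = "zq7s", END = "zq7e";             // unique markers around the test characters
const SPECIALS = ["<", ">", '"', "'"];
const PROBE = START + SPECIALS.join("") + END;  // value to submit in the parameter

// Rough output position of a reflection, judged from the markup before it.
function contextAt(body, index) {
  const before = body.slice(0, index).toLowerCase();
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "attribute";
  return "html-text";
}

// Every place the probe came back, with the characters that were left unencoded.
function findReflections(body) {
  const findings = [];
  for (let i = body.indexOf(START); i !== -1; i = body.indexOf(START, i + 1)) {
    const from = i + START.length;
    const to = body.indexOf(END, from);
    if (to === -1 || to - from > 64) continue;  // marker pair was broken up
    const middle = body.slice(from, to);
    const raw = SPECIALS.filter((ch) => middle.includes(ch));
    findings.push({ context: contextAt(body, i), raw });
  }
  return findings;
}

// A reflection needs an encoding fix when a character that can end its
// context survived: '<' in text, a quote in an attribute, anything in script.
function needsFix({ context, raw }) {
  if (context === "html-text") return raw.includes("<");
  if (context === "attribute") return raw.includes('"') || raw.includes("'");
  return raw.length > 0;
}

// Constructed response bodies for the same page, before and after output encoding.
const BODY_BEFORE = `<h2>searched for: ${PROBE}</h2><input name="q" value="${PROBE}">`;
const BODY_AFTER = `<h2>searched for: zq7s&lt;&gt;&quot;&#39;zq7e</h2>` +
                   `<input name="q" value="zq7s&lt;&gt;&quot;&#39;zq7e">`;

function reflectionReport(body) {
  return findReflections(body).map((f) => `${f.context}:${needsFix(f) ? "FIX" : "ok"}`);
}

console.log(reflectionReport(BODY_BEFORE), reflectionReport(BODY_AFTER));
```

    An empty report means the value was not reflected on that page; for stored input, run the same check against the pages where the value is later displayed.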


    I hope the background concept of cross-site scripting is now clear :-)


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

    - Hacking Truth by Kumar Atul Jaiswal


    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

