What is Cross-Site Scripting?
Cross-Site Scripting (XSS) is a type of vulnerability commonly found in web applications. In an XSS attack, a malicious actor injects scripts, typically JavaScript, into web pages on the client side. These scripts can then execute in the context of the victim’s browser, allowing the attacker to steal session tokens or log keystrokes.
What are the types of XSS Attacks?
There are three main types of XSS attacks:
- Reflected XSS: The injected script is reflected back to the web browser.
- Stored XSS: The injected payload is stored on the target server, such as in a database, and then served to other users who access the affected web page.
- DOM-Based XSS: This vulnerability exists in the client-side code and the server-side code. The malicious script is injected into the DOM (Document Object Model) and executed when certain client-side conditions are met.
Impact of XSS
The impact of XSS generally depends on the severity of the vulnerability that exists on the website:
1. Attackers can steal sensitive information such as login credentials, session cookies, personal data, and other confidential information stored in cookies or within the web application.
2. By stealing session cookies or login credentials through XSS attacks, attackers can gain unauthorized access to user accounts.
3. XSS attacks are used to deface websites by injecting malicious scripts that modify the appearance or content of web pages.
4. Attackers can use XSS to modify data displayed on web pages, leading to data corruption, falsification, or manipulation of user input.
PortSwigger Labs walkthrough
- Reflected XSS into HTML context with nothing encoded
Solution:
1. I notice that there is a search box. Let’s try to test it.
2. I will try hello and you can see it is reflected in the page source.
3. There is no filter, so try our payload <script>alert(1)</script>
Lab solved
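The root cause behind this lab, shown from the defender's side as an added example (not part of the original walkthrough and not PortSwigger's lab code): a search page that reflects the term with nothing encoded, next to the same page with output encoding, plus a small regression check. The function names and the results-heading markup are hypothetical.

```javascript
// Added example: hypothetical search-page renderers, not the lab's real code.

// Vulnerable: the search term is concatenated into HTML with nothing encoded,
// which is the behaviour the lab title describes.
function renderSearchVulnerable(term) {
  return "<h1>0 search results for '" + term + "'</h1>";
}

// Characters that can change the parsing context in element content
// and in quoted attribute values, with their HTML entity encodings.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: same page, but the term is encoded at the point of output,
// so the browser treats it as text instead of markup.
function renderSearchSafe(term) {
  return "<h1>0 search results for '" + escapeHtml(term) + "'</h1>";
}

// Regression check: true when a probe containing HTML metacharacters
// survives into the response byte-for-byte, i.e. it is reflected unencoded.
function reflectsUnencoded(render, probe) {
  return /[&<>"']/.test(probe) && render(probe).includes(probe);
}

// Constructed inputs: the benign string and the payload from the walkthrough.
const benign = "hello";
const payload = "<script>alert(1)</script>";

console.log(renderSearchSafe(benign));
console.log(renderSearchVulnerable(payload));
console.log(renderSearchSafe(payload));
console.log(reflectsUnencoded(renderSearchVulnerable, payload));
console.log(reflectsUnencoded(renderSearchSafe, payload));
```

The encoder covers HTML element content and quoted attributes only; values placed inside a script block, a URL, or CSS need the encoding for that context.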