Cross Site Scripting (XSS)

Hello everyone!
Today we are going to cover some basics of a common vulnerability found in web applications.
Because of it, a user (the attacker) can inject a client-side script into a web page.
Interesting? Then carry on reading.

But what is cross-site scripting (XSS)?
XSS is an attack technique that allows (or rather, I should say, "forces") a web site to display malicious code, which is then executed in a user's web browser.
The intended victim of the attack is a user, not the server. The server is just a host, while the malicious code is executed in that user's (the victim's) web browser.
The attacker uses the server only as a means to perform the attack.
So, what is the exploit code for this kind of attack?
Generally, the code is written in JavaScript (JavaScript malware?), or it could simply be HTML, executed in the user's web browser. (These two are the most commonly used.)
Let us now try to understand this with an example:
Suppose http://xss_vulnerable.com/ is a site vulnerable to XSS attacks.
An attacker first needs to identify and locate this vulnerability. After that, he can perform many acts, including:
  • Account hijacking
  • Cookie stealing
  • Intranet hacking
  • History stealing
  • even keystroke recording, and much more
The basic idea is to make the web server display back the input provided. So, one of the most common vectors for this is a search box.
Here, let me show you a quick example I wrote for this little article:
A simple search box for providing user input and then displaying the results accordingly


Now, what if we replace our input with JavaScript/HTML code?
Let's try injecting a simple alert box:

And the end result is…

By looking at the source code of the page

we can clearly see that our input was injected into the web page and executed a harmless alert dialog box.
An attacker can now perform much more advanced XSS attacks to exploit users (cookie stealing, etc.) and spread that link.
Most users fall for this attack as the URL contains the REAL web site domain name.
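
The search-box behaviour described above, as an added example that is not the post's own code: a page that echoes the query unchanged, next to one that HTML-encodes it at the point of output. The function names and markup are assumptions, and the sample inputs are constructed.

```javascript
// Added example. renderPage, escapeHtml and the markup are assumptions,
// not the code behind the original post's screenshots.

// The five characters that can change meaning in HTML text or quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the search page: the query is echoed in the input's value attribute
// and in the results line. `encode` decides how the query is written out.
function renderPage(query, encode) {
  const q = encode(query);
  return '<form action="/search"><input name="q" value="' + q + '"></form>\n' +
         "<p>Search results for: " + q + "</p>";
}

// Vulnerable: user input reaches the page byte for byte.
function renderVulnerable(query) {
  return renderPage(query, (s) => String(s));
}

// Hardened: input is HTML-encoded at the point of output.
function renderSafe(query) {
  return renderPage(query, escapeHtml);
}

// Review/test helper: true when input containing markup characters
// comes back in the response unencoded.
function reflectsUnencoded(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed sample inputs: a normal search and the alert-box test string.
const SAMPLES = ["hot tech tips", "<script>alert('XSS')</script>"];

for (const input of SAMPLES) {
  console.log("input:     ", input);
  console.log("vulnerable:", reflectsUnencoded(renderVulnerable(input), input) ? "reflected raw" : "ok");
  console.log("hardened:  ", reflectsUnencoded(renderSafe(input), input) ? "reflected raw" : "ok");
  console.log(renderSafe(input) + "\n");
}
```

With the encoded version, the browser shows the typed text as text, and viewing the page source shows `&lt;script&gt;` instead of a live script tag.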
So, these were some basics of cross-site scripting (XSS) attacks. I hope you all enjoyed this small post.
Stay tuned for more posts on the various XSS categories (non-persistent, persistent and DOM-based), preventing XSS attacks, etc.

DISCLAIMER

The information provided on hottechtips.blogspot.com is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information in this website is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word “Hack” or “Hacking” on hottechtips.blogspot.com should be regarded as “Ethical Hack” or “Ethical hacking” respectively. You implement the information given at your own risk.