Here i am posting some usefull information
XSS:
Cross Site Scripting (abbrivated as XSS) is a web application vulnerability that allows attackers to execute external JavaScript and VBScript code on a web application. By taking the advantage of this, attacker can cause a web page to execute a malicious code on any user's browser. Most popular use of this attack is cookie stealing that can cause session hijacking. The malicious code could provide a hacker with full Read/Write access to browser cookies, browser history files, or even permit the download/installation of malware.
How to find XSS in a website?
XSS is performed as a form of user input. If a website does not filter and sanitize user input properly. To test a website, we will take each place in a website that accepts user input (such as search forms, login forms, profile forms etc.) Now enter the following codes one by one and see whether it shows a pop up box saying* 'XSS' or not
XSS Payloads:
1. <script>alert('U r hacked')</script>
2. <script>alert(/U r hacked/)</script>
3. “><script>alert(/U r hacked/)</script>
4. “>><script>alert(/U r hacked/)</script>
5. '></style><script>alert(/U r hacked/)</script>
6. '></script><script>alert(/U r hacked/)</script>
7. <b onmouseover=alert('u r hacked')>click me!</b>
8. <img src=”0” onerror=alert(document.cookie);>
If you are successful in getting a pop-up, you have found a XSS vulnerable website.
Types of XSS:
1. Non-persistent or Reflected XSS:
Non-persistent XSS is a most common type of XSS. In which injection codes are are reflected off the browser. Websites's search form is the example of this. When we search *in a website. Website shows the search results with the query. If we inject a code in place of query, it will execute the query where it has to display the query in the search results page.
2. Persistent or Stored XSS Attacks:
Persistent or Stored attacks are those where the injection code is permanently stored in the website's database. The page that shows the database information will execute the stored code
3. DOM based XSS or type-0 XSS:
DOM based XSS or type-0 XSS is an attack in which attack payload is executed as a result of modifying the DOM of a website. In this the page remains the same but malicious injection is executed by modifying the dom.
XSS:
Cross Site Scripting (abbrivated as XSS) is a web application vulnerability that allows attackers to execute external JavaScript and VBScript code on a web application. By taking the advantage of this, attacker can cause a web page to execute a malicious code on any user's browser. Most popular use of this attack is cookie stealing that can cause session hijacking. The malicious code could provide a hacker with full Read/Write access to browser cookies, browser history files, or even permit the download/installation of malware.
How to find XSS in a website?
XSS is performed as a form of user input. If a website does not filter and sanitize user input properly. To test a website, we will take each place in a website that accepts user input (such as search forms, login forms, profile forms etc.) Now enter the following codes one by one and see whether it shows a pop up box saying* 'XSS' or not
XSS Payloads:
1. <script>alert('U r hacked')</script>
2. <script>alert(/U r hacked/)</script>
3. “><script>alert(/U r hacked/)</script>
4. “>><script>alert(/U r hacked/)</script>
5. '></style><script>alert(/U r hacked/)</script>
6. '></script><script>alert(/U r hacked/)</script>
7. <b onmouseover=alert('u r hacked')>click me!</b>
8. <img src=”0” onerror=alert(document.cookie);>
If you are successful in getting a pop-up, you have found a XSS vulnerable website.
Types of XSS:
1. Non-persistent or Reflected XSS:
Non-persistent XSS is a most common type of XSS. In which injection codes are are reflected off the browser. Websites's search form is the example of this. When we search *in a website. Website shows the search results with the query. If we inject a code in place of query, it will execute the query where it has to display the query in the search results page.
2. Persistent or Stored XSS Attacks:
Persistent or Stored attacks are those where the injection code is permanently stored in the website's database. The page that shows the database information will execute the stored code
3. DOM based XSS or type-0 XSS:
DOM based XSS or type-0 XSS is an attack in which attack payload is executed as a result of modifying the DOM of a website. In this the page remains the same but malicious injection is executed by modifying the dom.
0 comments:
Post a Comment