Cross site scripting which is commonly known as XSS, is a very simple vulnerability found in Web Applications, XSS allows the attacker to RUN a malicious code on the website. Here I am sharing the complete guide to XSS cross site scripting. There are few types of XSS attacks, I will write about the major 3 of them. XSS vulnerability allows attacker to inject some code into the web apps affected in order to bypass security access to the website or to trap the user’s info and cookie stealing. This technique can be used for many purposes like cookie stealing, website hacking, user’s manipulation and many more things attacker can play with it.
Complete Guide to XSS Cross Site Scripting
There are major 3 types of XSS cross site scripting, commonly named as:
- Non-persistent XSS attack
- Persistent XSS attack
- DOM-based XSS attack
Non-Persistent XSS Attack
The non-persistent XSS are actually the most commons vulnerabilities that can be found on the internet used for hacking. It’s commonly named as “non-persistent” because it works on an immediate HTTP response from the victim website. It show up when the web page get the data provided by the attacker’s client to automatically generate a result page for the attackers himself. Standing on this the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.
The most common applying of this kind of vulnerability in search box of website, the attacker writes some arbitrary HTML code in the search search box and, if the website is vulnerable, the result page will return the result of these HTML entities.
Persistant XSS Attack
The persistent XSS vulnerabilities are similar to the non-persistent XSS, because both works on a victim site and tries to steal user’s information. There’s the only difference in both of them, is that websites vulnerable to Persistent XSS the attacker doesn’t need to provide the crafted URL to the users, because the website itself permits to users to enter fixed data into the system like comment boxes. Usually the users uses that kind of tool to leave messages to the owner of the website and at a first look it doesn’t seems something dangerous, but if an attacker discover that the system is vulnerable can insert some malicious code in his message and let ALL visitors to be victim of that.
This works when the technique works when the system that we used for this attack doesn’t do any check on the content of the inserted message: it just inserts the data provided from the user into the result page.
DOM-Based XSS Attack
The DOM-Based Cross-Site Scripting allow to an attacker to work not on a victim website but on a victim local machine: the various operative system usually includes “since born” some HTML pages created for differents aims, but as long as the humans do mistakes this HTML pages often can be exploited due to code vulnerabilities.
The DOM-Based XSS exploits these problems on users local machines in this way:
– The attacker creates a well built malicious website
– The ingenious user opens that site
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page execute that commands with the user’s privileges on that machine.
– The attacker easily gain control on the victim computer.
This is the only complete guide to XSS cross site scripting. This doesn’t comply to any sort of attack demonstration. You can follow XSS hacking methods and how to hack with XSS in this article.
Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.