What is Cross-Site Scripting (XSS)?
XSS is ranked among the top 3 web app vulnerabilities in OWASP.
It is basically the injection of scripts that run on the web, i.e. JavaScript (JS).
The scripts are called payloads. For example, alert(document.domain) or an inline script like <img src=x onerror = alert("XSS exists")>
What's the use of XSS?
Well, you could steal the cookies of other users. What are cookies? Cookies are small pieces of data sent by the server of the web application so that it knows you are an authenticated user.
Here is an example of the alert box of the executed JS code.
I injected an inline script that you see as a broken image. Now click on the image -->
Did your browser prompt an alert box?
Yes... the script was executed.
If you can execute the script you entered, you can inject your own JS into the web app and do anything with the user's account, like sending a friend request on Facebook or deleting an email. Basically you own the entire account of the user or your GIRLFRIEND's 👩😂.
How to exploit?
1. Inject the JS code into the input fields you find.
2. Replace the values of the parameters in the URL with the XSS payloads.
If you inject the payload and it gets executed, you will see an alert box prompted by your browser.
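The same injection seen from the server side, as an added example that is not part of the original post: a page that reflects a URL parameter as-is next to one that HTML-encodes it, run against the inline payload shown above, plus a session cookie marked HttpOnly so page scripts cannot read it. The function names, the "name" parameter and the cookie name are hypothetical.

```javascript
// Added example, not from the original post. All names are hypothetical.

// Characters that can change the parsing context in HTML element content
// and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the parameter value is concatenated into the markup unchanged,
// so any tags it contains are parsed by the browser.
function renderGreetingUnsafe(query) {
  const name = new URLSearchParams(query).get('name') ?? '';
  return `<p>Hello, ${name}</p>`;
}

// Hardened: same template, but the value is encoded for the HTML context,
// so the browser shows it as text.
function renderGreetingSafe(query) {
  const name = new URLSearchParams(query).get('name') ?? '';
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Rough regression check: does the output contain a tag with an inline
// event handler (onerror=, onclick=, ...)? A test aid, not a filter.
function hasInlineHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// HttpOnly keeps the session cookie out of document.cookie, which limits
// cookie theft if an injection is missed somewhere.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed input: the payload from this page, sent as a URL parameter.
const payload = '<img src=x onerror = alert("XSS exists")>';
const query = 'name=' + encodeURIComponent(payload);

console.log('unsafe:', renderGreetingUnsafe(query), hasInlineHandlerTag(renderGreetingUnsafe(query)));
console.log('safe:  ', renderGreetingSafe(query), hasInlineHandlerTag(renderGreetingSafe(query)));
console.log('cookie:', sessionCookieHeader('abc 123'));
```

Encoding has to match the output context: this helper covers element content and quoted attribute values, not values placed inside script blocks or URLs.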