More

    Cross Site Scripting Explained. HACK Websites with XSS attack!

    - Advertisement -

    Cross site scripting, If I tell you guys that one can hack websites with just HTML and javascript, will you believe that? But yes, one can use HTML and javascript to hack a website, which is possible through cross-site scripting attacks or, in short, XSS attacks. And in these attacks, javascript is commonly used.

    So what is an XSS attack?

    what is cross site scripting

    What is Cross Site Scripting / XSS?

    Cross-site scripting or XSS is a most common web vulnerability that allows hackers to inject malicious code into websites with just a web browser. One Real-life example is the XSS attack on the popular game Fortnite in 2019, allowing hackers to access all Fortnite users’ data.




    How Cross Site Scripting attack works?

    how cross site scripting works

    When we visit a website, we send a request to the website to access the requested data, and then the response is displayed in our web browser. In cross-site scripting attacks, attackers inject malicious code into the website. After that, according to the type of cross-site scripting attack performed, malicious code is sent to the victim or stored on the website. And then, when someone visits the website, that malicious script gets executed on the visitor’s device.

    In simple words, in a cross-site scripting, the attacker tries to find a place in the website where he can inject his malicious code to steal cookies, redirect visitors to a non-friendly site or steal confidential information or any other objectives.




    how xss attack works

    The most common location where attackers insert their malicious code on websites is search fields, input fields like the form of the website or comments section, or any page that displays user-supplied data.

    Types Of Cross Site Scripting Attacks

    So, according to where and how a hacker puts malicious code on websites, there are mainly three types of cross-site scripting attacks.

    • Reflected XSS attack
    • DOM-based XSS attack
    • Stored XSS attack
    - Advertisement -

    For practicing XSS attacks and other attacks: Easily Install bWAPP in Linux For Web Hacking!

    Reflected XSS attack

    In Reflected XSS, malicious code from a user request gets displayed to the user in the web browser, and that malicious code does not get stored on the website.

    A simple Reflected XSS attack scenario is that the attacker sends a malicious URL to the victim, the victim clicks on the link, and malicious code embedded in the URL gets executed.

    That malicious script steals the victim’s session cookies or confidential information and sends it back to the attacker. Since real attackers don’t use the alert function in their javascript code, the victim will not even realize that the attack has occurred.




    DOM-based XSS attack

    Next is a DOM-based XSS attack in which the attacker uses DOM, i.e., Document Object Model, to inject malicious code onto the website. A DOM-based XSS attack is another form of a Reflected XSS attack. Both of these attacks get triggered by sending a link with inputs that are reflected in the browser.

    The difference between DOM-based XSS attacks and reflected XSS is that, with DOM, the malicious code will never go to the server. The victim’s browser will process it after the original website is loaded.




    Now the third main type of XSS attack is

    Stored XSS attack

    As we saw in the reflected XSS attack and DOM-based XSS attack, the malicious code never gets stored on the website. But in a stored XSS attack, the malicious code gets stored on the web server, affecting everyone who visits that page or link. So stored XSS attack is the most dangerous as it affects everyone visiting that webpage or link.

    - Advertisement -

    For practical examples of these attacks, make sure to watch the video given below:

    - Advertisement -

    Recent Articles

    1 Comment

    Leave A Reply

    Please enter your comment!
    Please enter your name here