Ethical Hacking - Cross Site Scripting

Cross-Site Scripting

Cross-site scripting (XSS) is a code injection attack that lets an attacker execute malicious JavaScript in another user's browser.

The attacker exploits a vulnerability in a website the victim visits so that the website itself delivers the malicious JavaScript. To the victim the script appears to be a legitimate part of the website, and the website becomes an unwitting accomplice of the attacker. XSS attacks can be carried out using HTML, JavaScript, VBScript, ActiveX or Flash, but malicious JavaScript is by far the most common vehicle.


Through XSS the attacker can gather data, hijack accounts, change user settings, poison cookies, inject false advertising, and mount denial-of-service (DoS) attacks.

Example


For instance, take a vulnerable website served by a Metasploitable machine. The field highlighted with the red arrow is tested for XSS.

First, a simple alert script is used as the test payload:

               <script>
                  alert('I am Vulnerable');
               </script>

Types of XSS Attacks

XSS attacks are divided into three types −

  • Persistent XSS - where the malicious string originates from the website's database.
  • Reflected XSS - where the malicious string originates from the victim's request.
  • DOM-based XSS - where the vulnerability is in the client-side code rather than the server-side code.

Cross-site scripting is usually identified with vulnerability scanners, which avoid the manual work of typing a JavaScript payload such as the following into every input field and checking whether it executes:

           <script>
              alert('XSS')
           </script>

The best-known vulnerability scanners are Burp Suite and Acunetix.

Quick Tip

Some of the tips to prevent XSS attacks are −

  • All inputs, including form fields, hidden fields, headers, cookies and query strings, must be checked and validated.
  • Implement a stringent security policy, and set character limits on input fields.
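The following is an added example, not code from the original tutorial. It ties together the two sources named in the Types section (a persistent payload coming from the database and a reflected payload coming from the request) with the validation tips above, and adds output escaping, which is the standard complement to input validation. It simulates a tiny server-side page renderer in Node.js: the vulnerable renderer concatenates untrusted strings into HTML, the hardened renderer escapes them, and `validateInput` applies the length limit and character allow-list suggested in the Quick Tip. The request object, the database rows and the allow-list pattern are all constructed sample data chosen for the example.

```javascript
// Added example (not from the original tutorial): stored and reflected
// XSS sources rendered by a vulnerable and a hardened template, plus the
// input validation rules from the Quick Tip section.
// All request, database and page fragments below are constructed sample data.

// HTML-escape a string for insertion into element content or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Input validation: enforce a length limit and an allow-list of characters.
// The allow-list pattern is an assumption for this example; a real application
// would choose one per field. Returns { ok: true, value } or { ok: false, reason }.
function validateInput(value, { maxLength = 64, pattern = /^[\w .,!?@-]*$/ } = {}) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > maxLength) return { ok: false, reason: 'too long' };
  if (!pattern.test(value)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value };
}

// Constructed test payload, the same alert probe used on the page.
const PAYLOAD = "<script>alert('I am Vulnerable');</script>";

// Vulnerable rendering: untrusted strings are concatenated straight into HTML.
function renderVulnerable(searchTerm, comments) {
  const items = comments.map(c => '<li>' + c + '</li>').join('');
  return '<p>Results for: ' + searchTerm + '</p><ul>' + items + '</ul>';
}

// Hardened rendering: every untrusted string is escaped at output time.
function renderSafe(searchTerm, comments) {
  const items = comments.map(c => '<li>' + escapeHtml(c) + '</li>').join('');
  return '<p>Results for: ' + escapeHtml(searchTerm) + '</p><ul>' + items + '</ul>';
}

// Does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Simulated request (reflected source) and database rows (persistent source).
const request = { query: { q: PAYLOAD } };               // constructed
const database = { comments: ['Nice post!', PAYLOAD] };  // constructed

// Render both ways and report which outputs still carry the payload,
// and whether validation would have rejected it at input time.
function demo() {
  const vuln = renderVulnerable(request.query.q, database.comments);
  const safe = renderSafe(request.query.q, database.comments);
  return {
    vulnerableHasScript: containsScriptTag(vuln),
    safeHasScript: containsScriptTag(safe),
    payloadRejected: !validateInput(PAYLOAD).ok,
    normalAccepted: validateInput('Nice post!').ok,
  };
}

console.log(demo());
```

Validation alone is not enough: a value that legitimately contains `<` or `'` (a product name, a code snippet in a comment) has to be stored as typed and escaped when it is written into the page, which is why `renderSafe` escapes at output time regardless of what `validateInput` accepted.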