Ethical Hacking - Cross Site Scripting
Also by hijacking the accounts, changing user settings, and poisoning the cookie, false advertising and by creating Dos attacks, the attacker can gather data.
For instance, a vulnerable website which is got by metasploitable machine is taken. The field highlighted in red arrow for XSS is tested.
Initially a simple alert script is created
alert(‘I am Vulnerable’);
Types of XSS Attacks
XSS attacks are divided into three types −
- Persistent XSS - where the malicious string originates from the website's database.
- Reflected XSS - where the malicious string originates from the victim's request.
- DOM-based XSS - where the vulnerability is in the client-side code rather than the server-side code.
Usually cross-site scripting is identified by the vulnerability scanners enabling them to avoid
The best vulnerability scanners are Burp Suite and acunetix.
Some of the tips to prevent XSS attacks are −
- All the form fields like hidden forms, headers, cookies, query strings need to be checked and validated.
- A stringent security policy needs to be implemented. Set character limitation in the input fields.