Cross Site Scripting as its called :) is a form of web vulnerability solely relying on scripts and scripting languages e.g javascript, HTML5 e.t.c
Some examples of exploitation include:
- injecting a fake login form;
- retrieving legitimate users' cookies;
- injecting browser's exploits;
- getting users to perform an arbitrary action in the web application;
and tonnes more....
a simple XSS would look like such <script>alert(1);</script> when injecting on a html form... on a url it may be as such :
http://urvulnerablewebsite-app.domain/xss/example.php?name=<script>alert(1);</script>
how dangerous is this? well... here is a simple calculation ...
XSS in url encoded format is hardly noticable to any viewer(looks like a normall url)
the above link (leave the sex tape outta this) unlike the other one has less <script> tags and contains more of the url encoded while it simply loads on a webpage without any immediate effect till you hover your mouse on the page :) !!! and whats the worst that can happen owwww i donno maybe .... fake login page injection (social sites , online bank) retrive legitimate user cookies from your browser :) ... get you to perform arbitrary actions on the web app without your consent (well your knowing consent)
more about this attack can be found here where theres a cheat sheet OWASP XSS cheet sheet also on its evasion and even more on how to protect yourself ... PEACE... am out
more about this attack can be found here where theres a cheat sheet OWASP XSS cheet sheet also on its evasion and even more on how to protect yourself ... PEACE... am out
No comments:
Post a Comment