XSS - Cross Site Scripting

Penetrating testing with Yogesh and Abhinav

Cross-Site Scripting (XSS)
XSS Statistics and Impact
Types of XSS
- Stored XSS
- Reflected XSS
- DOM XSS
Practical Demo's

AGENDA

Why do you want to hack?

What is XSS?

"An XSS attack occurs when a script from an untrusted source is executed in rendering a page" [*]

http://appsandsecurity.blogspot.de/2012/11/is-xss-solved.html

XSS according to OWASP

"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites"

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

XSS Statistics

According to OWASP Top 10 2017, XSS is at #7

https://www.owasp.org/index.php/Top_10-2017_Top_10

Some STATISTICS about XSS

According to HackerOne --

Trustwave Global Security Report

How the malicious JavaScript is injected?

XSS Overview

The consequences of malicious JavaScript

XSS Attacks - Stored XSS

XSS Attacks - Reflected XSS

XSS Attacks - DOM-based XSS

Getting Bored ...

Example #1

Mission Objective

Inject a script to pop up a JavaScript alert() in the below URL

<script>alert("123")</script>

XSS Vector

https://xss-game.appspot.com/level1

Example #2

Mission Objective

Inject a script to pop up an alert() in the context of the application.

Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it.

https://xss-game.appspot.com/level2

Entering a <script> tag on this level will not work

Is XSS Possible?

Thank you

XSS

By Yogesh Sharma

XSS

1,434

Yogesh Sharma

yog3shsharma