XSS - Cross Site Scripting
Penetrating testing with Yogesh and Abhinav
- Cross-Site Scripting (XSS)
- XSS Statistics and Impact
- Types of XSS
- Stored XSS
- Reflected XSS
- DOM XSS
- Practical Demo's
AGENDA
Why do you want to hack?
What is XSS?
"An XSS attack occurs when a script from an untrusted source is executed in rendering a page" [*]
XSS according to OWASP
"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites"
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
XSS Statistics
According to OWASP Top 10 2017, XSS is at #7
Some STATISTICS about XSS
According to HackerOne --
Trustwave Global Security Report
-
How the malicious JavaScript is injected?
XSS Overview
-
The consequences of malicious JavaScript
XSS Attacks - Stored XSS
XSS Attacks - Reflected XSS
XSS Attacks - DOM-based XSS
Getting Bored ...
Example #1
Mission Objective
Inject a script to pop up a JavaScript alert() in the below URL
<script>alert("123")</script>
XSS Vector
Example #2
Mission Objective
Inject a script to pop up an alert() in the context of the application.
Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it.
Entering a <script> tag on this level will not work
Is XSS Possible?
Thank you
XSS
By Yogesh Sharma
XSS
- 1,453