XSS - Cross Site Scripting

Penetrating testing with Yogesh and Abhinav 

  • Cross-Site Scripting (XSS) 
  • XSS Statistics and Impact 
  • Types of XSS 
    • Stored XSS
    • Reflected XSS
    • DOM XSS 
  • Practical Demo's

AGENDA

Why do you want to hack?

What is XSS?



"An XSS attack occurs when a script from an untrusted source is executed in rendering a page" [*]

http://appsandsecurity.blogspot.de/2012/11/is-xss-solved.html

XSS according to OWASP



"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites"



https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


XSS Statistics

According to OWASP Top 10 2017, XSS is at #7

https://www.owasp.org/index.php/Top_10-2017_Top_10

Some STATISTICS about XSS

According to HackerOne --

Trustwave Global Security Report

  • How the malicious JavaScript is injected?​

XSS Overview

 

  • The consequences of malicious JavaScript

XSS Attacks - Stored XSS

XSS Attacks - Reflected XSS

XSS Attacks - DOM-based XSS

Getting Bored ...

Example #1

Mission Objective

Inject a script to pop up a JavaScript alert() in the below URL

<script>alert("123")</script>

XSS Vector

https://xss-game.appspot.com/level1

Example #2

Mission Objective

Inject a script to pop up an alert() in the context of the application.

Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it. 

https://xss-game.appspot.com/level2

Entering a <script> tag on this level will not work

Is XSS Possible?

Thank you

Made with Slides.com