Null Open Security

Community

 

Monthly-meetup

Title Text

Who Am I ?

 

Mohd Arif

 

Security enthusiast

VAPT

Free time bug bounty hunter

 

Twitter: @Zero0x00

 

Email: zero0x00@protonmail.com

 

Presentation: Cross site scripting

Text

What is XSS ?

  • Cross Site  Scripting                                                                
  • It is a Computer security vulnerability typically found in web applications.                                                                                
  • It is consider as one of the top 10 OWASP web-application vulnerability

XSS breif intro !

 

 

 

Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attackers get executed in the browser can steal users data, deface websites etc.

Impact of XSS

 

 

 

  • Cookie theft
  • Keylogging
  • Phishing
  • URL Redirection

Types of XSS

 

  • Reflected XSS
  • Stored XSS
  • Dom-based XSS

Reflected XSS

 

 

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request

Stored XSS

 

It Occurs in Places Where a Malicious User input Containing XSS Vector is stored or "saved". Thus It may (happens mostly..) cause Multiple User to be affected.

 

 

Dome-based XSS

 

DOM-based XSS attack, the malicious data does not touch the web server. Rather, it is being reflected by the JavaScript code, fully on the client side

How to hunt XSS

 

1.Find a input parameter & give any input

(if reflected or stored then it may have XSS bug)

 

2.Try to execute any java script there, if      executed then there is XSS.                      

 

3.Exploitation of XSS                                     

Time for practical session

 

practice over online XSS lab

 

 

  • http://testphp.vulnweb.com/
  • http://leettime.net/xsslab1/

 

Thank-You

AS

Any Question ??

Made with Slides.com