
Cross Site Scripting (XSS)

May 1, 2011

To date, 12 % of web security compromises have used the method of cross-site scripting. Cross-site scripting is abbreviated XSS; some people still write CSS, or call it HTML injection. It is a vulnerability that allows an attacker to send malicious code, which may take the form of JavaScript, VBScript, ActiveX, Flash or HTML, into a vulnerable application in order to fool a user: to gather data from them, steal session and cookie values, take over the account and impersonate the user, and even modify the content of the page presented to the user.

Because the browser cannot know whether the script should be trusted, it executes the script in the user's context, which lets the attacker access any cookies or session tokens the browser retains.

A few examples of XSS payloads

  • "><script >alert(document.cookie)</script>
  • %253cscript%253ealert(document.cookie)%253c/script%253e
  • "><s"%2b"cript>alert(document.cookie)</script>
  • "><ScRiPt>alert(document.cookie)</script>
  • "><<script>alert(document.cookie);//<</script>
  • foo%00<script>alert(document.cookie)</script>
  • <scr<script>ipt>alert(document.cookie)</scr</script>ipt>

Types of Cross site scripting (XSS)

  1. Non-persistent XSS or Reflected XSS
  2. Persistent XSS or Stored XSS
  3. DOM-based XSS

There are various other XSS variants as well. Since 12 % of all web hacking is done using XSS, we must be very careful about it; a small effort on our part can protect us from XSS.
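Rendering one page with and without output encoding, as an added example that is not part of the original post; the template, the rendering functions and the test inputs (built from the payloads listed above) are assumptions:

```javascript
// Added example, not from the original post; inputs below are constructed from the list above.

// Encode the characters that let text escape an HTML text node or a double-quoted
// attribute value. HTML-context encoding only; JavaScript or URL contexts differ.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query, URL-decoded once as a server framework would, is spliced
// unencoded into an attribute and a text node. This is the reflected XSS bug.
function renderUnsafe(rawQuery) {
  const q = decodeURIComponent(rawQuery);
  return `<input value="${q}"><p>Results for ${q}</p>`;
}

// Hardened: same template, but the value is encoded for the HTML context first.
function renderSafe(rawQuery) {
  const q = escapeHtml(decodeURIComponent(rawQuery));
  return `<input value="${q}"><p>Results for ${q}</p>`;
}

// Detection check: a script element (any letter case) that the template never emits.
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// For one raw query, report whether each rendering still carries a script element.
function evaluate(rawQuery) {
  return {
    unsafe: containsScriptTag(renderUnsafe(rawQuery)),
    safe: containsScriptTag(renderSafe(rawQuery)),
  };
}

// Constructed inputs: payloads 1 and 4 from the list above, URL-encoded as they would
// travel in a query string, and the double-encoded payload 2 verbatim. The last one
// decodes once to "%3cscript%3e" and stays inert unless some layer decodes it twice.
const PAYLOADS = [
  encodeURIComponent('"><script>alert(document.cookie)</script>'),
  encodeURIComponent('"><ScRiPt>alert(document.cookie)</script>'),
  '%253cscript%253ealert(document.cookie)%253c/script%253e',
];

for (const p of PAYLOADS) console.log(p, evaluate(p));
```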

For cheat sheets, refer to:

Hackers.org  http://ha.ckers.org/xss.html

Anautonomouszone.com http://anautonomouszone.com/blog/xss-cheat-sheet
