Ethical Hacking - Cross-Site Scripting
These attacks can also lead to account hijacking, changes to user settings, cookie theft/poisoning, or false advertising, and can create DoS attacks.
Let's take an example to understand how it works. We have a vulnerable webpage that we got from the Metasploitable machine. Now we will test the field that is highlighted with a red arrow for XSS.
First of all, we make a simple alert script −
<script> alert('I am Vulnerable') </script>
It will produce the following output −
Types of XSS Attacks
XSS attacks are often divided into three types −
Persistent XSS, where the malicious string originates from the website's database.
Reflected XSS, where the malicious string originates from the victim's request.
DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
<script> alert('XSS') </script>
Burp Suite and Acunetix are considered the best vulnerability scanners.
To prevent XSS attacks, keep the following points in mind −
Check and validate all the form fields, such as hidden forms, headers, cookies, and query strings.
Implement a stringent security policy. Set character limits on the input fields.
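The following is an added example, not code from the original tutorial, showing the two prevention points above as server-side checks: every input source (query string, cookie, header, hidden field) is validated against an allow-list and a character limit. The field names, rules and sample requests are hypothetical, and the output-encoding helper goes one step beyond the points listed on this page.

```javascript
// Added example: field names and rules below are hypothetical.
// One allow-list rule per input: where it comes from, max length, permitted pattern.
const RULES = {
  username: { source: "query",  max: 32, pattern: /^[A-Za-z0-9_.-]+$/ },
  session:  { source: "cookie", max: 64, pattern: /^[a-f0-9]+$/ },
  ref:      { source: "header", max: 16, pattern: /^[A-Za-z0-9]+$/ },
  step:     { source: "hidden", max: 2,  pattern: /^[0-9]+$/ },
};

// Validate every input source, not only the visible form fields.
// `request` is a constructed object: { query: {}, cookie: {}, header: {}, hidden: {} }.
function validateRequest(request) {
  const errors = [];
  const clean = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = (request[rule.source] || {})[name];
    if (typeof value !== "string" || value.length === 0) {
      errors.push(`${name}: missing`);
    } else if (value.length > rule.max) {
      errors.push(`${name}: longer than ${rule.max} characters`);
    } else if (!rule.pattern.test(value)) {
      errors.push(`${name}: contains characters outside the allow-list`);
    } else {
      clean[name] = value;
    }
  }
  return { ok: errors.length === 0, clean, errors };
}

// Encode the five HTML-significant characters before writing a value into a page.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample requests; the second carries the test string from this page.
const goodRequest = {
  query: { username: "alice_01" }, cookie: { session: "9f3c2a" },
  header: { ref: "home" }, hidden: { step: "2" },
};
const badRequest = {
  ...goodRequest,
  query: { username: "<script> alert('XSS') </script>" },
};

console.log(validateRequest(goodRequest).ok);
console.log(validateRequest(badRequest).errors);
console.log(escapeHtml(badRequest.query.username));
```

The test string is 31 characters long, so the 32-character limit alone does not reject it; the allow-list pattern does, which is why the two checks are applied together.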