What is Cross site scripting attack

What is Cross Site Scripting Attack XSS and CSRF Crucial Terms

Cyber Attacks Cyber Security
Spread the love

What is Cross Site Scripting Attack ? Malicious scripts is injected in the code (user provided inputs) of web applications ( website, website database)

Malicious scripts are executed in web browser of victim.

  • Attack by malicious code (payload) in legitimate web applications
  • It is JavaScript vulnerability in Web applications
  • Attacker can steal active session cookie

In short Cross site scripting is called as XSS.

Possible Consequences:

  • Keystrokes of user are captured
  • Redirecting user to malicious website
  • Can crash the browser
  • Getting cookie info who login into website.

How it works?

  • Attacker need ways to run malicious JavaScript code in user/victims browser
  • Now attacker find a way to inject malicious code into the web page (vulnerable) which user visits
  • When web page load in end user browser, malicious script injected into web page executes
  • Hackers use XSS to steal cookies. They can send cookie to their own servers.
  • Attacker injects payload into website database by submitting vulnerable form with malicious JavaScript content.
  • Now end user or victim requests web page from web server
  • Victim browser executes the code in HTML body.
  • Cookie is also sent to attacker server by HTTP request

Types of  Cross scripting:

  • Reflected XSS ( Malicious scripts from HTTP request)
  • Stored XSS also called as persistent ( Malicious scripts from website database)
  • DOM based XSS ( Happens due to vulnerability in applications , client side)

What is Document Object Model (DOM)?

It is a programming interface for HTML and XML(Extensible markup language), web documents

This type of attack occurs at client side or server side?

It occurs at Client side: browser; applications, Vulnerable website

Entering scripts in login username, Blog comments

Mitigation: ( How to reduce its effect)

  • Input validation
  • Sanitization of URLS
  • Encode data

What is CSRF?

Cross site request forgery:  It  web application vulnerability, in this server does not check whether request receive from trusted or not. Whatever it comes it just process directly.

Difference between XSS and CSRF?

  • XSS just need vulnerability. CSRF need user interaction to execute the malicious script, link
  • XSS is at client side, CSRF at server side.

CSRF is also called as one click, session riding attack

Interview Questions:

What is XSS, and How you mitigate cross-site site scripting?

Answer: It is JavaScript vulnerability in Web applications. Inputs are process without getting validated.

S0 untrusted data will be stored without getting validated.

Mitigation : Input validation, CSP ( Content security policy)

Is XSS client side client-server-side attack?

Answer: Its Client side attack (web applications)

Leave a Reply

Your email address will not be published. Required fields are marked *