πŸ‘¨β€πŸ’»
Jawad's Notes
  • πŸ‘¨β€πŸ«INFOSEC
    • πŸ•ΈοΈWeb
      • Burp Suite: Setting Foxyproxy
      • XSS
      • Wappalyzer
      • Directory Traversal
      • LFI
        • PHP Wrappers
        • RFI
      • Reverse Shell
        • Command Injection Quick Tips
      • File Upload
      • WPScan
      • SQL Injection
        • Schemas
        • SQLmap
        • MSSQL
        • MySQL
        • PostgreSQL
    • πŸ”§Tools
      • Whois
      • DNSRecon
      • DNSenum
      • nslookup
      • Netcat
        • Powercat
      • Nmap
        • Nmap Scripting Engine
        • Test-NetConnection
        • Grep
      • Server Message Block (SMB)
      • SNMP
      • SMTP
      • ExifTool
      • Search Engine Hacking
      • Source Control Hacking
      • Nessus
      • Canarytokens
      • Qualys SSL Server Test
      • Security Headers
      • theHarvester
      • Shodan
      • Gobuster
        • Dirb
      • Searchsploit
      • Password Cracking
        • Hashcat
        • John The Ripper
        • Hydra
        • hashID
        • CPU vs GPU
    • 🐧Linux
      • Symbols
      • cat
      • curl
      • openvpn
      • tcpdump
      • Remote Desktop
      • SmbShare
      • Tmux
      • Convert Windows-style line endings (CRLF) to Unix-style (LF)
      • SSH
    • πŸ–₯️Macros in Office
    • 🍎Enhancing Your MacOS Terminal Experience
    • 🚩CTF
      • SQL Injection
        • WHERE clause allowing retrieval of hidden data
        • Allowing login bypass
        • UNION attack, determining the number of columns returned by the query
        • UNION attack, finding a column containing text
        • UNION attack, retrieving data from other tables
        • UNION attack, retrieving multiple values in a single column
        • Querying the database type and version on Oracle
Powered by GitBook
On this page
  1. INFOSEC
  2. Web

XSS


Last updated 1 year ago

Cross-Site Scripting (XSS) is a security vulnerability in web applications where attackers inject malicious scripts into web pages viewed by other users. There are three main types of XSS:

  1. Stored XSS:

    • Malicious scripts are permanently stored on the target server, impacting all users who view the affected page. Example: Attacker injects a script into a comment on a website, and anyone viewing that comment becomes a victim.

  2. Reflected XSS:

    • Malicious scripts are embedded in a URL and only affect users who click on a specially crafted link. Example: Attacker sends a phishing email with a link containing a script, and users who click on the link inadvertently execute the script.

  3. DOM-based XSS:

    • The attack takes place entirely in the browser's Document Object Model (DOM): client-side JavaScript writes attacker-controlled input into the page without sanitizing it, so the script runs even though the server never stored or reflected it. Example: Attacker supplies a script in part of the URL that page code reads and inserts directly into the page's content.

Preventing XSS involves input validation, output encoding, and implementing security mechanisms like Content Security Policy (CSP) to mitigate the risk of script injection attacks.
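As an added example (not from the original notes), the stored-XSS comment scenario above is rendered first without encoding and then with HTML output encoding, alongside a minimal CSP header; the names `escapeHtml`, `renderCommentUnsafe`, `renderCommentSafe`, `cspHeader` and `containsScriptTag` are hypothetical helpers, and the sample comment is constructed.

```javascript
// Added example: output encoding and a CSP header against stored XSS.
// Runs under Node.js; HTML is built as strings, so no DOM is required.

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the comment is concatenated straight into the markup, so a
// comment containing a <script> tag becomes part of the page for every viewer.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: untrusted text is encoded for the HTML context it lands in.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Minimal Content-Security-Policy: only same-origin scripts, or inline scripts
// carrying the per-response nonce, may execute. Inline injected scripts are blocked.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Detection helper for the demo: does the rendered HTML contain a real script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment resembling the stored-XSS scenario described above.
const SAMPLE_COMMENT = 'Nice post <script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // script tag survives
  console.log(renderCommentSafe(SAMPLE_COMMENT));   // script tag neutralised
  console.log('Content-Security-Policy: ' + cspHeader('r4nd0mNonce'));
}
```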

Resources:

πŸ‘¨β€πŸ«
πŸ•ΈοΈ
https://owasp.org/www-community/attacks/xss/
https://en.wikipedia.org/wiki/Secure_cookie
https://en.wikipedia.org/wiki/Session_(computer_science)
https://en.wikipedia.org/wiki/HTTP_cookie
https://www.youtube.com/watch?v=bkDIdVNbLNI