Created
May 6, 2020 04:36
-
-
Save chetkhatri/ddc4aaee741d4acbac148e5b307d4c19 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
XSS alone doesn't do much damage, but it can easily be combined with other techniques to form powerful attack vectors. A few possibilities are: | |
session hijacking - Often, session cookies can be read from Javascript. Through XSS, a script can be mounted that reads a user's session ID and passes it back to the attacker (a simple yet effective method is to add an img element to the DOM, where the URL of the image carries the session ID); the attacker can then hijack an authenticated session by putting the session ID into their own session cookie. | |
scraping sensitive information - If a page with an XSS vulnerability contains sensitive information, and send it to the attacker (just like the session cookie). | |
posting data on someone else's behalf - Through XSS, a form submit can be intercepted and modified, or even triggered, posting data without the user's consent. For example, if you can compromise a web mail client, you could hijack the 'send' button to add yourself to the list of recipients. | |
malicious redirecting - An XSS script can alter the URLs of any link on the page. This can be abused to, for example, send the user to a spoofed login page; instead of actually logging in, they are sending their credentials to the attacker. | |
social engineering - By inserting error messages, alerts, etc., you can trick users into all sorts of insecure behavior. For example, an attacker could prompt users to download and open a certain file; if the site that asks them to do so has a high level of trust with the user, chances are they will uncritically execute anything, which allows for mounting trojans and other malware. | |
Also note that many attack vectors work without the user consciously opening the compromised page: often, the compromised page is put into an invisible iframe somewhere else, such as a forum that the victim is likely to visit, or a page linked from yet somewhere else. | |
There are two aspects: | |
An XSS vulnerability allows the attacker to do anything, the victim is allowed to do with the system. If the victim is a member of the staff, it is likely that he or she has access to personal information such as e-mail addresses or bank details. Furthermore such accounts may be allow to modify content and replaces it with inappropriate statements or browser exploits. | |
A successful hack may result in extremely bad press coverage. This may be far worse than the direct damage. | |
In the majority of XSS attacks, the attacker will try to hijack the user’s session by stealing their cookies and session tokens, or will use the opportunity to spread malware and malicious JavaScript. | |
Escape characters from rendering | |
Regex in input validation | |
a good rule of thumb is to then escape any and all HTML, URL, and JavaScript entities | |
Input is always an evil, you can't trust the user. | |
Sanitizing input from unacceptable Input to acceptable input | |
CSRF: Client side request forgery | |
Steal cookie and session-id, by using that perform any action on that user's behalf which might be unauthenticated in the database etc. without their concern, approval, and making them unaware that attack is being taken care. | |
JavaScript is not allowed to send any information to any other domain because of same origin policy. | |
`active-session-coockie` is dangerous. | |
http://w3af.org/ use this for Web Application attack and audit framework. | |
You can send a melicious email with link to delete some activity | |
When user is logged in the application and session-id cookie is active, email phising can be done easily. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment