What is XSS (Cross Site Scripting)

-

XSS is client side code injection attack. the attacker aims a web page or a application and tries to execute that malicious script from that browser of the user. Mostly the websites which has comment section or forums and accepts inputs, are victim of this attack.

whenever a malicious script that are mostly written in Javascript, injected in a website or web app it will effect all those users which are visiting that website. for example if someone injects a malicious script into facebook’s comment section and we open that photo to read the comments, that code executes and we get affected either.

XSS is not user’s Problem but that vulnerable web App or website’s.

one of the malicious actions which an attacker can do with javascript is Cookie Theft by stealing a cookie an attacker may gain access to session tokens which a cookie usually stores then it could be impersonated the user.
for example: suppose you’re using netflix by providing your email and password which are stored on your browser in cookies until you logout so now the attacker successfully hijacked your cookie and open that in his browser what happens now is he can use your netflix account.

Criminals often use XSS to steal cookies. This allows them to impersonate the victim. The attacker can send the cookie to their own server in many ways.

How to Prevent XSS

Validating inputValidating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Whereas blacklisting, or disallowing certain, predetermined characters in user input, disallows only known bad characters, whitelisting only allows known good characters and is a better method for preventing XSS attacks as well as others.


Escaping
Escaping data means to make sure the data which your application has received is secure before rendering it to the end users. by escaping user’s input key characters in the data received by a web page will be prevented from being interpreted in any malicious way.

Sanitization
A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense. It’s totally possible you’ll find the need to use all three methods of prevention in working towards a more secure application. Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database by scrubbing the data clean of potentially harmful markup, changing unacceptable user input to an acceptable format.


Filtering

Filter all the data which are coming from user’s side because it may contain malicious code so these common keywords are must to be filtered<script> tag, Javascript commands, CSS styles and other dangerous html markups like Eventhandler.

Comments

Post a Comment

Popular posts from this blog

Solving Computer Forensics Case Using Autopsy

-
Image
  Computer Forensics is the well-planned series of procedures and techniques used for obtaining evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. This article focused on a particular case and a forensic tool to give you a ‘feel’ of what computer forensics investigations are like. However, it is in no way comprehensive enough to cover the variety of problems and complications faced by the investigator.   Scenario  A complaint was made to the authorities describing alleged Wi-Fi hacking activity. When the authorities reached the spot, they found an abandoned Dell computer which is suspected that this computer was used for hacking purposes. Schardt uses "Mr.Evil" nickname when he goes online. He is also accused of parking his car in wireless range (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numb...
Read more

Pentesting - Exploitation Guide Metasploitable 1

-
Image
Metasploitable Metasploitable is an Ubuntu 8.04 server installed on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software. You can grab your copy at Vulnhub – Metasploitable I used Kali Linux for attacking and VirtualBox for virtualization. Information Gathering nmap is a great tool for scanning ports and finding network services on a machine. We will run nmap with the following options: -sV to probe open ports for service and version info -O to fingerprint and try to guess the operating system -p1-65535 to do a complete port scan root@kali:~# nmap -sV -O 192.168.0.14 -p1-65535 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-12 16:46 MDT Nmap scan report for 192.168.0.14 Host is up (0.00073s latency). Not shown: 65522 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.1 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open...
Read more

The Main Cyber Threats Facing the Aviation Industry

-
Image
  Introduction The aviation industry, one of the most critical sectors in global transportation, is heavily dependent on interconnected technologies, which also makes it a lucrative target for cybercriminals. With each advancement in technology, there comes a new set of cyber risks that threaten the confidentiality, integrity, and availability of essential systems in the aviation ecosystem. The consequences of cyberattacks on the aviat ion industry can be catastrophic, ranging from flight delays to data breaches, physical harm to passengers, and even financial devastation for airlines and airports. As technology continues to evolve in aviation, so too do the cybersecurity challenges. In this comprehensive blog, we will explore the major cyber threats in the aviation industry and dive into best practices, standards, and risk assessments to mitigate these threats. 1. Overview of Cyber Threats in Aviation The aviation industry is complex, involving many interdependent systems such as ...
Read more