Bienvenue sur Scribd !

Cross Site Scripting

Transféré par

0% ont trouvé ce document utile (0 vote)

115 vues15 pages

Cross Site Scripting (XSS) is a type of injection attack where malicious scripts are injected into otherwise benign and trusted websites. XSS has been a top web application vulnerability since 1996. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. Reflected XSS occurs when malicious scripts come from URLs, while stored XSS happens when scripts are stored on websites. XSS can be used to steal cookies and sessions, redirect users, alter content, and harm a website's reputation. Developers can prevent XSS through input validation, output encoding, and using the HttpOnly flag.

Description originale:

PDF about Cross site scripting

Copyright

Formats disponibles

PDF, TXT ou lisez en ligne sur Scribd

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Signaler ce document

Droits d'auteur :

Formats disponibles

Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd

Signaler comme contenu inapproprié

0% ont trouvé ce document utile (0 vote)

115 vues15 pages

Cross Site Scripting

Transféré par

Droits d'auteur :

Formats disponibles

Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd

Signaler comme contenu inapproprié

Passer à la page

Vous êtes sur la page 1sur 15

Rechercher à l'intérieur du document

Cross Site Scripting

Badrish Dubey
badrish007@gmail.com
securetechpoint.blogspot.in
INTRODUCTION
 XSS was firstly discovered around 1996 and is still in the top
ten vulnerability list for the web applications
 Rated 2nd in OWASP (Open Web Application Security
Project) TOP 10
 8th in the list of threat classification v2.0 for WASC (Web
Application Security Consortium)
 Grouped under client side ATTACK
What XSS can do!!!!
 Stealing cookies, this is also known as Session Hijacking.
 Redirecting the users to another websites.
 Displaying completely different contents on your website.
 Performing port scans of the customer’s internal network, which
may lead to a full intrusion attempt.
 Denting the REPUTATION and GOODWILL of the organization.
 Can lead Huge PENALITY AMOUNT which can affect the
continuity of business
Different flavors of XSS

1. Reflected Cross Site Scripting (Non Persistence)

2. Stored Cross Site Scripting (Persistence)
3. DOM based Cross Site Scripting

In rest of the presentation we would be talking about the

Reflected and Stored Cross site scripting.
Reflected XSS
Reflected XSS, also known as, Non–Persistence XSS or TYPE 1
XSS, is the case of attack that doesn't load with the vulnerable
web application but is originated by the victim loading the
offending URL. Now lets us see how the Reflected XSS takes
place.
Reflected XSS
 DEMO TIME 
Stored XSS
Stored XSS is also known as Persistence XSS or TYPE 2 XSS.
Stored XSS occurs when a web application gathers input from a
user which might be malicious, and then stores that input in a
data storage for later use. The input, that is stored, is not
correctly filtered. As a consequence, the malicious data will
appear to be the part of the web site and runs within the user’s
browser under the privileges of the web application.
Stored XSS
 DEMO TIME 
How to DETECT XSS
1. BLACK BOX TESTING
 Using web application scanner (Automated)
 Manually Testing
2. WHITE BOX TESTING
 Code analysis
How to PREVENT XSS
1. Encode output, based on, input parameters
2. Filter input parameters for special characters
3. Filter output, based on, input parameters for special
characters
4. White list the Input
Defense IN-DEAPTH (HttpOnly)
• Set the HTTPOnly flag on your session cookie and on any
custom cookie that you don’t want to be accessed by any
javascript.
• When you mark your cookie as HttpOnly, then it is not
accessible via javascript.
• In case after taking all the measures for XSS, if it still executes,
then HttpOnly flag minimizes the damage.
References
• OWASP:- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• WASC:-
http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Script
ing
• Wikipedia:- http://en.wikipedia.org/wiki/Cross-site_scripting
• CERT Advisory:- http://www.cert.org/advisories/CA-2000-02.html

• You can also find this complete article on my blog

(http://securetechpoint.blogspot.in/) and also you can get this in
haking9 magazine http://hakin9.org/pentesting-with-android-exploiting-
software-0612/
BE SAFE AND BE SECURE
•

Vous aimerez peut-être aussi

Penetration Testing of Computer Networks Using BurpSuite and Various Penetration Testing Tools
D'Everand
Penetration Testing of Computer Networks Using BurpSuite and Various Penetration Testing Tools
Dr. Hidaia Mahmood Alassoulii
Pas encore d'évaluation
XSS in Theory: Cross-Site Scripting
Document12 pages
XSS in Theory: Cross-Site Scripting
Hesham Medhat
Pas encore d'évaluation
Kali Linux, Ethical Hacking And Pen Testing For Beginners
D'Everand
Kali Linux, Ethical Hacking And Pen Testing For Beginners
BHARAT NISHAD
Pas encore d'évaluation
Cross Site Scripting Cheat Sheet
Document3 pages
Cross Site Scripting Cheat Sheet
SharkLaser
Pas encore d'évaluation
Xss Attack Faq
Document10 pages
Xss Attack Faq
SpyDr ByTe
Pas encore d'évaluation
Evading All Web-Application Firewalls Xss Filters: September 2015
Document19 pages
Evading All Web-Application Firewalls Xss Filters: September 2015
Diego Caridei
Pas encore d'évaluation
Intrusion Detection Systems A Complete Guide - 2021 Edition
D'Everand
Intrusion Detection Systems A Complete Guide - 2021 Edition
Gerardus Blokdyk
Pas encore d'évaluation
Detained
D'Everand
Detained
Claire Ainslie
Pas encore d'évaluation
Malicious URL Detection: Introduction
D'Everand
Malicious URL Detection: Introduction
Dr. N. Jayakanthan
Pas encore d'évaluation
Cracking the Fortress: Bypassing Modern Authentication Mechanism
D'Everand
Cracking the Fortress: Bypassing Modern Authentication Mechanism
Josh Luberisse
Pas encore d'évaluation
Intrusion detection system Standard Requirements
D'Everand
Intrusion detection system Standard Requirements
Gerardus Blokdyk
Pas encore d'évaluation
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
D'Everand
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
Dr. Hidaia Mahmood Alassouli
Pas encore d'évaluation
Online Hacker Survival Guide
D'Everand
Online Hacker Survival Guide
Naven Johnson
Pas encore d'évaluation
Ethical Hacking and Computer Securities For Beginners
D'Everand
Ethical Hacking and Computer Securities For Beginners
Elaiya Iswera Lallan
Pas encore d'évaluation
CEHv8 Module 08 Sniffing
Document180 pages
CEHv8 Module 08 Sniffing
Miles Gelidus
Pas encore d'évaluation
Category Sub-Category Status: Pre-Scan Analysis
Document53 pages
Category Sub-Category Status: Pre-Scan Analysis
Vusra
Pas encore d'évaluation
Snort Magazine
Document29 pages
Snort Magazine
luizeri
Pas encore d'évaluation
2008 03
Document84 pages
2008 03
Danilo Caruso
Pas encore d'évaluation
Hakin9 OTP Art
Document8 pages
Hakin9 OTP Art
kiendt85
Pas encore d'évaluation
Advanced XSS
Document57 pages
Advanced XSS
Sajid Ali
Pas encore d'évaluation
Thical Hacking Tools
Document8 pages
Thical Hacking Tools
muna cliff
Pas encore d'évaluation
Lib P Cap Hakin 9 Luis Martin Garcia
Document9 pages
Lib P Cap Hakin 9 Luis Martin Garcia
f2zubac
Pas encore d'évaluation
ELearnSecurity ECPPT Notes Exam
Document157 pages
ELearnSecurity ECPPT Notes Exam
Angel Cabrales
Pas encore d'évaluation
Manipulating The Network With PacketFu
Document5 pages
Manipulating The Network With PacketFu
Keith Lee
Pas encore d'évaluation
02 2009
Document84 pages
02 2009
Jose Luis Diaz Ortega
Pas encore d'évaluation
Helix, Hacking
Document15 pages
Helix, Hacking
jegreen3
Pas encore d'évaluation
Brute Forcing Passwords With THC
Document25 pages
Brute Forcing Passwords With THC
real
Pas encore d'évaluation
BadStore Net v2 1 Manual PDF
Document23 pages
BadStore Net v2 1 Manual PDF
Guillermo Andrade
Pas encore d'évaluation
Security: XSS Complete Guide All About Cookies and Security
Document5 pages
Security: XSS Complete Guide All About Cookies and Security
Hay Rod
Pas encore d'évaluation
Introduction To Ethical Hacking Preview
Document43 pages
Introduction To Ethical Hacking Preview
Miguel Murrieta
Pas encore d'évaluation
TechHacker Bundle Syllabus
Document21 pages
TechHacker Bundle Syllabus
James Bond
100% (1)
TELECOMMUNICATIONS INDUSTRY THREATS - Kaspersky - Telecom - Threats - 2016 PDF
Document18 pages
TELECOMMUNICATIONS INDUSTRY THREATS - Kaspersky - Telecom - Threats - 2016 PDF
Harry Mole
Pas encore d'évaluation
PenTest XSS
Document53 pages
PenTest XSS
Ѓорѓи Поп-Ѓорѓиев
Pas encore d'évaluation
Web Application Security Vulnerabilities
Document5 pages
Web Application Security Vulnerabilities
Hailu Tsega
Pas encore d'évaluation
Hacking - 201201
Document51 pages
Hacking - 201201
Danilo Caruso
100% (1)
Preview Power of Burp Suite
Document33 pages
Preview Power of Burp Suite
binux egaHYFGKIRTJ
Pas encore d'évaluation
NMap Cheat Sheet 1688314900
Document18 pages
NMap Cheat Sheet 1688314900
Bikash kumar Show
Pas encore d'évaluation
One Time Password - New Dimensions in Security PDF
Document8 pages
One Time Password - New Dimensions in Security PDF
exu4g.com
Pas encore d'évaluation
Exploitmag 01 2012
Document36 pages
Exploitmag 01 2012
Tasha Duncan
Pas encore d'évaluation
Backend Database Hacking
Document77 pages
Backend Database Hacking
ibnuramadhan
Pas encore d'évaluation
Hakin9 EN 03 2014
Document74 pages
Hakin9 EN 03 2014
xtofset
Pas encore d'évaluation
Hacking Course Plan 1
Document3 pages
Hacking Course Plan 1
Pankaj Sharma
Pas encore d'évaluation
Iintroduction To Penetration Testing
Document56 pages
Iintroduction To Penetration Testing
kike
Pas encore d'évaluation
Ethical Hacking Script
Document3 pages
Ethical Hacking Script
uhafduhkjhas
100% (1)
Penetration Report
Document66 pages
Penetration Report
Miguel Murrieta
Pas encore d'évaluation
Cross-Site Scripting PDF
Document18 pages
Cross-Site Scripting PDF
mandalika
Pas encore d'évaluation
Advanced XSS
Document8 pages
Advanced XSS
William Caceres
Pas encore d'évaluation
MASPT at A Glance
Document14 pages
MASPT at A Glance
frogman1001
Pas encore d'évaluation
Module-3: Information Security Management
Document17 pages
Module-3: Information Security Management
Akshi Chauhan
Pas encore d'évaluation
Syllabus-Certified Pentester & Bug Hunter (CPTBH) - Premium
Document22 pages
Syllabus-Certified Pentester & Bug Hunter (CPTBH) - Premium
bug bounty
Pas encore d'évaluation
Whatsapp Bloker and Haking Tool Kit
Document2 359 pages
Whatsapp Bloker and Haking Tool Kit
Aaditya Khanna
Pas encore d'évaluation
Hakin9 02 2006
Document84 pages
Hakin9 02 2006
Serlab Cork
Pas encore d'évaluation
Paper-3 Bypassing Antivirus With Crypters
Document7 pages
Paper-3 Bypassing Antivirus With Crypters
Rachel Wheeler
Pas encore d'évaluation
Mass Pwnage Metasploit
Document27 pages
Mass Pwnage Metasploit
kapil_j
Pas encore d'évaluation
Owasp Christianmartorella Information Gathering Via OSINT
Document68 pages
Owasp Christianmartorella Information Gathering Via OSINT
Prohest McAwesomeness
Pas encore d'évaluation
Syllabus WAPTX
Document14 pages
Syllabus WAPTX
AkiNiHandiong
Pas encore d'évaluation
Sqlmap - Readme
Document93 pages
Sqlmap - Readme
xhachex
Pas encore d'évaluation
Bypassing Web Application Firewall Workshop Ebook
Document85 pages
Bypassing Web Application Firewall Workshop Ebook
Winning Whales
Pas encore d'évaluation
DEF CON Safe Mode - Sean Metcalf - Hacking The Hybrid Cloud
Document111 pages
DEF CON Safe Mode - Sean Metcalf - Hacking The Hybrid Cloud
asdf
Pas encore d'évaluation
NMCSP 2008 Batch-I: Web Application Vulnerabilities
Document56 pages
NMCSP 2008 Batch-I: Web Application Vulnerabilities
Jitendra Kumar Dash
Pas encore d'évaluation
Assignment 2
Document3 pages
Assignment 2
Yufa Yulia Fatma
Pas encore d'évaluation
8 New Students Are Ready To Join Your Classroom 6b Tysk.: For Schools
Document9 pages
8 New Students Are Ready To Join Your Classroom 6b Tysk.: For Schools
Sebastian Cohrt
Pas encore d'évaluation
CBP Study Guide
Document2 pages
CBP Study Guide
deepakbarhate
Pas encore d'évaluation
Nischita Paudel N4 Week-6
Document14 pages
Nischita Paudel N4 Week-6
Nissita Pdl
Pas encore d'évaluation
Linux Essential A 2 4
Document28 pages
Linux Essential A 2 4
Robin Li
Pas encore d'évaluation
Netflix
Document10 pages
Netflix
ambioris hernándezg
Pas encore d'évaluation
LabManual For Cryptography and Network Security
Document14 pages
LabManual For Cryptography and Network Security
Rajeshkannan Vasinathan
100% (2)
CCSIT Cyberlympics 2017 - Workshop 2 - Presentation
Document59 pages
CCSIT Cyberlympics 2017 - Workshop 2 - Presentation
abdullah
Pas encore d'évaluation
Quiz - Endpoint Monitoring - Attempt Review
Document2 pages
Quiz - Endpoint Monitoring - Attempt Review
yurilima.ti2
Pas encore d'évaluation
IS Krishna (4-10)
Document34 pages
IS Krishna (4-10)
krishnaviramgama57
Pas encore d'évaluation
VR 7.5.0 PDF
Document15 pages
VR 7.5.0 PDF
Fernando Prieto
Pas encore d'évaluation
Cryptography and Network Security
Document12 pages
Cryptography and Network Security
Wiedy Tira Pratama
Pas encore d'évaluation
NIST RMF Documentation v2.1 - 20190807
Document74 pages
NIST RMF Documentation v2.1 - 20190807
Nathan
Pas encore d'évaluation
Faisal Al-Shankiti - Chapter 8 - Safety and Security Students
Document5 pages
Faisal Al-Shankiti - Chapter 8 - Safety and Security Students
kuyjkgy
Pas encore d'évaluation
Crypto 1
Document47 pages
Crypto 1
ALNATRON GROUPS
Pas encore d'évaluation
Serena Sterling Serena Sterling Serena Sterling: CRR Secguards CRR Secguards CRR Secguards
Document2 pages
Serena Sterling Serena Sterling Serena Sterling: CRR Secguards CRR Secguards CRR Secguards
Edah Laela
Pas encore d'évaluation
Cyber Security
Document66 pages
Cyber Security
dave vegafria
Pas encore d'évaluation
Protect You Site With Honeypots
Document9 pages
Protect You Site With Honeypots
Pierre-Henry Soria
Pas encore d'évaluation
Hcia Security Mock PDF
Document5 pages
Hcia Security Mock PDF
Ict lab
0% (1)
Oracle Solaris 11.3 Security and Hardening Guidelines: Part No: E54807
Document84 pages
Oracle Solaris 11.3 Security and Hardening Guidelines: Part No: E54807
Momate
Pas encore d'évaluation
Network Security Architecture: by Mariusz Stawowski
Document5 pages
Network Security Architecture: by Mariusz Stawowski
DavidXimenes
Pas encore d'évaluation
Security Features in IPV6
Document17 pages
Security Features in IPV6
appleusr2000
Pas encore d'évaluation
What Is Trojan
Document23 pages
What Is Trojan
Nihal Raut
Pas encore d'évaluation
ISO27k Security Metrics Examples
Document10 pages
ISO27k Security Metrics Examples
vishnukesarwani
100% (3)
Lecture 02 - The Need For Security-2
Document48 pages
Lecture 02 - The Need For Security-2
Umair Amjad
Pas encore d'évaluation
Vault Internal LDAP Integration System Safe: Safe Contains The Configuration For An
Document11 pages
Vault Internal LDAP Integration System Safe: Safe Contains The Configuration For An
Root Me
Pas encore d'évaluation
Eco-479 Exam Practice (Dumps)
Document33 pages
Eco-479 Exam Practice (Dumps)
Sulaiman Gbadamosi
Pas encore d'évaluation
5.1 Secure Internal Communication SIC PDF
Document12 pages
5.1 Secure Internal Communication SIC PDF
Trupti Sansare
Pas encore d'évaluation
Merkow - PPT - 02 F
Document20 pages
Merkow - PPT - 02 F
JuanDelaCruz
Pas encore d'évaluation
Future Solutions Poster - Cybersecurity
Document1 page
Future Solutions Poster - Cybersecurity
api-534148470
Pas encore d'évaluation