Cross site scripting (XSS) is a web security vulnerability that allows attacker to compromise victims in XSS attacker can send java script malicious code, to the victim after sending victim, he will be manipulate, can steal the cookies, account take over, session hijacking
Refelected XSS
Store XSS
Blind XSS
Dom XSS
We need to learn how to create an XSS payload for this I am dropping you a link to a lab where you learn and practice for free and easy to use https://prompt.ml/0
What is reflected XSS
It is a client-side attack where the attacker injects a malicious script into the web application which reflects the payload here an attacker can take whole control of the script
that is executed in the victim’s browser the cross-site scripting payload can be injected into the URL and search bar like this anywhere where inputs are available
Impacts of reflected XSS:
– Hackers can steal user’s necessary credentials
– Hacker can also perform account takeover
– Hackers could also steal cookies and sessions hijacking
– Hackers can extract user’s sensitive data
The most common payload are
- <script>alert(1)</script> - <img src=x onerror=prompt(1)> - <svg/onload=alert(1)>
What is stored XSS
This is something where the attacker sends a malicious link victim which reflects in the server here we can understand that in stored XSS, the payload is stored such in the field of the chat box, name, address,
Difference between reflected XSS and stored XSS is simple here in reflected XSS here attacker is attacking the client side, in stored here attacker is attacking to server-side
Stored XSS VS Reflected XSS
Reflected XSS -> STORE== reflect back
Stored XSS -> DATABASE -> Reflect Back
The most common payload are
<h1> Hacked By Me <>alert(document.cookie</></h1> <script>alert(document.domain)</script> <script>alert(document.cookie)</script> <img src=x onerror=prompt(document.cookie)> <h1> Hacked By Me <>alert(document.cookie</></h1>
Impacts:
Hackers can deface the website
Hackers can steal the user’s credentials
Hackers also can perform hijacking users session’s
Hackers can takedowns user accounts and also take access to victim’s computer
Blind XSS
Blind XSS is a vulnerability that is some sort of similar to stored but here the catch is the attacker makes a payload which is connected with his own server he made up payload with his server for example:
-Attacker target a website
-Now he is injecting a malicious script to steal user information
-He needs to wait for victims to visit the website and for malicious script to be activated
-Now victims’ information is sent to the attacker for a while to days and he finally got access
Impacts :
Hackers can perform hijacking user’s currents sessions
Hackers can perform phishing attacks
Hackers can perform a man in the middle attacks
Download XSS Payloads from here: Download Here