Types of XSS Based on Persisting Capability:


  • Based on persistence capability, we can categorize XSS attacks into two types: Persistent and Non-Persistent.
    Persistent XSS:
    A Persistent (or Stored) XSS attack occurs when malicious code submitted by an attacker is saved by the server in the database and then runs permanently as part of the normal page.
    For example:
    Many websites host a support forum where registered users can ask questions by posting messages, which are stored in the database. Imagine that an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input provided, the injected script gets executed. The code will be executed whenever a user tries to read the post. If the injected code is cookie-stealing code, it will steal the cookies of the users who read the post. Using the cookie, the attacker can take control of your account.

    Non-Persistent XSS:
    Non-Persistent XSS, also referred to as Reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server via an HTTP request. The server embeds the input in the HTML file and returns the file (the HTTP response) to the browser. When the browser processes the HTML file, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.
    Example:
    Let us consider a project hosting website. To find our favorite project, we just enter a related word in the search box. When the search is finished, it will display a message like "search results for yourword". If the server fails to sanitize the input properly, the injected script gets executed.
    In reflected XSS attacks, the attacker sends a specially crafted link to victims and tricks them into clicking it. When a user clicks the link, the browser sends the injected code to the server, and the server reflects the attack back to the user's browser. The browser then executes the code.
    In addition to these types, there is also a third type of attack called DOM Based XSS; I will explain this attack in later posts.
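The forum post and search box cases described above, as an added example that is not part of the original post: each page is built once with the input copied verbatim and once with HTML output encoding, which is one way of doing the sanitizing the post refers to. All function names, the in-memory `forumPosts` store and the probe string are assumptions made up for illustration.

```javascript
// Added example (not from the original post); all names are hypothetical.
// Output encoding: turn HTML metacharacters into entities so user text stays text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected (non-persistent) case: the search term comes back in the same response.
function renderSearchVulnerable(term) {
  return '<p>search results for ' + term + '</p>'; // input copied verbatim
}
function renderSearchHardened(term) {
  return '<p>search results for ' + escapeHtml(term) + '</p>';
}

// Stored (persistent) case: posts are saved, then shown to every later reader.
const forumPosts = []; // stands in for the database
function savePost(author, body) {
  forumPosts.push({ author, body }); // stored as submitted; encoded when rendered
}
function renderForumVulnerable() {
  return forumPosts.map((p) => '<div class="post">' + p.body + '</div>').join('\n');
}
function renderForumHardened() {
  return forumPosts
    .map((p) => '<div class="post">' + escapeHtml(p.body) + '</div>')
    .join('\n');
}

// Constructed sample input: a harmless marker script used to test for injection.
const probe = '<script>alert(1)</script>';
savePost('alice', 'How do I reset my password?');
savePost('mallory', probe);

console.log(renderSearchVulnerable(probe)); // markup reaches the browser as a tag
console.log(renderSearchHardened(probe));   // same input, shown as plain text
console.log(renderForumVulnerable());       // every reader receives the tag
console.log(renderForumHardened());         // every reader sees inert text
```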

    What can an attacker do with this Vulnerability?
    *. Stealing identity and confidential data (credit card details)
    *. Bypassing restrictions in websites
    *. Session hijacking (stealing the session)
    *. Malware attack
    *. Website defacement
    *. Denial of Service (DoS) attacks
    Disclaimer: This article is intended for educational purposes only.

    Source: https://www.facebook.com/Hmei-7.blogspot.comHackingArticles?ref=ts&fref=ts