XSS

From charlesreid1

Revision as of 20:30, 13 April 2022 by Unknown user (talk)

Overview

Cheat Sheet

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Types of Cross Site Scripting

There are three main types of XSS attacks. These are:

  • Reflected XSS - the script comes from the current HTTP request
  • Stored XSS - the script comes from the website's database
  • DOM-based XSS - the script is injected client-side rather than server-side

Notes

Basic Reflected XSS Attack

An example of a reflected XSS attack would be a page that accepts input from a URL parameter, and dynamically inserts it in the page without any additional processing.

An example might be a "message" parameter in a URL that is used to display a greeting on a page. 

https://insecure-website.com/status?message=All+is+well.

This could be attacked like so: 

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
Retrieved from "https://charlesreid1.com/w/index.php?title=XSS&oldid=29478"