XSS (Cross Site Scripting)

Cross Site Scripting

This is one of the most commonly found vulnerabilities on websites, including Google and Facebook. An attacker can use this attack to steal your browser cookies, or redirect you to a malicious website that looks the same as the website you visited and asks you to fill in your details. This vulnerability is ranked no. 1 every year by OWASP, HackerOne, etc.

An XSS attack is achieved through stored, reflected, or DOM XSS. If a person enters some data in the search bar or in a URL parameter and that data gets reflected in the website's source code, we can conclude that the website is affected by an XSS vulnerability.

If an attacker enters JavaScript code in the search bar or a GET parameter and the data is reflected straight back to the user, we call it reflected XSS. If instead the JS code is stored in the database and executed every time the webpage is loaded, it is called stored XSS.

Generally, stored XSS is much more dangerous than reflected XSS because the code is stored in the database. XSS is commonly found on all kinds of websites. If you are good at penetration testing you can make $100-1000 per program on platforms such as HackerOne or Bugcrowd.

Many people in this field make a lot of money. There are many vulnerabilities like XSS, but it is the most dangerous compared to other vulnerabilities, and it is commonly found on every website.

We use Burp Suite to intercept and modify traffic, and with its help we can find XSS vulnerabilities. An XSS vulnerability mainly occurs when:

Data enters a web application through an untrusted source, most frequently a web request, and that data is included in dynamic content sent to a web user without being validated or encoded for malicious content.

A commonly used payload is <script>alert(1)</script>, but it does not work every time because characters may get filtered on the server side, so we must try different payloads, such as:

<body onload=alert("test1")>

<b onmouseover=alert("hello")>click</b>

<img src="URL" onerror=alert(document.cookie);> 
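The reflection path described above (untrusted request data concatenated into the response) and the "does my probe come back unencoded?" check a tester performs in Burp, shown as an added example that is not code from the original post. The function and variable names are hypothetical, and the probes are the payloads listed above; the fix shown is output encoding for the HTML text context.

```javascript
// Added example (not from the original post): a minimal reflected-XSS sink,
// its hardened form, and a reflection check. Names are hypothetical.

// Vulnerable: the search term from the request is concatenated straight into
// the HTML sent back to the browser, the untrusted-data -> dynamic-content
// path described in the post.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fix: encode for the HTML text context before interpolating, so markup
// characters in the input are rendered as text instead of parsed as tags.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// What the tester checks manually in Burp: if the response body still
// contains the probe byte-for-byte, the input reached the page unencoded.
function reflectsUnencoded(responseBody, probe) {
  return responseBody.includes(probe);
}

// Constructed sample inputs: the payloads listed in the post.
const PROBES = [
  '<script>alert(1)</script>',
  '<body onload=alert("test1")>',
  '<img src="URL" onerror=alert(document.cookie);>',
];

// Returns the probes that a given renderer echoes back unencoded.
function auditRenderer(render) {
  return PROBES.filter((p) => reflectsUnencoded(render(p), p));
}

console.log("unsafe renderer reflects:", auditRenderer(renderSearchUnsafe));
console.log("safe renderer reflects:  ", auditRenderer(renderSearchSafe));
```

escapeHtml is only correct for the HTML text context; a value placed inside an attribute, a URL, or a script block needs the encoding for that context.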

There are many more payloads, but these are the most commonly used ones. I suggest you buy the course at Hackers Era, which is a very good course focusing mainly on XSS vulnerabilities. I also suggest you visit the following link, where everything about XSS is explained in detail.


If you want to practice XSS, you can visit the following websites:

4. https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf
