In this post I am going to teach you the basics of XSS for beginners (as I am one too).
What Is XSS?
Ans : Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
How to find XSS on websites?
Ans : We can find cross-site scripting by entering payloads into inputs such as a search box, comment box, feedback box, etc.
Once you find an input, you can inject your payload into the input field.
The question is: what is a payload or vector?
A payload or vector is JavaScript code that we insert into an input field to find XSS.
Finding XSS-vulnerable websites
First of all, you have to find an input field, such as a search bar, login page, subscribe-by-email form or contact-us page.
So here I have taken one example of a vulnerable website.
I searched the news on the website for nomanramzan, but as you can see in the picture below, no news was found for nomanramzan. After that, just right-click anywhere on the website and click View page source.
Then press CTRL + F to search for nomanramzan and note the location where the input is placed. As you can see in the picture below, the website has taken the input and placed nomanramzan as the search value. The important step now is that we have to break nomanramzan out of the “ ”.
Now I am going to check whether the server sanitizes the input or not, by entering <> in the input field. Sometimes the server sanitizes the input, and then it looks like this in the source: &lt;&gt;.
In this case the website's server does not sanitize our input, which indicates that the website is vulnerable to XSS. Now, finally, I put in a payload
"><img src=x onerror=prompt(1);>
in the search bar, as you can see in the picture below. It now displays a pop-up box, so we have successfully found a cross-site scripting (XSS) vulnerability.
Then right-click on the website again and press CTRL + F to search for the payload "><img src=x onerror=prompt(1);> or the value, and you can finally check that our payload has broken out of the “ ”.
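The same check from the site owner's side, as an added example that is not part of the original post: a constructed search page rendered once with the query pasted in unchanged and once with output encoding, plus a small tag scanner that shows whether the input stays inside the quotes. The page template and all function names are assumptions made for the illustration.

```javascript
// Added example: constructed search page, not the website from the post.
// Characters that let text leave its HTML context, and their encoded forms.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// "Before": the query is placed between the quotes exactly as typed.
function renderSearchUnsafe(query) {
  return `<form><input type="text" name="q" value="${query}"></form>` +
         `<p>No news found for ${query}</p>`;
}

// "After": the same template, with the query encoded on output.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<form><input type="text" name="q" value="${q}"></form>` +
         `<p>No news found for ${q}</p>`;
}

// Names of the opening tags in the markup; quoted attribute values are
// skipped as a unit, so a ">" inside quotes does not end the tag.
function tagNames(html) {
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b(?:"[^"]*"|'[^']*'|[^'">])*>/g;
  return Array.from(html.matchAll(re), (m) => m[1].toLowerCase());
}

// Tags that appear only because of the query: render a harmless search
// first, then subtract those template tags from the real rendering.
function injectedTags(render, query) {
  const seen = tagNames(render(query));
  for (const name of tagNames(render('nomanramzan'))) {
    const i = seen.indexOf(name);
    if (i !== -1) seen.splice(i, 1);
  }
  return seen;
}

// The input used in the post.
const PAYLOAD = '"><img src=x onerror=prompt(1);>';
console.log('unsafe page, extra tags:', injectedTags(renderSearchUnsafe, PAYLOAD));
console.log('safe page, extra tags:  ', injectedTags(renderSearchSafe, PAYLOAD));
console.log('safe page source:', renderSearchSafe(PAYLOAD));
```

With encoding in place, the page source shows &quot;&gt;&lt;img ... inside the value attribute, and the browser displays it as text instead of creating a new element.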