
Cross-Site Scripting (XSS) Vulnerability

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted web sites. 

Cross-site Scripting (XSS) is generally believed to be one of the most common application layer hacking techniques.

XSS is a hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end user and collect some type of data from the victim.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

There are three types of XSS attacks:

  • Stored/Persistent XSS

Stored XSS generally occurs when user input is stored on the target server, such as in a database, message forum, visitor log, comment field, etc., and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser.

  • Reflected/Non-Persistent XSS

Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user-provided data.

  • DOM Based XSS

DOM Based XSS is an attack wherein the payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner. That is, the page itself (the HTTP response) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Below are a few of the popular websites vulnerable to XSS, which I found while browsing these websites. I reported the issues to the respective websites' support and security teams. They have fixed the issues after that.

1. www.thefind.com

    Vulnerable Parameter: query

    [Screenshot: XSS in www.thefind.com]

2. www.timesdeal.com

    Vulnerable Parameter: searchname

    [Screenshot: XSS in www.timesdeal.com]

3. www.tradus.com

    [Screenshot: XSS in www.tradus.com]

4. www.redbus.in

    Vulnerable URL parameters: "fromCityName" and "toCityName".

    [Screenshot: XSS in www.redbus.in]

How to Determine If You Are Vulnerable


XSS flaws can be difficult to identify and remove from a web application. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.

How to Protect Yourself

  • Contextual output encoding/escaping of string input
  • Safely validating untrusted HTML input
