A Scripting Language understood by the browser.
JS is embedded in HTML Pages
The Browser RUNS the js instead of displaying it
When the page loads, it is called an event. When the user clicks a button, that clicks to is an event. Other examples include events like pressing any key, closing a window, resizing a window, etc.
<body onload=alert(‘Welcome to Hacking Articles’)>
So whenever the body tag loads, an alert will pop up with the following text Welcome to Hacking Articles for the visitors. Here the loading of the body tag is an event or a happening and onload is an event handler which decides what will action will happen on that event.
Onmouseover, when the user moves his cursor over the text, the additional code will be executed. For example, let understand the following code:
<a onmouseover=alert(“50% discount”)>surprise</a>
Now when the user moves his cursor over the surprise the displayed text on the page, an alert box will pop up with 50% discount.
Cross Site Scripting (XSS)
XSS is listed as top third web application security risk in the OWASP to top 10 risk model 2017.
Let’s take an example that following code is XSS vulnerable, an attacker may possibly present a history that holds a malicious payload such as <script>alert(HACK);</script>
Print “<h1>Recent History</h1>”
Print request.Recent History print “</html>“
Users visiting the web page will get the following HTML page without his knowledge.
<h1> Recent History </h1>
Types of XSS:
There are actually three types of Cross-Site Scripting, commonly named as:
- Persistent XSS
- Non-persistent XSS
- DOM-Based XSS
Persistent XSS is considered more dangerous because the malicious payload is stored inside the web server as the more visitors will interact with the website will result in more XSS infected user. The attack does not require the phishing technique to target its users.
An example of a web application vulnerable to stored XSS as shown in the screenshot.
Read complete article from here
The non-persistent XSS is also known as reflected XSS occurs when the web application responds immediately on user’s input without validating the inputs this lead an attacker to inject browser executable code inside the single HTML response. It’s named as “non-persistent” since the malicious script does not get stored inside the web server, therefore attacker will send the malicious link through phishing to trap the user.
The most common applying of this kind of vulnerability is in Search engines in the website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.
An example of a web application vulnerable to reflected XSS as shown in the screenshot.
It is also known as type 1 because this attack is carried out through a single request/response then gets executed on the victim’s browser, and will prompt an alert “hellllooo” to his browser.
Read complete article from here
The Document Object Model (DOM) is an API that increases the skill of programmers or developers to produce and change HTML and XML documents as programming objects.
When an HTML document is loaded into a web browser, it becomes a document object.
The document object is the root node of the HTML document and the “owner” of all other nodes
The HTML DOM model is constructed as a tree of Objects
The DOM-Based Cross-Site Scripting is vulnerability which appears in a document object model instead of the html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.
The DOM-Based XSS exploits these problems on the user’s local machines in this way:
– The attacker creates a well-built malicious website
– The ingenious user opens that sites
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page executes that commands with the user’s privileges on that machine.
– The attacker easily gains control of the victim computer.
The following screenshot is an example of a web application server that is affected with DOM-based XSS attack. The web application let you choose the following language and will execute through URL.
The attacker will add malicious script inside URL
http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English#<script>alert("you have been hacked");</script>
The major difference between DOM XSS and Reflected or Stored XSS flaw is that it cannot be stopped by server-side filters because anything written after the “#” (hash) will never forward to the server.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here