Cross-Site Scripting (XSS) Flashcards
What is cross-site scripting (XSS)?
Cross-Site Scripting is a web security vulnerability that allows attackers to inject malicious scripts into a legitimate website or web application. These malicious scripts are then executed in the browsers of other users who visit the affected site.
What kind of scripts are used in XSS?
JavaScript and other scripts.
What is Stored XSS or Persistent XSS?
The malicious script is permanently stored on the target server.
Where might you find Stored XSS or Persistent XSS?
Database, comments section, or user profiles.
What is Reflected XSS?
Malicious script is embedded in a URL or input parameter and reflected back to the user in the server’s response.
Who is affected by Stored XSS or Persistent XSS?
Affects all users who visit the affected page.
Where might you find Reflected XSS?
The malicious script is embedded in a URL or input parameter.
Who is affected by Reflected XSS?
Users who interact with the crafted link.
What is DOM-Based XSS?
The vulnerability is in the client-side JavaScript code, where the malicious payload is processed directly in the browser without involving the server.
How does DOM-Based XSS work?
A website dynamically updates content based on URL parameters or user input.
What is the impact of DOM-Based XSS?
Can bypass server-side protections since the attack happens entirely in the browser.
What are some XSS targets?
Search boxes, forms, URL parameters, and content management systems.
What are the impacts of XSS?
Data theft, session hijacking, website defacement, malware distribution, and privilege escalation.
What is the XSS manual testing script?
<script> alert('XSS') </script>
How do you prevent XSS?
Sanitize user input (OWASP ESAPI), encode output (HTML encode, JavaScript escape), use a Content Security Policy (CSP), avoid inline JavaScript, use secure libraries (React, Angular), and validate inputs.