Q1. What is Cross Site Scripting (XSS)?
Ans: By using Cross Site Scripting (XSS) technique, users executed malicious scripts (also called payloads) unintentionally by clicking on untrusted links and hence, these scripts pass cookies information to attackers.
Q2. What information can an attacker steal using XSS?
Ans: By using XSS, the session id of the genuine user can be stolen by the attacker. The session id is used by the browser to identify your credentials in an application and helps you keep login till sign off from an application. An attacker can write a code to extract information from cookies which contain session id and other information. Later, same session id can be used by an attacker to browse the application on behalf of the user without actually logged in the application.
Q3. Apart from mailing links of error pages, are there other methods of exploiting XSS?
Ans: Other methods where attackers store malicious scripts (also called payloads) are discussion forums, the comment section of websites and other similar platforms. Whenever the user navigates those pages, payloads got executed and user’s cookies information automatically sends to an attacker.
Q4. What are the types of XSS?
Ans: Cross-site Scripting can be divided into three types:
- Stored XSS
- Reflected XSS
- DOM-based XSS
Q5. What is Stored XSS?
Ans: In Stored XSS, attacker plants a malicious script (also called payload) on a web page. Comment page, forums, and other similar platforms can be used to store payloads. When the user browses these pages, these payloads executed and sends cookies information to an attacker.
Q6. What is Reflected XSS?
Ans: Reflected XSS is one of the most widespread attack technique used by attackers. In this type of attack, the user sends a malicious request by clicking on malicious links (contains an XSS payload) to web server available on social networking sites and other platforms. As a result, web server replied back to the user with HTTP response which contains the payload which in turns executed in the browser and steal cookies of the user.
Q7. What is DOM-based XSS?
Ans: DOM-based XSS is a type of cross-site scripting which appears in DOM(Document Object Model), instead of HTML.
Q8. How can I prevent XSS?
Ans: XSS can be prevented by sanitizing user input to the application. Always allowed those elements as input which is absolutely essential for that field.
Q9. Can XSS be prevented without modifying the source code?
Ans: “http only” attribute can also be used to prevent XSS.
Q10. What is Cross Site Tracing (XST)? How can it be prevented?
Ans: By using XST technique, attackers are able to steal cookies by bypassing “http only” attribute.
XST technique can be prevented by disabling TRACE method on the web server.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.