fbpx

REFLECTED CROSS-SITE SCRIPTING – THE EASIEST WAY TO DISCOVER VULNERABILITY

WELCOME TO THE WEEKEND ROUND-UP – WEB ATTACKS BUILD ON SHELLSHOCK BUG

23 Apr REFLECTED CROSS-SITE SCRIPTING – THE EASIEST WAY TO DISCOVER VULNERABILITY

Posted at 14:23h in Application Security, Security, Technology News by
0 Likes

Cross-Site Scripting (XSS) is a security weakness (Vulnerability) that takes advantage of dynamically generated Web pages. In an XSS attack, a malicious client-side script is embedded into a legitimate Web request. The script is activated when an unsuspecting Web browser later reads it. It manipulates those Web applications that have not protected themselves against XSS.

There are two main types of XSS:

  1. Stored Cross Site Scripting
  2. Reflected Cross Site Scripting

Stored Cross Site Scripting
Malicious script code is stored in the database. It gets executed when a user requests the page or data.

Reflected Cross Site Scripting
Malicious script gets executed if there is no validation at the server end.
Common targeted objects for reflected cross-site scripting are:

  1. Search text box’s
  2. Any Parameter in the URL string

Example 1 – Using Search Textbox

  1. Open a website with a search box
  2. Enter basic javascript code <script>alert(‘XSSed’)</script>

2014-04-19_11-03-081
3.  Click Search
2014-04-19_11-04-561_(2)
Example 2 – Using URL Parameter

  1. Open any webpage with parameters in URL string (in our case it is restring)
  2. Replace parameter value with basic script code
  3. Reload URL

2014-04-19_11-07-011_(1)
Countermeasures

To avoid an XSS attack, implement code into your Web application that block certain command tags and trigger script events in HTML, such as the greater than (>) and less than (<) symbols, the ampersand (&), double quotes (“”), and carriage returns.

 

Tags:
, , ,