
Trace Cross-Site Scripting (XSS) Attacks

Introduction:

Before covering the importance of website security, security technologies and their tools, we first explain security attacks and the theft of private data.

A web security threat is a possible danger that exploits a vulnerability in a computer system and breaches its security to cause damage. The most common web application attack vector is Cross-Site Scripting (XSS).

Cross-Site Scripting (XSS) Attack

In an XSS (Cross-Site Scripting) attack, hijackers send and inject malicious code or script into a web application. Malicious code is usually written in client-side languages such as JavaScript, HTML, VBScript, Flash, etc.; in practice, JavaScript and HTML are used to perform this attack. A successful XSS attack can have injurious consequences for an online business's reputation and its relationship with its clients.


For example, after a successful login to an application, the server sends you a session cookie via the Set-Cookie header. From then on, whenever you access any page in the application or submit a form, the cookie (which is now stored in the browser) is included in every request sent to the server. This is how the server knows who you are.

Thus, session cookies are sensitive information which, if compromised, may allow an attacker to impersonate the legitimate user and gain access to his existing web session. This attack is called session hijacking.

Cross-Site Scripting can also be used to inject a form into the vulnerable page and use that form to collect user credentials; this attack is called phishing.

Our Approaches and Techniques to Locate XSS Attacks on the Web

Web Application Security Tools (Burp Suite Community Edition):

Burp Suite is an integrated platform for performing security testing of web applications; with it we can find out whether our application is affected by an XSS issue or not. It is developed by a company named PortSwigger. Source: http://portswigger.net/burp/

  • Open Burp Suite Community Edition and click on the Next button.

  • Select the "Use Burp defaults" option and click on the Start Burp button.

  • The Burp Suite dashboard is displayed.

  • Set port 8080 and the localhost IP in the proxy listener.

  • Configure the Burp Suite proxy settings in the Firefox browser.

  • Back in Burp Suite, ensure that Proxy -> Intercept -> Intercept is off.

  • Go to the website's CONTACT US form in the Firefox browser and enter valid values in all the mandatory fields.

  • Back in Burp Suite, enable the intercept functionality.

  • Now click on the Submit Now button and verify that the request is intercepted by the Burp Suite tool.

  • After submitting the website's enquiry form, the recorded request is displayed in the Burp Suite tool.

  • Now edit the request, replacing the actual value of the field with JavaScript payloads, and then turn intercept off.

  • With intercept off, the JavaScript code is sent to the backend of the website.

  • Open the backend of the website: the injected script is rendered there, which shows that the website is vulnerable and affected by XSS attacks.
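As an added example that is not part of the original post, the snippet below shows why the final check succeeds: a backend page that concatenates stored enquiry fields straight into HTML, beside an escaped version that displays the same submission as inert text, together with a Set-Cookie header whose HttpOnly flag keeps the session cookie described above out of reach of injected script. The handler names and the sample submission are assumptions made for this illustration.

```javascript
// Added example (not from the original post): a minimal enquiry-form
// rendering routine as it might appear in the website's backend, the
// hardened version, and the session cookie attributes that limit session
// hijacking. renderEnquiry*, sessionCookieHeader and sampleEnquiry are
// constructed names and data for this illustration.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored field values are concatenated directly into the backend
// page, so a submitted <script> tag reaches the administrator's browser as
// markup and runs there (what the last step of the walkthrough observes).
function renderEnquiryVulnerable(enquiry) {
  return `<tr><td>${enquiry.name}</td><td>${enquiry.message}</td></tr>`;
}

// Hardened: every untrusted value is escaped for the HTML element context
// before insertion, so the same payload is shown as plain text.
function renderEnquirySafe(enquiry) {
  return `<tr><td>${escapeHtml(enquiry.name)}</td><td>${escapeHtml(enquiry.message)}</td></tr>`;
}

// Session cookie as described above, with HttpOnly so injected script cannot
// read it via document.cookie, Secure to keep it off plaintext connections,
// and SameSite to limit cross-site sends.
function sessionCookieHeader(sessionId) {
  return `sessionid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: a form submission carrying a script tag in the message.
const sampleEnquiry = { name: "Alice", message: "<script>alert(1)</script>" };

// Reviewer's check: does a raw script tag survive rendering?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```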

Conclusion

Cross-Site Scripting is one of the most common application-level attacks that hijackers use to break into web applications today, and one of the most dangerous. It is an attack on the privacy of the clients of a particular website which can lead to a total breach of security when customer details are stolen or manipulated. Unfortunately, this often happens without the knowledge of either the client or the organization being attacked. To prevent this harmful vulnerability, it is critical that an organization implement both an online and an offline security strategy. This includes using an automated application vulnerability assessment tool, like Burp Suite from PortSwigger, which can test for all the common web vulnerabilities and application-specific vulnerabilities (like cross-site scripting) on a site.
