Web Security Lab Part 4: Cross Site Scripting XSS - Hsanokklis/2022-2023-Tech-journal GitHub Wiki
Into: Cross-site scripting attacks (XSS) can lead to malicious attacks where the user is redirected to a malicious site, download exploits in the background with malicious iframes, annoy users with endless pop-up messages, etc. These attacks are difficult to detect so programs like NoScript have been designed to disable scripting on websites.However, many sites require scripting for a good ‘user-experience’ so these tools can annoy some people so they just disable it. XSS attacks should be taken seriously because they can pose high-risk vulnerabilities to an organization or users visiting the organization’s site. Even more problematic is that a large site like CNN may not be compromised, but one of their ad providers could be compromised and that has the appearance of CNN carrying a malicious payload, when it is a third-party.
Objective: : Demonstrate how XSS works by testing to determine if an application is vulnerable and then performing the attack.
- Go to XSS(reflected)
- Test for basic XSS vulnerability by entering the string:hi
- Try a pop-up message by entering: <script>alert('attack');</script>
you may have to enable popups in advanced settings of the site
The lab documentation was wrong and had double quotes inside of the attack code, it should be single quotes
