401d8 read36 - carlosjorr/reading-notes GitHub Wiki
XSS with w3af, DVWA
Explain how a cross-site scripting attack works in non-technical terms.
Imagine you're visiting a website, and it has a place where you can leave comments. Let's say you enter a harmless comment like "Hello, this is a nice website!" The website then shows your comment to other visitors who read it. This is a common feature on many websites to encourage interaction.
However, there's a problem. If the website doesn't properly check the comments people leave, someone could enter a malicious script instead of a regular comment. A script is a set of instructions that a visitor's web browser follows. So, when someone else visits the page containing the malicious comment, their browser is tricked into treating the script as a legitimate part of the website and runs it.
Now, the malicious script can do things that it's not supposed to. It might steal personal information like passwords or credit card numbers from the visitor's computer, or it could make the visitor do something they didn't intend, like clicking on ads or downloading harmful files.
What are the three types of XSS attacks?
Stored XSS: The malicious script is stored on the website's server and is shown to multiple visitors when they load a particular page.
Reflected XSS: The malicious script is included in a link that the victim clicks on. The script is then reflected off a trusted website, making it seem like it's coming from a legitimate source.
DOM-based XSS: The malicious script manipulates the Document Object Model (DOM) of a web page. This happens on the client-side, without involving the server.
If an attacker successfully exploits an XSS vulnerability, what malicious actions would they be able to perform?
Steal sensitive information like usernames, passwords, and personal data.
Impersonate the victim and perform actions on their behalf.
Spread malware to visitors of the compromised website.
Redirect users to fake or malicious websites.
Modify the content of the webpage to display false or offensive information.
What are some security controls that can be implemented to prevent XSS attacks?
Input Validation: Checking and sanitizing user inputs to remove any harmful code before storing or displaying them on the website.
Output Encoding: Encoding the content properly so that the browser displays it as text instead of interpreting it as code.
Content Security Policy (CSP): Defining rules for what kind of content can be loaded and executed on a webpage.
HttpOnly Cookies: Ensuring that sensitive information in cookies can't be accessed by JavaScript running in the page.
Regular Security Updates: Keeping software and frameworks up-to-date to fix known vulnerabilities.
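To make the comment scenario and the list of controls concrete, here is an added example (not code from the original notes, DVWA or w3af) in plain Node.js. It shows the vulnerable rendering pattern the stored and reflected cases rely on next to its hardened form, plus the input validation, CSP and HttpOnly cookie controls listed above. All inputs are constructed sample values, and the helper names (escapeHtml, renderCommentSafe, etc.) are assumptions of this example rather than names from any project.

```javascript
// Added example (not from the original notes): XSS mitigations shown with
// plain Node.js and no third-party libraries. Every input is a constructed
// sample value; function names are this example's own.

// 1. Output encoding: replace the five HTML-significant characters so the
//    browser renders user text as text instead of parsing it as markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the comment is concatenated straight into the page,
// which is exactly how a stored or reflected comment ends up executing.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened rendering: same template, but the comment is encoded first.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// 2. Input validation: accept only what a field legitimately needs (here a
//    display name) and reject everything else before it is stored.
function isValidDisplayName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 _.-]{1,32}$/.test(name);
}

// 3. Content Security Policy: no inline scripts, scripts only from our own
//    origin. If encoding is missed somewhere, an injected <script> block is
//    still not executed by a CSP-aware browser.
function contentSecurityPolicyHeader() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  };
}

// 4. HttpOnly session cookie: script in the page cannot read it via
//    document.cookie, so a script that does run cannot simply copy the session.
function sessionCookieHeader(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Demonstration: a constructed comment containing a script tag is rendered
// both ways. Only the vulnerable output still contains live markup.
function demo() {
  const comment = 'Nice site! <script>probe()</script> & "friends"';
  const vulnerable = renderCommentVulnerable(comment);
  const safe = renderCommentSafe(comment);
  return {
    vulnerable,
    safe,
    vulnerableHasScriptTag: vulnerable.includes('<script>'),
    safeHasScriptTag: safe.includes('<script>'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(contentSecurityPolicyHeader());
  console.log(sessionCookieHeader('EXAMPLE-SESSION-ID'));
}
```

Running the file prints the two renderings side by side: the hardened one shows the comment text, angle brackets included, but contains no tag the browser would execute. The CSP and cookie functions return the header values a server would attach to its responses; they are the second and third layers, so a single missed encoding call does not by itself give an injected script a working session.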