401 Class 36: XSS with w3af, DVWA - nataliabdallah/codefellows-ops-reading-notes GitHub Wiki


Reading: Cross-site scripting

Explain how a cross-site scripting attack works in non-technical terms.

Imagine you have a favorite bulletin board where everyone can pin notes for others to read. Now suppose someone pins a note that looks normal but has a hidden trick: when someone reads it, it secretly steals their house key. Cross-site scripting (XSS) is like that trick note. An attacker gets their own script into a page of a website you trust, and when your browser shows that page it runs the script as if it were the site's own, so the script can do things like steal your information without you knowing.

What are the three types of XSS attacks?

  1. Stored XSS: This is like someone leaving a trick note on the bulletin board that stays there. Anyone who reads the note gets tricked. In technical terms, the harmful script is saved on the website itself (in a comment, a profile field, a product review) and served to every visitor who views that content.
  2. Reflected XSS: This is like someone handing you a trick note directly, and you get tricked as soon as you read it. The harmful script is not stored; the website echoes it back in its response to something you do, typically clicking a link the attacker crafted, so the payload travels in the URL or form data of that one request.
  3. DOM-based XSS: This is like someone changing the words of a note already on the board so that it tricks you when you read it. Technically, the weakness is in JavaScript already running in the page: it reads attacker-controlled input (for example the part of the URL after #) and writes it into the page through an unsafe sink such as innerHTML. That part of the URL is never sent to the server, so server-side filtering and logging never see the payload.

If an attacker successfully exploits an XSS vulnerability, what malicious actions would they be able to perform?

The injected script runs in the victim's browser with the victim's session, so the attacker can read whatever the page can read (cookies that are not marked HttpOnly, the page's content, values typed into forms), send requests to the site as the logged-in user (change a password, post content, make a purchase), rewrite the page to show a fake login form, or redirect the victim to a site the attacker controls.

What are some security controls that can be implemented to prevent XSS attacks?

  1. Sanitize inputs: Anything users add to the website (comments, profile fields, form submissions) should be checked on the way in, and where HTML has to be accepted it should be cleaned by a proper HTML sanitizer rather than by home-made tag stripping, which is easy to bypass.
  2. Use Content Security Policy (CSP): A CSP header tells the browser which sources scripts may come from. With inline scripts disallowed, an injected script is refused by the browser even if it makes it into the page.
  3. Validate and encode data: Validate input against what the field is supposed to contain (an allowlist where the legal values are known), and encode data when it is written into the page so that characters such as < and " become harmless text. The encoding must match the context the data lands in (HTML body, attribute, JavaScript, URL); this output encoding is the primary defense, with sanitization for the cases where HTML must be allowed.
  4. Use HTTP-only cookies: Marking the session cookie HttpOnly hides it from JavaScript, so even if a trick note runs, it cannot read the house key from document.cookie (though it can still act as the user while the page is open).
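The four controls applied to a reflected search page, as an added example that is not from the reading, from DVWA or from w3af. The allowlist for the sort field, the CSP directives and the cookie attributes are illustrative choices made for this example, not the settings of any particular framework:

```javascript
// Added example (not from the page, DVWA or w3af): the four controls from the
// list above applied to a small search handler. Header values and the
// allowlist are illustrative choices.

// 1+3. Validation: an allowlist for a field whose legal values are known. Reject
// and fall back to a safe default rather than try to "clean" the value.
function validateSortOrder(value) {
  const allowed = ['asc', 'desc'];
  return allowed.includes(value) ? value : 'asc';
}

// 3. Output encoding for the HTML element-content context. Every character that
// can start or end a tag, attribute or entity is replaced by its entity. This
// encoder is NOT safe for data placed inside a <script> block, an event-handler
// attribute or a URL; those contexts need their own encoders.
function escapeHtml(s) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, ch => entities[ch]);
}

// Vulnerable and hardened renderers side by side.
function renderSearchVulnerable(query, sort) {
  return `<p>Results for: ${query} (sorted ${sort})</p>`;
}
function renderSearchSafe(query, sort) {
  return `<p>Results for: ${escapeHtml(query)} (sorted ${validateSortOrder(sort)})</p>`;
}

// 2+4. Response headers: a CSP that only allows scripts loaded from the site's
// own origin (inline <script> and inline event handlers are refused because
// 'unsafe-inline' is absent), and a session cookie that document.cookie
// cannot read because of HttpOnly.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// The hardened handler: parse the request, validate and encode the inputs,
// and attach the headers to the response. The request object is a stand-in.
function handleSearchSafe(request, sessionId) {
  const params = new URL(request.url, 'http://localhost').searchParams;
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', ...securityHeaders(sessionId) },
    body: renderSearchSafe(params.get('q') ?? '', params.get('sort') ?? 'asc'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const attack = '/search?q=' + encodeURIComponent('<script>alert(document.cookie)</script>') + '&sort=desc';
  console.log(renderSearchVulnerable('<script>alert(document.cookie)</script>', 'desc'));
  console.log(handleSearchSafe({ url: attack }, 'abc123'));
}
```

The payload that the vulnerable renderer emits as live markup comes out of the hardened one as visible text. The layers are independent: if an encoding step is missed somewhere, the CSP still stops an injected inline script from running, and if a script does run, HttpOnly keeps the session value out of document.cookie. For the DOM-based case the equivalent of escapeHtml is writing untrusted data with textContent instead of innerHTML, or running it through an HTML sanitizer when markup must be allowed.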

Bookmark and Review

Security Report for In-Production Web Applications