Cross Site Scripting

XSS is a vulnerability when which present in websites or web applications, allows malicious users (Hackers) to insert their client side code (normally JavaScript) in those web pages. When this malicious code along with the original webpage gets displayed in the web client (browsers like chrome IE, Mozilla etc), and it is allows Hackers to gain greater access of that page.The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can identify the client with the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site – specifically, impersonate the user

Example :

in corsss site scrpting we can gether credit card number and private information using a CSS attack. This was achieved by running malicious Javascript code at the victim (client) browser with the access privileges of the web site These are the very limited Javascript privileges which generally do not let the script access anything but site related information. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed. Yet this is enough for the script to collect the cookies and send them to the attacker. The result, the attacker gains the cookies and impersonates the victim.

What we can do sing cross site scripting

  1. stealing other user’s cookies
  2. stealing their private information
  3. performing actions on behalf of other users
  4. Showing ads in hidden IFRAMES and pop-ups
  5. Showing ads in hidden IFRAMES and pop-ups