Cross-Site Scripting (XSS) attack – All things in moderation

Cross-Site Scripting (XSS) attack

What is Cross-Site Scripting (XSS)?

XSS is a client-side code injection attack. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX and other client-side languages, and they can gather or steal data from the victim’s browser: account details, cookies or other sensitive information.

Types of XSS

Stored XSS

Stored XSS occurs when user input is stored on the server, for example in a database behind a message field or comment field (the entire vulnerability is in server-side code). When a victim later retrieves the stored data from the web app, the script code executes in the victim’s browser.
Read more: https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)


This example uses OWASP Mutillidae.
Download it from: https://sourceforge.net/projects/owaspbwa/
Then open it in a VMware virtual machine.

For example: an attacker inserts script code when submitting a blog entry.


When a user visits this blog and the page loads the database records containing the script code, the malicious code executes in the browser.


Reflected XSS

Reflected XSS occurs when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page.
Read more: https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

Insert the following script code into the cookie contents using the Firefox add-on Cookies Manager+: alert(document.cookie) -> no result
Try the same script URL-encoded:
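The stored example above and this reflected one share one defect: user data is written into HTML without output encoding, and the only difference is whether it arrives from the database or straight from the request. The following is an added example (not code from the original post or from Mutillidae) in Node.js; the page templates, function names and the sample comments are constructed for illustration. It also shows why a URL-encoded payload behaves like a plain one: the server decodes percent-encoding before the handler ever sees the value.

```javascript
// Added example (not from the original post): the output-encoding bug
// behind stored and reflected XSS, shown on constructed server templates.

// Escape the five characters that let user data change HTML structure.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The framework decodes percent-encoding before the handler sees the
// value, so "%3Cscript%3E" reaches the template as "<script>".
function decodeSearchParam(rawQueryString) {
  return new URLSearchParams(rawQueryString).get("q") ?? "";
}

// Vulnerable: request data spliced straight into the page (reflected XSS).
function renderSearchUnsafe(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Fixed: encode at the point the value enters HTML.
function renderSearchSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Same bug with data read back from the database (stored XSS): the text
// is treated as trusted because it is "ours now", which is wrong.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c.author}: ${c.text}</li>`).join("");
}

function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li>${escapeHtml(c.author)}: ${escapeHtml(c.text)}</li>`)
    .join("");
}

// Crude check for a test harness: did a <script> element appear in
// output whose template never wrote one?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input (not captured from any real site).
const RAW_QUERY = "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E";
const STORED_COMMENTS = [
  { author: "alice", text: "nice post" },
  { author: "mallory", text: "<script>alert(document.cookie)</script>" },
];

const decoded = decodeSearchParam(RAW_QUERY);
console.log("decoded query:", decoded);
console.log("unsafe page  :", renderSearchUnsafe(decoded));
console.log("safe page    :", renderSearchSafe(decoded));
console.log("unsafe list  :", renderCommentsUnsafe(STORED_COMMENTS));
console.log("safe list    :", renderCommentsSafe(STORED_COMMENTS));
```

The encoding is applied on output, not on input: the stored comment is kept exactly as submitted, and every place that renders it into HTML is responsible for escaping it for that context.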




Other type of XSS (DOM Based XSS)

Defined by Amit Klein in 2005. DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser; the source of the data is the DOM (Document Object Model). DOM Based XSS is simply a subset of client-side XSS.

Read more: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)

Insert the following code: ">alert(document.cookie)
The web app reveals try{}catch(){} code that checks the username

→ insert try{}catch(){}

try{username="a";}catch(e){} alert(document.cookie); try{a="";}catch(e){alert("error:"e.message");};
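The username here is not landing in HTML but inside a script block, so HTML encoding alone does not help: a quote in the input ends the string literal and everything after it is parsed as code, which is why the payload mirrors the surrounding try{}catch(){}. The following is an added example (not code from the original post or from Mutillidae) of that failure and of the matching fix, serializing the value for a JavaScript context. The template, function names and the constructed payload are assumptions for illustration; the runScriptBody helper is a test harness that evaluates the rendered script under stubbed alert and document objects, and is not something to use on real input.

```javascript
// Added example (not from the original post): user data inside a <script>
// block, as in the try{}catch(){} username check, and the context-aware fix.

// Vulnerable: the username is pasted into JavaScript source as a string
// literal. A quote in the input ends the literal; the rest is executed.
function renderUserScriptUnsafe(username) {
  return `<script>try{username="${username}";}catch(e){}</script>`;
}

// Serialize for a JavaScript context: JSON.stringify handles quotes and
// backslashes; the extra replacements stop "</script>" from closing the
// element and U+2028/U+2029 from acting as line terminators.
function toJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Fixed: the value is always exactly one string literal.
function renderUserScriptSafe(username) {
  return `<script>try{username=${toJsLiteral(username)};}catch(e){}</script>`;
}

// Harness only: run the script body with alert() and document stubbed so
// we can observe what executes. Never evaluate untrusted input like this.
function runScriptBody(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  const alertCalls = [];
  const fn = new Function(
    "alert",
    "document",
    "var username; " + body + "; return username;"
  );
  const username = fn(
    (msg) => alertCalls.push(String(msg)),
    { cookie: "session=constructed" } // constructed stub, not a real cookie
  );
  return { username, alertCalls };
}

// Constructed payload shaped like the one in the post: it closes the
// literal and the try block, then opens a new try so the syntax stays valid.
const PAYLOAD = 'a";}catch(e){} alert(document.cookie); try{a="';

console.log("unsafe:", runScriptBody(renderUserScriptUnsafe(PAYLOAD)));
console.log("safe  :", runScriptBody(renderUserScriptSafe(PAYLOAD)));
```

The detection signal for this class of bug is a script block that contains more top-level statements than its template wrote; the fix is to never build JavaScript source from user data at all, or, where a value must be passed, to emit it as a single JSON literal (or in a data attribute the page reads back) rather than interpolating raw text.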



