Decoding XSS, the most common hack.

Article 2

Welcome to the second article in the hacking course by TeensThatHack. Today we will decode XSS and understand its practical use cases.

So, what is XSS?

XSS (Cross-Site Scripting) is an attack in which an application accepts input without proper sanitization, so that the input ends up being treated as code in the page rather than as plain text.

To give a bit more context and understanding to the definition above, we will have to dive into some basics.

On the front end, a web application is mainly made up of two languages:

  1. HTML
  2. JavaScript

If you can enter code in either of these languages into a website and have it become part of the page, then it is an XSS attack.

How can this impact the end-user in real life?

The HTML or JavaScript code could be programmed to lead to monetary loss, cookie stealing, etc. In general, you won’t be asked to write such code; all you will need is to prove that such code can be injected.

To prove this, you will have to inject a ‘payload’. The most basic one is:

<script>alert(1)</script>

If the code is executed, then the XSS exists.

How do companies prevent XSS?

Companies prevent it by doing something called ‘input sanitization’, meaning they blacklist particular words or symbols like ‘script’.

Bypasses for this exist too; you can find a vast list of them at this link -
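Why a word blacklist is a weak control, shown next to HTML output encoding, as an added example that is not part of the original article. Output encoding is a different technique from the blacklist described above; the function names (`blacklistSanitize`, `escapeHtml`, `renderComment`, `userCanOpenTag`) and the sample inputs are constructed for illustration.

```javascript
// Added example: word blacklist vs. HTML output encoding (names are hypothetical).

// Blacklist "sanitization" as described in the article: delete a banned word.
function blacklistSanitize(input) {
  return String(input).replace(/script/gi, "");
}

// Output encoding: every character with meaning in HTML becomes an entity,
// so the browser displays the input as text instead of parsing it as markup.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Place user input in an HTML element body (the only context handled here).
function renderComment(comment, sanitizer) {
  return `<p class="comment">${sanitizer(comment)}</p>`;
}

// True if a raw "<" from the user survived, i.e. the input can still open a tag.
function userCanOpenTag(comment, sanitizer) {
  return sanitizer(comment).includes("<");
}

// Constructed sample inputs (not taken from any real site).
const SAMPLES = [
  "<script>alert(1)</script>",        // the basic payload shown in the article
  "<b>bold</b>",                      // plain HTML, no banned word in it
  'Tom & Jerry\'s "script" notes',    // legitimate text that mentions the word
];

function report() {
  return SAMPLES.map((input) => ({
    input,
    blacklist: renderComment(input, blacklistSanitize),
    blacklistOpensTag: userCanOpenTag(input, blacklistSanitize),
    encoded: renderComment(input, escapeHtml),
    encodedOpensTag: userCanOpenTag(input, escapeHtml),
  }));
}

console.table(report());
```

The blacklist lets markup through untouched and also damages legitimate text that happens to contain the banned word, while encoding neutralizes all three inputs. The encoder here covers the HTML element body only; values placed in attributes, inline JavaScript or URLs need the encoding for that context.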

Finally, what are the different types of XSS?

  1. Self-XSS: the hacker has to manipulate the victim into entering the particular code themselves on the website. Because of this, a lot of bug bounty programs don’t accept it.
  2. Reflective-XSS: the payload is present in the website’s link, so the victim only has to click on it for the XSS to be executed. Reflective XSS is accepted by most companies.
  3. Stored-XSS: widely regarded as the most harmful category of XSS, where the injected code becomes a part of the website code on a somewhat permanent basis. Stored XSS is the hardest to find and generally pays the most.

In conclusion, XSS is a pretty vast topic and a good starting point for new enthusiasts. Start by exploring more about it and its practical use cases.

Stay Safe and #HackThePlanet

Teens That Hack by Anshraj Srivastava

Welcome to Teens that Hack, an organization made for some overly enthusiastic people to learn ‘ethical’ hacking for free.