There are basically three different categories of XSS attacks. They are:
- Stored XSS(Persistent XSS): This is whereby the malicious code originates from the websites database. Am sure you are definitely asking your self how the code came from the website’s database rather from the attacker’s computer. Well, it’s simple. The attacker may inject the malicious cose in a websites input field such as in the comment field hence the script is saved to the website’s database.
- Reflected XSS: In this type of XSS attack, the malicious code originates from the victim’s request to the website. The website then includes this malicious string in the response sent back to the user. The attacker can send the URL containing the malicious URL to the victim (using email or instant messaging such as whatsapp) and tricks the victim into visiting the website. This is successful with the use of a URL shortener service which disguises the malicious string fron users who might otherwise identify it.
- DOM based XSS: This is the last type of XSS attack. Here the vulnerability is in the client side code rather than the in the server side code. The attacker crafts a URL containing the malicious string and sends it bo the victim tricking the victim to request the URL from the website which receives the request but does not include the malicious string in tye response. The victim’s browser executes the malicious script to be inserted into the page. The victim’s browser executes the malicious script inserted into the page sending the victim’s cookies to the attackers server.
That is all for today my esteemed reader. Next time I will be talking about what this malicious code snippets can do to compromise your browser’s security.
See you till then.
Don’t forget to follow me so as to never miss out on anything.
Disclaimer: The content on this blog should he used purely for education purposes or by security researches and system admins to fix XSS vulnerabilities on their systems. I shall not be held liable for the wrong use of these techniques.