XSS STORED VULNERABILITY
Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web page viewed by other users. There are two main types of XSS vulnerabilities: reflected and stored.
.jpg)
A stored XSS vulnerability occurs when an attacker is able to inject malicious code into a website, and that code is then stored on the server and served to all users who access that page. This can be particularly dangerous because the malicious code is persistent and can continue to harm users even after the initial attack.
The most common way to exploit a stored XSS vulnerability is through user input fields such as comments, forums, or chat boxes. An attacker can input malicious code, such as JavaScript, into one of these fields. When other users view the page, the malicious code is executed in their browsers, allowing the attacker to steal sensitive information, modify the page, or perform other malicious actions.
To prevent stored XSS vulnerabilities, developers should implement a number of security measures. One important step is to properly sanitize all user input, ensuring that any potentially dangerous characters are encoded or removed. Developers should also use Content Security Policy (CSP) headers to restrict which scripts can be executed on a page, and should ensure that cookies are properly secured to prevent attackers from stealing session information.
In addition, web application security scanners can be used to identify and mitigate stored XSS vulnerabilities. These scanners work by analyzing the code of a website and attempting to identify potential vulnerabilities. Developers can then use this information to patch any security holes and ensure that their site is secure against attacks.
Lets See how to find and check XSS Stored Vulnerability.
Step 1: Download the vulnerable web page from my GitHub.
https://github.com/Josh-INetSecurity-IN/xss-stored
Step 2: Run your Webserver
Here for this process, I have used XAMPP to start my Apache server and Mysql for Database.
Step 3: Once you run the vulnerable website, login to that website.
Step 4: Sending Input and observing the output.
Now, we can see a search text box, I am going to give an input and observe how the output is being produced.
I have given a text "test" in the text box.
The output is:
Step 5:Now I am going to use a <script> to get the cookie of this webpage and send it to an intruder's page.
Refer this video and follow the procedure.
For more info.
Github Page: https://github.com/Josh-INetSecurity-IN
XSS DOM Lab: https://github.com/Josh-INetSecurity-IN/xssdom/blob/main/
XSS Scripts : https://github.com/Josh-INetSecurity-IN/xssdom/blob/main/xss-payloads
E-Learning : https://www.inetsecurity.net.in
Lab : https://inetsecurity.net.in/taskboard.php
Instagram :https://www.instagram.com/joshuaprinceofficial/
Twitter :https://twitter.com/joshuaprinceoff/
Comments
Post a Comment