Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. When a user visits the infected page or opens a specially crafted link, the browser executes the malicious JavaScript.
Famous attacks:
- Samy worm (2005)
- Yahoo attack (2013)
- TweetDeck attack (2014)
What can we do with XSS:
- Hijack the user’s session
- Perform unauthorized activities
- Perform phishing to steal user credentials
- Capture the keystrokes by injecting a keylogger
- Steal sensitive information
Types of XSS:
- Reflected
- Stored
- DOM-based
Reflected XSS is performed by attaching the malicious script to the end of a URL/link.
How are victims tricked into opening the link?
- Trick them into clicking the link through an email
- Publish the link on a website or social media
- URL shorteners (Bitly, TinyURL) make this much easier, because the payload in the link is hidden
Stored XSS - the injected script is permanently stored on the target server and is delivered to every user who loads the affected page.
DOM-based XSS can be exploited without any request to the server: the attack takes place entirely in the browser's DOM, which is local to the user's context.
If you want to practice XSS, the website https://xss-game.appspot.com/ has some very interesting challenges.