XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user session, deface websites, or redirect the user to malicious sites.Types of XSS:
- Server Side Attack
- Stored XSS / Presistent XSS
- Reflected XSS / Non-Persistent XSS
- Client Side XSS
- Stored XSS / Persistent XSS
- Reflected XSS / Non-Persistent XSS
- DOM Based XSS
- Attacker can access any cookies.
- Attacker can hijack user session.
- Attacker can retrieve sensitive information retained by browser.
- Attacker can rewrite the content of HTML page.
- Attacker can redirect user to malicious site.
- Attacker can deface website.
Impacts on Security:
- Attack on Confidentiality
- Attack on Integrity
Exploitability : Average
Impact : Moderate
- Turn off HTTP TRACE support on all web server.
- Properly escape all untrusted data based on the HTML content (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.
- Positive or “White-list” input validation is recommended.
No comments:
Post a Comment