Posts

Showing posts with the label XSS

Hands On training | Google XSS Game

Image
Hello everyone, In a previous post, I talked about XSS aka Cross Site Scripting. Hope you all got a basic knowledge now. In this post, I am giving you more information on XSS with a hands on training on the Google XSS Game. You can find a video on how to solve this at the bottom of the page. At first, Google XSS Game is a training platform provided by google to practice XSS. It consist of 6 levels and in each level, you have to execute a JavaScript alert in order to advance to next level. In each level, you'll be provided with different problems and you've to execute the alert using different techniques in each level. This will help you to understand various methods than can be used to execute XSS in a web page. There are hundreds of such websites available which allow you to practice various types of vulnerabilities. So let's get started. Navigate to  https://xss-game.appspot.com . This is where the Google XSS Game is available. You'll see a page lik...

Introduction to XSS - Methods, Impact and Prevention

Image
When searching for hacking tutorials or reading through write ups, definitely you will come across the term XSS. In this post, I am going to explain what is XSS, what are it's impacts and how to achieve it with few examples. XSS aka Cross Site Scripting is a vulnerability which allow the attacker to inject and execute JavaScript code on the target website. This allow attacker to log the victim details, make a phishing page, bypass csrf, get cookies and many more. XSS is of 2 types. Stored and Reflected. Stored XSS is the type of XSS when the user entered data is stored in the server and the displayed in any other page. For example parameters like name, place, about etc can be vulnerable to stored XSS. That said, fields like password are stored once and never retrieved or showed in future, hence it is not vulnerable to stored XSS. When this can be exploited? The developer isn't validating user inputs. The developer added certain validations but they are client side ...