Cross Site Scripting - II



Cross Site Scripting - II

Persistent XSS Attack

In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non- persistent attack. Here we will see how to hijack other user‘s session by performing XSS.

Session

HTTP protocol is a stateless protocol, which means, it won‘t maintain any state with regard to
the request and response. All request and response are independent of each other. But most of the web application don‘t need this. Once the user has authenticated himself, the web server should not ask the username/password for the next request from the user. To do this, they need to maintain some kind of states between the web-browser and web-server which is done through the
―Sessions‖.

Cross Site Scripting - I





Cross Site Scripting - I



What is Cross Site Scripting ?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy

Types of Cross Site Scripting

XSS attacks are broadly classified into 3  types

•    Non-Persistent ( Reflection Attack )
•    Persistent ( Stored Attack )
•    Dom Based XSS

Non-Persistent XSS Attack


In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visits the link, the crafted code will get executed by the user‘s browser. Let us understand this attack better with an example.

Example for Non-Persistent XSS



When the victim load the above URL into the browser, he will see an alert box which says
.Even though this example doesn‘t do any damage, other than the annoying attacked
pop-up, you can see how an attacker can use this method to do several damaging things.

Again using Local Host DVWA Performing Xss Reflection Attack




Enter Any Name and Submit Check the Response of the Website
 




Example I used My Name Noah Franklin  See the Response of the Website its say Hello Noah

Franklin






The alert () method displays an alert box with a specified message and an OK button use the script which used in the below .
 



SQL Injection - II



SQL Injection - II  

 

Install Vmware and DVWA Steps http://noahfranklin.blogspot.in/2015/06/how-to-setup-web-application-pentesting.html

Open dvwa and select SQL Injection TAB perform SQL Injection attack and collect the users information

Enter 1 and submit and see the response from the Database to the browser it shows ID 1 is belongs to Admin account