XSS stands for Cross Site Scripting.
- XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs.
- In XSS, we inject code (basically client-side script) into the remote server, which then serves it to other users' browsers.
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
- XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
- Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
- An attacker can use XSS to send a malicious script to an unsuspecting user.
- The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
- These scripts can even rewrite the content of the HTML page.
Types of Cross Site Scripting
XSS attacks are broadly classified into the following types:
There are many ways in which an attacker can entice a victim into initiating a reflective XSS request.
- Consider a web application that allows users to enter a username that is displayed on each user’s profile page. When other users view the attacker’s profile page, the malicious code automatically executes in the context of their session.
Impact of Cross-Site Scripting
XSS vulnerabilities may occur if:
- Input coming into web applications is not validated
- Output to the browser is not HTML encoded
- SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS).
- Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
- By leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database.
- SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.
- To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data, including customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.
How does SQL Injection work?
- In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.
- In order for an SQL injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement.
- An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: user input is concatenated straight into the statement text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement (database is a placeholder for the application's DB handle)
database.execute(sql)
The above script is a simple example of authenticating a user with a username and a password against a database that has a table named users with a username column and a password column.
- The above script is vulnerable to SQL injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
- A simple example of an SQL injection payload could be something as simple as setting the password field to password' OR 1=1.
- This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
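The concatenated query beside its parameterized replacement, as an added example that is not part of the original notes. It assumes a constructed in-memory SQLite users table with a single row; the second payload string is a well-formed variant of the page's OR 1=1 idea, used only so the bypass can be observed without a syntax error.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user, plaintext password only to keep
    # the demo short (a real application stores a salted password hash).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (id, username, password) VALUES (1, 'alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_sql(uname, passwd):
    # Same string concatenation as the pseudo-code above: the input becomes
    # part of the SQL grammar instead of a value.
    return "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"


def statement_parses(conn, sql):
    # True if SQLite accepts the statement; the page's payload leaves an
    # unterminated quote, so the concatenated statement does not parse.
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def login_vulnerable(conn, uname, passwd):
    # Returns the matched id, or None. Input that closes the quote and adds
    # a true condition is accepted as a login without the real password.
    row = conn.execute(build_vulnerable_sql(uname, passwd)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    # Placeholders send the inputs separately from the statement text, so a
    # quote in the password is compared literally and never rewrites the query.
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (uname, passwd)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("username", "password' OR 1=1"))
    print(login_vulnerable(db, "alice", "x' OR '1'='1"))      # 1: bypassed
    print(login_parameterized(db, "alice", "x' OR '1'='1"))   # None: rejected
```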