Non-persistent XSS flaws are the most common vulnerabilities found on the Net.
They are called "non-persistent" because they work through an immediate HTTP response from the
victim website: they show up when the web page uses the data provided by the attacker's client to
automatically generate a result page for the attacker himself. Building on this, the attacker can
provide some malicious code and try to have it executed through the server's response in order to obtain some result.
The most common place to find this kind of vulnerability is a website's search engine: the attacker
writes some arbitrary HTML code in the search text box and, if the website
is vulnerable, the result page will render that HTML.
Simply put, cross-site scripting involves the injection of malicious code into a website. It is the most
common method of attack at the moment, as most large sites will contain at least one XSS
vulnerability. However, there is more than one type of XSS. The most commonly found is referred to
as "non persistent" XSS.
Non Persistent XSS
Non persistent, as the title suggests, means that the injected script isn't permanent and only appears for
the short time the user is viewing the page. The best example of this is a simply coded search engine
for a site. Say, for example, the site search script is in this format:
Site.com/search.php?search=text here
Once something has been searched for, the script may display on the page something along the lines
of:
"Results for text here"
That is, it simply echoes your search string straight onto the page without performing any validation checks.
What if we were to alter the search string to display HTML or JavaScript? For example:
Site.com/search.php?search=<font color=red>XSS</font>
Site.com/search.php?search=<script>alert("XSS");</script>
If no sanitization checks are being performed by the search script, this will just be echoed straight onto
the page, therefore displaying an alert or red text. If there was no limit to the size, this could be used
to display anything you want.
However, since the attacker can only display code on their own pages, this isn't much of a threat to
other users. That said, if the string was converted to hex, the search string may be slightly more hidden
and, with a little deception, could be used to trick users into thinking the link is legitimate.
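The echo described above next to an output-encoded version of it, as an added example that is not code from the original post. The function names and the reconstruction of search.php are assumptions; the third query string is a constructed percent-encoded form of the article's second one, showing that encoding at output covers the "hex" variant as well.

```php
<?php
// Added example: a reconstruction of the search.php behaviour described in
// the article. Function names are hypothetical, not from any real site.

// Vulnerable: echoes the search string into the page unchanged.
function render_results_unsafe(string $search): string
{
    return "<p>Results for " . $search . "</p>";
}

// Hardened: HTML-encode at the point of output so markup is shown as text.
function render_results_safe(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for " . $encoded . "</p>";
}

// Constructed query strings: the two from the article, plus the second one
// percent-encoded (the "turned into hex" form of the same link).
$queries = [
    'search=<font color=red>XSS</font>',
    'search=<script>alert("XSS");</script>',
    'search=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E',
];

foreach ($queries as $query) {
    // parse_str() URL-decodes values the same way PHP does when it fills $_GET,
    // so the percent-encoded link yields the same string as the plain one.
    parse_str($query, $params);
    $search = $params['search'] ?? '';

    echo "query:  " . $query . "\n";
    echo "unsafe: " . render_results_unsafe($search) . "\n";
    echo "safe:   " . render_results_safe($search) . "\n\n";
}
```

Run with the PHP command-line interpreter: the "unsafe" lines contain live tags, while the "safe" lines contain `&lt;`, `&gt;` and `&quot;` entities that a browser displays as plain text.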