Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended.
Some website features commonly vulnerable to XSS attacks are:
Local – Local XSS attacks are by far the rarest and the hardest to pull off. This attack requires an exploit for a browser vulnerability. With this type of attack, the hacker can install worms, spambots, and backdoors onto your computer.
Non-Persistent – Non-persistent attacks are the most common types of attack and don’t harm the actual website. Non-persistent attacks occur when a scripting language that is used for client-side web development or HTML is inserted into a variable which causes the output that the user sees to be changed. Non-persistent attacks are only activated when the user visits the URL crafted by the attacker.
Persistent – Persistent attacks are usually used against web applications like guest books, forums, and shout boxes. Some of the things a hacker can do with a persistent attacks are:
Steal website cookies
Deface the website
Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself.
1:First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields. Once we found the input field, let us try to put some string inside the field, for instance let me input "abcd". It will display the result “hi abcd”.It means reflective script is working in website.
<script>alert('abcd')</script>.Now it will display pop-up box with 'abcd' string. Finally, we successfully exploit the XSS . By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.