
XSS (Cross-Site Scripting) - One Of The Most Notorious Vulnerabilities



This article is for educational purposes*

Today's Internet is called secure by many people, who get a good experience of security from their mobile phones. But they don't realize what it takes for mobile companies to equip their products with security features, which includes making the phone resist many buffer overflow vulnerabilities and many flaws that could have quickly taken over the phone if the company did not a

In today's world, the Internet is an integral part of our lives and we rely heavily on our mobile phones to access it.

As such, it is essential that our phones are secure and protected from potential security threats. However, many people may not be fully aware of the level of effort mobile companies put into ensuring the security of their products.


Knowing XSS Attacks

Here are the three common types of XSS attacks you should know about:

1. DOM-Based XSS Attacks

DOM-based XSS is a type of attack where client-side scripts change the Document Object Model (DOM) of a web page. The malicious script is executed in the victim's browser, rather than being processed by the server. Attackers take advantage of vulnerabilities in the client-side scripts to manipulate the DOM and perform harmful actions. Detecting and preventing DOM-based XSS attacks can be difficult because they do not require direct communication with the server.

2. Reflected XSS Attacks

Reflected XSS attacks involve embedding a harmful script in a URL and sending it to the intended victim. Once the victim opens the URL, the server reflects the script into its response and it runs in the victim's browser, but only for that request: nothing persists on the server. The injected script is generally part of a URL parameter or a form input. These attacks commonly rely on social engineering to deceive users into clicking malicious links.

3. Stored XSS Attacks

Stored XSS occurs when the malicious script is stored on the target server by the attacker. It is then delivered to users whenever they access a particular page, which potentially leads to the execution of the script in their browsers. Attackers often target the areas where the user input is stored like comment sections, forums, or user profiles. When other users view the compromised content, the script executes, and their data can be stolen.
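As an added example, not code from the original post, here is the comment-rendering pattern behind the stored and reflected cases above, written the vulnerable way and the hardened way, together with the output-encoding function that the "Input Sanitization" point under Preventing XSS Attacks calls for. It runs under plain Node.js; the comments, author names and the check function are constructed for this illustration and belong to no real platform.

```javascript
// Added example, not code from the original post: a stored-comment template
// written the vulnerable way and the hardened way, side by side.
// Runs with plain Node.js (no dependencies). All comments below are
// constructed samples, not data from any real platform.

// Output encoding for an HTML text node or a double-quoted attribute value.
// The text survives unchanged for the reader; it simply can no longer be
// parsed as markup. This is *not* enough for other contexts such as a URL,
// a CSS value or a JavaScript string, which need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: user-controlled strings are concatenated straight into markup.
// If the comment came from the database this is stored XSS; if it came from a
// query parameter it is reflected XSS. The template is the same bug either way.
function renderCommentUnsafe(comment) {
  return `<li class="comment" data-author="${comment.author}">${comment.body}</li>`;
}

// Hardened: every interpolation is encoded for the context it lands in
// (here an attribute value and a text node, both covered by escapeHtml).
function renderCommentSafe(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</li>`;
}

// Heuristic a unit test or a log pipeline can apply to rendered output: the
// template only ever emits <li>, so any other tag, or any on*="..." handler
// attribute, means user input was interpreted as markup.
function containsInjectedMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
  const foreignTag = tags.some((t) => t !== "li");
  const handlerAttr = /\son[a-z]+\s*="/i.test(html);
  return foreignTag || handlerAttr;
}

// Constructed sample input: a benign comment, a textbook script injection in
// the body, and an attribute breakout in the author field.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Great post!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
  { author: 'x" onmouseover="alert(1)', body: "hi" },
];

// Render the whole list with either template and count how many entries
// ended up carrying injected markup.
function renderAll(comments, render) {
  const items = comments.map(render);
  return { html: `<ul>${items.join("")}</ul>`, injected: items.filter(containsInjectedMarkup).length };
}

console.log("unsafe template, injected entries:", renderAll(SAMPLE_COMMENTS, renderCommentUnsafe).injected);
console.log("safe template, injected entries:  ", renderAll(SAMPLE_COMMENTS, renderCommentSafe).injected);
```

The point of the two templates is that the fix is not filtering what the user types but encoding what the page emits: the hardened version stores and shows the comment exactly as written, and the browser still never sees a script element.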


An XSS attack occurs when an attacker injects harmful code into a website that is viewed by the user. Importantly, this can happen on any website, even the ones you visit regularly. These attacks spread through web servers that serve HTML and JavaScript. Once the user visits the infected page, the script executes, which can lead to sensitive data being stolen, such as session cookies. Attackers can even perform session hijacking and CSRF attacks against the server. If an attacker gains access to the admin account of the web application, they can cause a lot of damage: they can create a loophole that lets other people access the web server with high privileges.

Not only that, but an attacker can also possibly gain a reverse shell to the web server, which lets him send commands to it and perform malicious actions. In the rarest case, if an attacker also discovers a buffer-overflow RCE vulnerability on the web server, he can even break out of the browser sandbox and run commands against the target operating system, which is really scary because the compromise starts with just a link from the attacker.

Discovering vulnerabilities on well-known platforms such as Google or Instagram can earn a bug bounty reward of $60,000 or even more. So do make sure to report it to the company: stay secure and make others secure.


Exploitability Origin On Social Media



There can be many reasons for an XSS attack to occur on a website or a webpage created by a person.

  • Inadequate Input Validation
Social media platforms often allow users to input text, images, and links. If the platform fails to validate and sanitize this input properly, attackers can inject malicious scripts. When other users view the compromised content, the script executes in their browsers, which can lead to account compromise.

  • Third-Party Apps
This is another of the most common reasons for getting exploited. Social media platforms offer APIs to integrate third-party applications. If these applications are not properly secured, they become an attacker's entry point. Black-hat hackers can exploit vulnerabilities in these apps to launch XSS attacks on users at the moment they grant permissions, taking complete control over their accounts.

  • Persistent XSS
In persistent XSS attacks, the malicious script is stored on the server and runs automatically for every user who accesses a specific page. Attackers can exploit vulnerabilities in social media platforms to inject persistent scripts into user profiles, posts, or comments. Anyone who views the compromised content is affected, and whatever data the malicious script was written to collect is extracted from them.


Preventing XSS Attacks



  • Input Sanitization
As a website developer, it's crucial to have basic security measures in place to sanitize input fields on your website. Unfortunately, I've seen many social media platforms neglecting this important step. I remember the Instagram XSS attack that occurred not too long ago, which allowed attackers to exploit the vulnerability to their heart's content, but soon it was patched.

  • Content Security Policy
Although XSS attacks are scary, they can be made less so with security measures, and Content Security Policy (CSP) is one of them. A CSP header restricts the sources from which scripts and other content may be loaded on a page, so even if a script is injected the browser refuses to run it, which reduces the risk of executing injected scripts.

  • Education and Educating
I think this is the best way to prevent an XSS attack from reaching your device through an unknown link, and the method is obviously education. Now that you know about XSS attacks from this article, you are educated, and your goal becomes educating other people about this attack. Together we can all beat the black-hat hackers at their own game.
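As an added example that is not part of the original post, the block below builds the kind of nonce-based Content-Security-Policy header described under "Content Security Policy", shows the weak 'unsafe-inline' setting beside it, and includes a small policy evaluator so you can check what each header would let a browser run. It runs under Node.js; the origin https://app.example, the sample nonce, and the function names are assumptions made for this example, and the evaluator models the common CSP cases (self, origin and scheme allowlists, nonces, unsafe-inline) rather than the full specification.

```javascript
// Added example, not code from the original post: building a nonce-based
// Content-Security-Policy header and checking what it lets a browser run.
// Runs in Node.js; the origin and nonce values below are constructed samples.

// The weak setting: 'unsafe-inline' lets any injected <script> block run,
// which is exactly what a reflected or stored XSS payload needs.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// The corrected setting: scripts must either come from the page's own origin
// or carry the per-response nonce that the server generates and puts on its
// own <script nonce="..."> tags. Injected markup cannot know the nonce.
function buildCsp(nonce) {
  if (!/^[A-Za-z0-9+\/=_-]{16,}$/.test(nonce)) {
    throw new Error("nonce must be an unguessable base64 value");
  }
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Fresh nonce per response. Web Crypto is global in Node 19+ and in browsers.
function makeNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Buffer.from(bytes).toString("base64");
}

// Parse a CSP header into a map of directive name -> source list. Per the
// spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would `script` be allowed under `header` on a page served from `pageOrigin`?
// `script` is { inline: true, nonce?: string } or { src: "<url>" }.
// Models the common cases only, not every corner of the CSP specification.
function scriptAllowed(header, script, pageOrigin) {
  const directives = parseCsp(header);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no policy covers scripts at all
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  const origin = new URL(script.src).origin;
  return sources.some((s) =>
    s === "*" ||
    (s === "'self'" && origin === pageOrigin) ||
    s === origin ||
    (s.endsWith(":") && origin.startsWith(s)));
}

// Constructed sample values for the demonstration below.
const SAMPLE_NONCE = "rAnd0mN0nceValue1234"; // use makeNonce() per response in practice
const SAMPLE_ORIGIN = "https://app.example";
const STRICT_CSP = buildCsp(SAMPLE_NONCE);

console.log("header:", STRICT_CSP);
console.log("injected inline script under weak policy:  ", scriptAllowed(WEAK_CSP, { inline: true }, SAMPLE_ORIGIN));
console.log("injected inline script under strict policy:", scriptAllowed(STRICT_CSP, { inline: true }, SAMPLE_ORIGIN));
console.log("server's own nonced script:                ", scriptAllowed(STRICT_CSP, { inline: true, nonce: SAMPLE_NONCE }, SAMPLE_ORIGIN));
```

In a real application, call makeNonce() once per response, send buildCsp(nonce) in the Content-Security-Policy response header, and put the same nonce on each script tag the server itself emits; the evaluator is the kind of check you would keep in a test suite so that a later edit cannot quietly reintroduce 'unsafe-inline'.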


Which point do you think is the most crucial one? Comment down below!
