EXP6

The document outlines an experiment focused on Cross-Site Scripting (XSS) vulnerabilities, explaining the nature of XSS as a client-side code injection attack that targets web browsers. It details how attackers can exploit unsanitized user input to execute malicious scripts, potentially leading to serious consequences like cookie theft and identity theft. The document also describes the mechanisms of XSS attacks and emphasizes the importance of understanding these vulnerabilities in the context of online security.

Uploaded by

pareshgupta2004

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

5 views2 pages

EXP6

Uploaded by

pareshgupta2004

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2

Academic Year: 2025-26 Name of Student:

Semester: VII Student ID:

Class / Branch/ Div: BE- IT/A Roll No.
Subject: SAD Lab Date of Submission:
Name of Instructor:

Experiment No: 06

1. Aim: To study Cross-Site Scripting (XSS) vulnerability lab.

2. Theory:

• Cross-site Scripting (XSS)-

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to
execute malicious scripts in a web browser of the victim by including malicious code
in a legitimate web page or web application. The actual attack occurs when the victim
visits the web page or web application that executes the malicious code. The web page
or web application becomes a vehicle to deliver the malicious script to the user’s
browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks
are forums, message boards, and web pages that allow comments.

A web page or web application is vulnerable to XSS if it uses unsanitized user input in
the output that it generates. This user input must then be parsed by the victim’s browser.
XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they
are most common in JavaScript, primarily because JavaScript is fundamental to most
browsing experiences.

• What Can the Attacker Do with JavaScript?

XSS vulnerabilities are perceived as less dangerous than for example SQL Injection
vulnerabilities. Consequences of the ability to execute JavaScript on a web page may
not seem dire at first. Most web browsers run JavaScript in a very tightly controlled
environment. JavaScript has limited access to the user’s operating system and the user’s
files. However, JavaScript can still be dangerous if misused as part of malicious
content:

Malicious JavaScript has access to all the objects that the rest of the web page has access
to. This includes access to the user’s cookies. Cookies are often used to store session

Department of Information Technology | APSIT

tokens. If an attacker can obtain a user’s session cookie, they can impersonate that user,
perform actions on behalf of the user, and gain access to the user’s sensitive data.
JavaScript can read the browser DOM and make arbitrary modifications to it. Luckily,
this is only possible within the page where JavaScript is running.
JavaScript can use the XMLHttpRequest object to send HTTP requests with arbitrary
content to arbitrary destinations.
JavaScript in modern browsers can use HTML5 APIs. For example, it can gain
access to the user’s geolocation, webcam, microphone, and even specific files from the
user’s file system. Most of these APIs require user opt-in, but the attacker can use social
engineering to go around that limitation.
The above, in combination with social engineering, allow criminals to pull off
advanced attacks including cookie theft, planting trojans, keylogging, phishing, and
identity theft. XSS vulnerabilities provide the perfect ground to escalate attacks to more
serious ones. Cross-site Scripting can also be used in conjunction with other types of
attacks, for example, Cross-Site Request Forgery (CSRF).
There are several types of Cross-site Scripting attacks: stored/persistent XSS,
reflected/non-persistent XSS, and DOM-based XSS. You can read more about
them in an article titled Types of XSS.

• How Cross-site Scripting Works-

There are two stages to a typical XSS attack:

1. To run malicious JavaScript code in a victim’s browser, an attacker must first

find a way to inject malicious code (payload) into a web page that the victim
visits.
2. After that, the victim must visit the web page with the malicious code. If the
attack is directed at particular victims, the attacker can use social engineering
and/or phishing to send a malicious URL to the victim.

Conclusion-
Hence, we learned what is XSS and how it works. Cross-site scripting vulnerabilities
remain one of the major causes of online attacks. Most of the vulnerable areas include
search and login pages that return a response or an error message to the browser – as
well as comment fields that allow script tags.

Department of Information Technology | APSIT

BCIT IT Services Catalogue
80% (5)
BCIT IT Services Catalogue
138 pages
Experiment 7
No ratings yet
Experiment 7
9 pages
Cnise4 Group2..
No ratings yet
Cnise4 Group2..
8 pages
Experiment 7
No ratings yet
Experiment 7
3 pages
WMS Exp 2
No ratings yet
WMS Exp 2
8 pages
Prevention of Cross-Site Scripting Attacks XSS On
No ratings yet
Prevention of Cross-Site Scripting Attacks XSS On
5 pages
XSS Attack and How To Mitigate It
No ratings yet
XSS Attack and How To Mitigate It
8 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
15 pages
Broken Web Security
No ratings yet
Broken Web Security
87 pages
Cross Site Scripting (XSS)
No ratings yet
Cross Site Scripting (XSS)
32 pages
Ethical Hacking: XSS Lab Guide
No ratings yet
Ethical Hacking: XSS Lab Guide
10 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
17 pages
Cross Site Scripting XSS
No ratings yet
Cross Site Scripting XSS
31 pages
What Is Cross-Site Scripting (XSS) ?
No ratings yet
What Is Cross-Site Scripting (XSS) ?
4 pages
Cross-Site Scripting Attacks Procedure and Prevention Strategies
No ratings yet
Cross-Site Scripting Attacks Procedure and Prevention Strategies
3 pages
Cybersecurity 11 Feb (Part 1)
No ratings yet
Cybersecurity 11 Feb (Part 1)
25 pages
Week13 Essay2-Vxd240002
No ratings yet
Week13 Essay2-Vxd240002
2 pages
Cross-Site Scripting (XSS) : The End User's Browser Has No Way To Know That The Script Should
No ratings yet
Cross-Site Scripting (XSS) : The End User's Browser Has No Way To Know That The Script Should
13 pages
Advance XSS Handbook - Codelivly
No ratings yet
Advance XSS Handbook - Codelivly
68 pages
Lect24.1&25 - XSS and Its Demonstration Using DVWA
No ratings yet
Lect24.1&25 - XSS and Its Demonstration Using DVWA
44 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
6 pages
Beginner's Guide to XSS Security
No ratings yet
Beginner's Guide to XSS Security
8 pages
Paper 81-Cross Site Scripting Research A Review
No ratings yet
Paper 81-Cross Site Scripting Research A Review
7 pages
Cross Site Scripting: Name/Mohammed Aburas ID/382015800
No ratings yet
Cross Site Scripting: Name/Mohammed Aburas ID/382015800
17 pages
WMS Exp2
No ratings yet
WMS Exp2
6 pages
Final Report Sample
No ratings yet
Final Report Sample
6 pages
Cross Script Xss
No ratings yet
Cross Script Xss
3 pages
A Study On Removal Techniques of Cross-Site From Web Application
No ratings yet
A Study On Removal Techniques of Cross-Site From Web Application
7 pages
Information Security XSS Lab Guide
No ratings yet
Information Security XSS Lab Guide
14 pages
Ethical Hacking XSS BeeF
No ratings yet
Ethical Hacking XSS BeeF
16 pages
(CyberSec'24) Lab05 - Student Version
No ratings yet
(CyberSec'24) Lab05 - Student Version
29 pages
Chapter 1 Cyber Security
No ratings yet
Chapter 1 Cyber Security
5 pages
Cross Site Scripting Cheat Sheet
No ratings yet
Cross Site Scripting Cheat Sheet
3 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
8 pages
XSS Vulnerabilities Explained
0% (1)
XSS Vulnerabilities Explained
31 pages
XSS Attack Guide for Developers
No ratings yet
XSS Attack Guide for Developers
15 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
20 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
20 pages
CS Lab 7 PDF
No ratings yet
CS Lab 7 PDF
7 pages
Cross Site Scripting Presentation Slides
No ratings yet
Cross Site Scripting Presentation Slides
23 pages
10 Practical Scenarios For XSS Attacks
No ratings yet
10 Practical Scenarios For XSS Attacks
21 pages
WE - Cross Site Scripting
No ratings yet
WE - Cross Site Scripting
5 pages
Understanding XSS for Web Developers
No ratings yet
Understanding XSS for Web Developers
4 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
7 pages
NA
No ratings yet
NA
2 pages
Week 4 Cross - Site Scripting
No ratings yet
Week 4 Cross - Site Scripting
5 pages
Cross Site Scripting XSS CSS: Also Known As or
No ratings yet
Cross Site Scripting XSS CSS: Also Known As or
219 pages
Tutorial Guide: SSTF 2022 Hacker's Playground
100% (1)
Tutorial Guide: SSTF 2022 Hacker's Playground
28 pages
XSS Vulnerability Labs Guide
No ratings yet
XSS Vulnerability Labs Guide
12 pages
XSS Vulnerability Assessment and Prevention in Web Application
No ratings yet
XSS Vulnerability Assessment and Prevention in Web Application
4 pages
Chapter 3 Fundamentals of Cross-Site Scripting (XSS) Attack)
No ratings yet
Chapter 3 Fundamentals of Cross-Site Scripting (XSS) Attack)
22 pages
Cs Lab File
No ratings yet
Cs Lab File
30 pages
Serie 11
No ratings yet
Serie 11
3 pages
Reducing Attack Surface Corresponding To Type 1 Cross-Site Scripting Attacks Using Secure Development Life Cycle Practices
No ratings yet
Reducing Attack Surface Corresponding To Type 1 Cross-Site Scripting Attacks Using Secure Development Life Cycle Practices
4 pages
Xss Research
No ratings yet
Xss Research
2 pages
Xss Introduction
No ratings yet
Xss Introduction
9 pages
XSS Vulnerabilities
No ratings yet
XSS Vulnerabilities
6 pages
Xss Documentation
No ratings yet
Xss Documentation
6 pages
Security Primer XSS 1
No ratings yet
Security Primer XSS 1
1 page
Cross Site Scripting (XSS)
No ratings yet
Cross Site Scripting (XSS)
11 pages
INF Chapter 7 Summary
No ratings yet
INF Chapter 7 Summary
7 pages
Epublish User List
No ratings yet
Epublish User List
4 pages
Attack RC4 Stream Cipher
No ratings yet
Attack RC4 Stream Cipher
6 pages
Linux Firewall Exploration Lab
No ratings yet
Linux Firewall Exploration Lab
10 pages
MY Aadhaar
No ratings yet
MY Aadhaar
1 page
SOC2 Third Party Compliance Checklist
100% (2)
SOC2 Third Party Compliance Checklist
9 pages
Ilovepdf Merged
No ratings yet
Ilovepdf Merged
3 pages
Types of Penetration Testing
No ratings yet
Types of Penetration Testing
4 pages
Lecture 3
No ratings yet
Lecture 3
28 pages
cst300l Orduna Paper1
No ratings yet
cst300l Orduna Paper1
10 pages
New SNE-SNC
No ratings yet
New SNE-SNC
28 pages
03 Computer Viruses
No ratings yet
03 Computer Viruses
8 pages
Enterprise Database Security - A Case Study
No ratings yet
Enterprise Database Security - A Case Study
8 pages
Deepak Kumar: Project Management & AWS Expert
No ratings yet
Deepak Kumar: Project Management & AWS Expert
6 pages
Legislative Data Archiving System
No ratings yet
Legislative Data Archiving System
4 pages
Cloud Computing Concepts & Virtualization
No ratings yet
Cloud Computing Concepts & Virtualization
21 pages
Sample Document - ISMS-DOC-04-1 InfoSec Context, Reqts and Scope
No ratings yet
Sample Document - ISMS-DOC-04-1 InfoSec Context, Reqts and Scope
21 pages
Ict Impact Essay
No ratings yet
Ict Impact Essay
2 pages
Gujarat Technological University
No ratings yet
Gujarat Technological University
2 pages
Ebook - How To Get Your First Job in CS
100% (1)
Ebook - How To Get Your First Job in CS
28 pages
Odisha SPDP
No ratings yet
Odisha SPDP
2 pages
Network Security & Cryptography Guide
100% (1)
Network Security & Cryptography Guide
51 pages
Vikram Reddy Andem
No ratings yet
Vikram Reddy Andem
68 pages
Device For Off Line Micro Payments Resistant To Fraud by Using Wearable Physiological Sensors
No ratings yet
Device For Off Line Micro Payments Resistant To Fraud by Using Wearable Physiological Sensors
3 pages
MFE CostcoFlyer FNL 0322
No ratings yet
MFE CostcoFlyer FNL 0322
1 page
B Ise Admin Guide 22 PDF
No ratings yet
B Ise Admin Guide 22 PDF
1,234 pages
Basic Firewall Configuration - Fortigate To Mikrotik Ipsec VPN
No ratings yet
Basic Firewall Configuration - Fortigate To Mikrotik Ipsec VPN
5 pages
Final Report Review 2
No ratings yet
Final Report Review 2
20 pages
CAS 005 Exam Dumps
No ratings yet
CAS 005 Exam Dumps
9 pages