✔️ Ability to attack web applications' users

✔️ Ability to control web application's content

✔️ Gain advanced web attack skills

→ vulnerability that lets attacker control some part of a web application

→ attacker can target web application users

• what all can we do by exploiting an XSS:
• actors involved in an XSS:

🕸️Vulnerable Web Application

when web app uses unfiltered user input to build output content

content is displayed

→ this way an attacker controls the output

→ using HTML and Javascript

attack on application user

in this attack, the user input is any parameter coming from client side:

• request headers
• cookies
• form inputs
• POST parameters
• GET parameters
• Prevention of XSS:

👥Users

victims of the XSS

• visitors
• even admin himself

what happens:

1. inject malicious code,
2. code is displayed in the output,
3. malicious code is rendered by browsers of visitors

Victim will not recognize he/she is being attacked

🕵️‍♂️Attackers

Attacker exploits XSS like this

1. make the browser load malicious content
2. perform operations on their (victim) behalf (change password, buy items)
3. steal the session cookie (allowing them to impersonate visitor)

Leads to entire website takeover if attacker steals cookies of admin!!