Secondary Categories: 02-Web Application
Description:
- Stored XSS
- When the application recieves the data from the attacker and includes it later in HTTP responses in an unsafe way.
- Example: Blog post or comment section that allows the user or attacker to enter text in a field and save it to the page. This can be an issue to the developer and the clients that visit the page because each time client or victim visits the page the script or code that we stored into the page is executed since the page is being loaded. This opens the possibility for the attacker to collect cookies, usernames, and other info that may be used for accessing the victims data
- Testing: In order to find XSS attack vectors you neex to test all the relevant entry and exit points via attacker-controllable data. The entry points may include parameters that are passed or other data that is passed in the URL string. or the URL file path. The exit points may be found in HTTP responses that are returned from any application. It may be helpful to use something like BurpSuite to automate testing for XSS
- Links:
- When the application recieves the data from the attacker and includes it later in HTTP responses in an unsafe way.
Resources:
| Title | URL |
|---|---|
| place | holder |