JavaScript:
JavaScript is the programming language of the web. It is one of the
most popular and in-demand skills in today's job market, for good
reason: JavaScript lets you add powerful interactions to websites.
It is a scripting language understood by the browser. JS is embedded in
HTML pages, and the browser runs the JS instead of displaying it.
Event Handler:
When JavaScript is used in HTML pages, it can "react" to events raised
by the browser. When the page loads, that is an event. When the user
clicks a button, that click too is an event. Other examples include
pressing any key, closing a window, resizing a window, etc.
Onload:
Basically, JavaScript uses the "onload" handler to run code once an object
on a web page has loaded. For example, if I want to show an alert to every
user who visits my website, I would write the following JavaScript code:
<body onload="alert('Welcome to infosecintellegence.blogspot.com')">
So whenever the body tag loads, an alert pops up. Here the loading of
the body tag is the event, and onload is the event handler that decides
what action happens on that event.
Similarly, there are many JavaScript event handlers that define what
happens for other kinds of actions, such as scrolling down the page or
an image failing to load.
Onmouseover:
With onmouseover, when the user moves the cursor over the text, the
additional code is executed. Example:
<a onmouseover="alert('50% discount')">surprise</a>
Common event handlers:
→ onclick: invokes JavaScript upon clicking (a link, or a form box)
→ onload: invokes JavaScript after the page or an image has finished loading
→ onmouseover: invokes JavaScript when the mouse passes over some link
→ onmouseout: invokes JavaScript when the mouse moves off some link
→ onunload: invokes JavaScript right after someone leaves this page
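Because every one of these attributes runs JavaScript as soon as its event fires, a reviewer auditing a template or page source wants to know where they appear. The following helper is an added example, not code from the original post; the sample markup it scans is constructed from the two snippets above.

```javascript
// Added audit helper, not code from the original post: lists the inline
// event-handler attributes (onload, onmouseover, onclick, ...) present in a
// piece of HTML, so a reviewer can see exactly where markup runs JavaScript
// as soon as the event fires. It is a triage aid for templates and page
// source, not an HTML sanitizer: a regex scan does not model every parsing
// quirk (for example a ">" inside an attribute value ends the tag early here).

// one tag: name, then everything up to the closing ">"
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// one handler attribute: on<event> = "value" | 'value' | bare value
const HANDLER_ATTR_RE = /\b(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findInlineHandlers(html) {
  const hits = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const [, tag, attrs] = tagMatch;
    for (const m of attrs.matchAll(HANDLER_ATTR_RE)) {
      const value = m[2] ?? m[3] ?? m[4];
      hits.push({ tag: tag.toLowerCase(), attr: m[1].toLowerCase(), value });
    }
  }
  return hits;
}

// Constructed sample reusing the two inline-handler snippets shown above.
const SAMPLE_HTML = `
<body onload="alert('Welcome to infosecintellegence.blogspot.com')">
  <a onmouseover="alert('50% discount')">surprise</a>
  <a href="/offers">plain link, no handler</a>
</body>`;

function auditSample() {
  return findInlineHandlers(SAMPLE_HTML);
}

for (const h of auditSample()) {
  console.log(`<${h.tag}> runs JavaScript on ${h.attr}: ${h.value}`);
}
```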
Cross Site Scripting:
It is a flaw in a web application that allows an attacker to execute
malicious JavaScript in another victim's browser through a code
injection attack. In this attack the user is not directly targeted
with a payload; instead the attacker exploits the XSS vulnerability by
inserting a malicious script into a web page so that it appears to
users as a genuine part of the website. Whenever any user visits that
website, it automatically sends the malicious JavaScript code to the
user's browser without their knowledge.
{please look image 01}
There are three types of Cross-Site Scripting, commonly known as:
→ Persistent XSS
→ Non-persistent XSS
→ DOM-Based XSS
Persistent:
A persistent XSS is also known as stored XSS because, through this
vulnerability, the injected malicious script is permanently stored on
the web server and the application serves it back to every user who
visits the website. When the client views or clicks on the payload,
which appears as an official part of the website, the injected
JavaScript is executed by the browser.
Eg:
The following script will be executed in DVWA (Damn Vulnerable Web Application):
<script>alert(document.cookie)</script>
{please look image 02}
Non-Persistent:
The non-persistent XSS is also known as reflected XSS. It occurs when
the web application responds immediately to the user's input without
validating it, which lets an attacker inject browser-executable code
into a single HTML response. It is named non-persistent because the
malicious script is not stored on the web server; therefore the
attacker sends the malicious link to the user through phishing to
trap them.
Eg:
The following script will be tested with DVWA:
<script>alert("Experiencing Hacking")</script>
{please look image 03}
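Stored and reflected XSS share one root cause: untrusted text is concatenated into HTML. The following is an added defensive example, not code from the post or from DVWA, showing a vulnerable guestbook renderer beside an output-encoded one and a reflected search echo; function names and the sample entries are constructed for the example.

```javascript
// Added defensive example (not the post's or DVWA's code). Encoding the five
// HTML metacharacters at output time turns the post's payloads into inert text,
// whether they arrive from the database (stored) or from the request (reflected).

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored case: guestbook entries come back from the database on every visit.
function renderGuestbookUnsafe(entries) {
  // vulnerable: stored text is placed straight into the markup
  return entries.map(e => `<div class="entry"><b>${e.name}</b>: ${e.message}</div>`).join('\n');
}

function renderGuestbookSafe(entries) {
  return entries
    .map(e => `<div class="entry"><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.message)}</div>`)
    .join('\n');
}

// Reflected case: the search term is echoed back in the same response.
// The quoted attribute is covered too because escapeHtml encodes both quote characters.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>\n<input name="q" value="${escapeHtml(query)}">`;
}

// Check usable in a test or a response filter: does any <script ...> tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the stored-XSS payload from the post as a guestbook message.
const SAMPLE_ENTRIES = [
  { name: 'alice', message: 'nice site' },
  { name: 'mallory', message: '<script>alert(document.cookie)</script>' },
];

console.log(renderGuestbookSafe(SAMPLE_ENTRIES));
```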
DOM-Based:
The Document Object Model is an API that gives programmers and
developers the ability to produce and change HTML and XML documents as
programming objects.
JavaScript is the language used with the DOM, and it is used across
websites generally. Through JavaScript, the elements of an HTML document
can be accessed, modified, added or deleted using the DOM, which is what
makes dynamic changes to the page possible.
When an HTML document is loaded into a web browser, it becomes a
document object. The document object is the root node of the HTML
document and the owner of all other nodes.
The HTML DOM model is constructed as a tree of Objects.
{please look image 04}
With the object model, JavaScript gets all the power it needs to
create dynamic HTML:
→ JavaScript can change all the HTML elements in the page
→ JavaScript can change all the HTML attributes in the page
→ JavaScript can change all the CSS styles in the page
→ JavaScript can remove existing HTML elements and attributes
→ JavaScript can add new HTML elements and attributes
→ JavaScript can react to all existing HTML events in the page
→ JavaScript can create new HTML events in the page
DOM-Based Cross-Site Scripting is a vulnerability that appears in the
document object model instead of in the HTML page. The attacker does not
get the malicious script executed by the website itself; it runs on the
user's local machine from the URL. It is quite different from reflected
and stored XSS because the developer cannot find the malicious script in
the HTML source code or in the HTML response; it can only be observed at
execution time.
DOM-Based XSS exploits the user's computer through the following steps:
→ The attacker creates a well-built malicious website
→ The unsuspecting user opens that site
→ The user has a vulnerable page on his machine
→ The attacker's website sends commands to the vulnerable HTML page
→ The vulnerable local page executes those commands with the user's
privileges on that machine
→ The attacker easily gains control of the victim machine
Eg: The following code will be tested with DVWA in the DOM-Based XSS exercise:
#<script>alert("you have been hacked")</script>
{please look image 05}
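The fragment after "#" never reaches the server, so the browser-side code is the only place this can be stopped. The following is an added client-side example, not the post's or DVWA's code: it assumes a page that reads a language name from a "#lang=<name>" fragment and writes a select box, and it defends by decoding carefully, allow-listing the value, and building the markup only from known constants.

```javascript
// Added client-side example (not the post's or DVWA's code). A page reads a
// language name from the URL fragment and writes it into the document; the
// fragment is never sent to the server, so only this code can prevent the
// DOM-based XSS. The "#lang=<name>" format and the option list are assumptions.

const ALLOWED_LANGS = ['English', 'French', 'Spanish', 'German'];

// Extract the lang value from a fragment such as "#lang=French".
// Returns '' for a missing key or for malformed percent-encoding
// (decodeURIComponent throws on input such as "%E0"; that must not crash the page).
function langFromFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of raw.split('&')) {
    const [key, ...rest] = pair.split('=');
    if (key !== 'lang') continue;
    try {
      return decodeURIComponent(rest.join('='));
    } catch (err) {
      return '';
    }
  }
  return '';
}

// Allow-list check: anything that is not an exact known value falls back to the default.
function selectLanguage(hash) {
  const candidate = langFromFragment(hash);
  return ALLOWED_LANGS.includes(candidate) ? candidate : ALLOWED_LANGS[0];
}

// The only string that ever reaches an HTML sink is assembled from ALLOWED_LANGS,
// so no attacker-controlled characters can be part of it.
function renderLanguageSelect(hash) {
  const selected = selectLanguage(hash);
  const options = ALLOWED_LANGS.map(l =>
    `<option value="${l}"${l === selected ? ' selected' : ''}>${l}</option>`);
  return `<select name="default">\n${options.join('\n')}\n</select>`;
}

// In a browser the result would be applied like this; document.write or
// innerHTML on the raw fragment is the vulnerable pattern this replaces.
// document.getElementById('lang-box').innerHTML = renderLanguageSelect(location.hash);

console.log(renderLanguageSelect('#lang=<script>alert("you have been hacked")</script>'));
```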