Non Persistent Xss Attack

on Tuesday 19 February 2013

The non-persistent XSS are actually the most commons vulnerabilities that can be found on the Net.

It's commonly named as "non-persistent" because it works on an immediate HTTP response from the

 victim website: it show up when the webpage get the data provided by the attacker's client to

automatically generate a result page for the attackers himself. Standing on this the attacker could

provide some malicious code and try to make the server execute it in order to obtain some result.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker

writes some arbitrary HTML code in the search textbox and, if the website 


is vulnerable, the result page will return the result of these HTML entities.

Simply put, cross site scripting involves the injection of malicious code into a website. It is the most
  
common method of attack at the moment, as most large sites will contain at least one XSS

vulnerability. However, there is more than one type of XSS. The most commonly found is referred to

as "non persistent" XSS. 

None Persistent XSS

Non persistent as the title suggests means that the injected script isn't permanent and just appears for

 the short time the user is viewing the page. The best example of this is a basic coded search engine

for a site. Say for example, the site search script is in this format:

Site.com/search.php?search=text here 

Once something has been searched for, the script may display on the page something along the lines

of:

"Results for text here"

Simply echoing your search string straight onto the page without performing any validation checks.

What if we were to alter the search string to display html of JavaScript? For example:

Site.com/search.php?search=<font color=red>XSS</font> 

Site.com/search.php?search=<script>alert("XSS");</script>

If no sanitation checks are being performed by the search script, this will just be echoed straight onto

the page, therefore displaying an alert or red text. If there was no limit to the size, this could be used

 to display anything you want. 

However, since the attacker can only display code on their own pages, this isn't much of a threat to

other users. Although if the string was turned into Hex the search string may be slightly more hidden

and with a little deception could be used to trick users into thinking the link is legitimate. 


Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do. Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 40 years of imprisonment, if got caught in doing so.

2 comments:

Post a Comment