Cross-Site Scripting, known as XSS, is the injection of a malicious script into a specific endpoint. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Because the malicious code is executed in the browser, on the client side, whenever a user visits the injected endpoint, XSS is considered the most reported web vulnerability on modern websites.
The target is a private blogging system shared between an administrator and low-privileged registered users. The application allows users to submit articles to a verification board on the administration side.
All submitted articles are listed on the admin side with their post title and a short description.
Users submit them through input forms such as the example shown below:
<form action="/bloging" method="post">
  <div><label for="name">Name:</label><input type="text" id="name" name="user_name"></div>
  <div><label for="title">Title:</label><input type="text" id="title" name="post_title"></div>
  <div><label for="msg">Body:</label><textarea id="msg" name="user_message"></textarea></div>
</form>
We can see that there are multiple inputs, so the first thing to test is to inject a script as the POST values, in the hope that it is executed on the admin side when the page is rendered. There are common payloads for testing XSS, depending on what you are trying to escape; in our case we will start with a simple one.
This payload pops up a message with the value XSS on the admin side if these values are not escaped while the page is rendered.
After the attacker submits it, the admin is notified of a pending submission on their own dashboard.
When the admin visits the dashboard to check, the popup executes on the administration side. At this point an attacker is able to inject other malicious payloads to steal the admin's session, or even trick the admin into performing unwanted actions through the browser.
Escaping content and preventing XSS with:
A basic CSP that disables execution of inline scripts:
Content-Security-Policy: default-src 'self'
Enabling a WAF can also be a good solution in some cases.
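The following is an added example, not code from the original post or from the blogging application it describes. It shows the two mitigations above applied on the server side: every user-controlled field from the form (user_name, post_title, user_message are the field names from the form above) is HTML-escaped at the point it is written into the admin's pending-submissions list, and the response carries the Content-Security-Policy header from the post. The renderer, the securityHeaders helper and the sample submissions are constructed for this example; the second sample carries the kind of script payload the post describes so you can see it rendered as inert text.

```javascript
// Added example (not the original post's code): output escaping for the
// admin dashboard plus the CSP header recommended above.

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute. This encoder is for HTML body/attribute context only;
// values placed into URLs or JavaScript need their own context-specific encoder.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the admin "pending submissions" list (title + short description, as the
// post describes). Every user-controlled field passes through escapeHtml at the
// moment it is inserted into the markup, never earlier and never skipped.
function renderSubmissionList(submissions) {
  const rows = submissions.map((s) => {
    const shortDescription = String(s.user_message).slice(0, 80);
    return (
      '<li>' +
      `<strong>${escapeHtml(s.post_title)}</strong> by ${escapeHtml(s.user_name)}` +
      `<p>${escapeHtml(shortDescription)}</p>` +
      '</li>'
    );
  });
  return `<ul class="pending">${rows.join('')}</ul>`;
}

// The CSP from the post. With no explicit script-src, script-src falls back to
// default-src 'self', which blocks inline <script> blocks and inline event
// handlers even if an escape is missed somewhere in a template.
const CONTENT_SECURITY_POLICY = "default-src 'self'";

// Headers to set on the admin dashboard response (hypothetical helper).
function securityHeaders() {
  return {
    'Content-Security-Policy': CONTENT_SECURITY_POLICY,
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Constructed sample submissions: one ordinary article and one whose title is
// the kind of script tag the post describes being injected via the form.
const SAMPLE_SUBMISSIONS = [
  { user_name: 'alice', post_title: 'Hello', user_message: 'First post' },
  {
    user_name: 'mallory',
    post_title: '<script>alert("XSS")</script>',
    user_message: 'Please <b>approve</b> me',
  },
];

// Defender's self-check: after escaping, no raw tag may survive in the output.
function renderedPageIsSafe(submissions) {
  const html = renderSubmissionList(submissions);
  return !/<script|<b>/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(securityHeaders());
  console.log(renderSubmissionList(SAMPLE_SUBMISSIONS));
  console.log('safe:', renderedPageIsSafe(SAMPLE_SUBMISSIONS));
}
```

Run it with node to see the escaped list; the injected title appears literally as `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` in the markup and is shown to the admin as text rather than executed. The CSP is the second layer: it does not replace escaping, but it stops an inline script from running if a template somewhere forgets to call escapeHtml.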