## https://sploitus.com/exploit?id=670D5608-2D02-5195-9738-E34DCF516C1D
# 100-days-challenge-day-30-XSS-attacks
XSS attacks demonstrated how attackers steal sessions and manipulate users.
XSS Attacks (Cross-Site Scripting)
What is XSS?
XSS is a web vulnerability where attackers inject malicious JavaScript into a trusted website.
When users load the page, the script runs in their browser — allowing attackers to steal data, hijack sessions, or manipulate content.
How XSS Works (Simple Flow)
1️ Website takes user input (search, comment, form)
2️ Input is not properly filtered or escaped
3️ Malicious script is stored or reflected on a page
4️ Victim opens the page
5️ Script executes in victim’s browser
Learning Demo (Safe Example)
If a site is vulnerable and displays raw input:
alert('XSS')
A popup appears — proving JavaScript execution is possible.
Types of XSS
Type Description
Reflected XSS Script comes from URL or form and runs immediately
Stored XSS Script saved in database (comments, profiles, posts)
DOM-Based XSS JavaScript modifies page content insecurely in browser
What Attackers Can Do
Steal session cookies, Hijack logged-in accounts, Log keystrokes, Redirect to phishing pages, Modify website content
Prevention (Developer View)
Escape output (HTML encoding), Sanitize all inputs, Use Content Security Policy (CSP), Avoid innerHTML in JavaScript, Set cookies: HttpOnly, Secure, SameSite, Use security frameworks/libraries
XSS Attacks Demonstrated (Cross-Site Scripting)
What is XSS?
XSS (Cross-Site Scripting) is a vulnerability where attackers inject malicious JavaScript into a trusted website.
When users visit the page, the script runs in their browser — stealing cookies, sessions, or redirecting them to fake pages.
Simple Demonstration
Scenario
A website has a search box or comment field that displays user input without validation.
1️ Iput Field
User enters this:
alert('XSS Attack!')
2️ What Happens?
If the website is vulnerable:
The script executes in the browser, A popup appears saying:"XSS Attack!" This proves JavaScript injection is possible
Real-World Impact
Instead of alerts, attackers can run:
Steal cookies, Hijack login sessions, Log keystrokes, Redirect to phishing sites
Types of XSS (Quick View)
Type Description
Reflected XSS Script comes from URL input and runs immediately
Stored XSS Script saved in database (comments, profiles)
DOM-Based XSS JavaScript modifies page content insecurely
Prevention Tips
Input escaping (HTML encoding), Use Content Security Policy (CSP), Validate & sanitize all inputs, Avoid innerHTML in JavaScript, Use secure frameworks
How Attackers Steal Sessions & Manipulate Users
What Is a Session?
When you log into a website, the server gives your browser a session ID (cookie).
This ID proves you’re authenticated — you don’t need to log in on every page.
If an attacker gets this cookie, they can become you on that website.
1 Session Stealing (Session Hijacking)
The Goal
Steal the victim’s session cookie and reuse it to access their account.
Common Learning Scenario (XSS-Based)
Vulnerable Website
A site allows users to post comments without filtering scripts.
What Happens
An attacker injects malicious JavaScript into a comment.
When a victim views it, the script runs in their browser.
Result
The script can silently:
Read the session cookie, Send it to an attacker-controlled server, Let the attacker reuse it to log in as the victim
Other Ways Sessions Get Stolen
Method How It Works
Public Wi-Fi Sniffing Captures unencrypted cookies on insecure networks
Malware / Browser Extensions Reads cookies from infected devices
Session Fixation Forces victim to use a known session ID
Phishing Tricks users into logging in on fake sites
2️ How Attackers Manipulate Users
Once attackers control a session or inject scripts, they can:
Spy On Users
Log keystrokes, Read private messages, Track browsing behavior
Redirect Users
Send them to fake login pages, Force downloads of malware, Show scam popups
Modify Page Content
Change payment details, Replace links with malicious ones, Show fake security warnings
Real-World Example (Safe Explanation)
A victim logs into a site at a café using open Wi-Fi.
An attacker intercepts the session cookie.
Now the attacker opens the site and is already logged in as the victim — no password needed.
How to Prevent This (Defender View)
For Developers
• Use HTTPS everywhere
• Set cookies as:
o HttpOnly
o Secure
o SameSite=Strict
Implement Content Security Policy (CSP), Sanitize and escape all user inputs, Regenerate session IDs after login.
For Users
Avoid public Wi-Fi for logins, Use browser security extensions, Enable 2FA, Don’t click suspicious links.
#XSS
#WebSecurity
#CyberSecurity
#EthicalHacking
#BugBounty
#JavaScriptSecurity
#InfoSec
#SessionHijacking
#VAPT
Academy: SKILLSUPRISE
Mentor: Manojkumar Koravangi