Share
## https://sploitus.com/exploit?id=670D5608-2D02-5195-9738-E34DCF516C1D
# 100-days-challenge-day-30-XSS-attacks

XSS attacks demonstrated how attackers steal sessions and manipulate users.

XSS Attacks (Cross-Site Scripting)

 What is XSS?
 
XSS is a web vulnerability where attackers inject malicious JavaScript into a trusted website.

When users load the page, the script runs in their browser — allowing attackers to steal data, hijack sessions, or manipulate content.

How XSS Works (Simple Flow)

1️ Website takes user input (search, comment, form)

2️ Input is not properly filtered or escaped

3️ Malicious script is stored or reflected on a page

4️ Victim opens the page

5️ Script executes in victim’s browser

Learning Demo (Safe Example)

If a site is vulnerable and displays raw input:

alert('XSS')

A popup appears — proving JavaScript execution is possible.

Types of XSS

Type	Description

Reflected XSS	Script comes from URL or form and runs immediately

Stored XSS	Script saved in database (comments, profiles, posts)

DOM-Based XSS	JavaScript modifies page content insecurely in browser

What Attackers Can Do

Steal session cookies, Hijack logged-in accounts, Log keystrokes, Redirect to phishing pages, Modify website content

Prevention (Developer View)

Escape output (HTML encoding),  Sanitize all inputs, Use Content Security Policy (CSP), Avoid innerHTML in JavaScript, Set cookies: HttpOnly, Secure, SameSite, Use security frameworks/libraries

XSS Attacks Demonstrated (Cross-Site Scripting)

 What is XSS?
 
XSS (Cross-Site Scripting) is a vulnerability where attackers inject malicious JavaScript into a trusted website.

When users visit the page, the script runs in their browser — stealing cookies, sessions, or redirecting them to fake pages.

Simple Demonstration 

 Scenario
 
A website has a search box or comment field that displays user input without validation.

1️ Iput Field

User enters this:

alert('XSS Attack!')

2️ What Happens?

If the website is vulnerable:

The script executes in the browser, A popup appears saying:"XSS Attack!" This proves JavaScript injection is possible

Real-World Impact

Instead of alerts, attackers can run:

Steal cookies, Hijack login sessions, Log keystrokes, Redirect to phishing sites

Types of XSS (Quick View)

Type	Description

Reflected XSS	Script comes from URL input and runs immediately

Stored XSS	Script saved in database (comments, profiles)

DOM-Based XSS	JavaScript modifies page content insecurely

Prevention Tips

Input escaping (HTML encoding), Use Content Security Policy (CSP),  Validate & sanitize all inputs, Avoid innerHTML in JavaScript,  Use secure frameworks

How Attackers Steal Sessions & Manipulate Users

 What Is a Session?
 
When you log into a website, the server gives your browser a session ID (cookie).

This ID proves you’re authenticated — you don’t need to log in on every page.

If an attacker gets this cookie, they can become you on that website.

1 Session Stealing (Session Hijacking)

 The Goal
 
Steal the victim’s session cookie and reuse it to access their account.

Common Learning Scenario (XSS-Based)

 Vulnerable Website
 
A site allows users to post comments without filtering scripts.

 What Happens
 
An attacker injects malicious JavaScript into a comment.

When a victim views it, the script runs in their browser.

 Result
 
The script can silently:

Read the session cookie, Send it to an attacker-controlled server, Let the attacker reuse it to log in as the victim

Other Ways Sessions Get Stolen

Method	How It Works

Public Wi-Fi Sniffing	Captures unencrypted cookies on insecure networks

Malware / Browser Extensions	Reads cookies from infected devices

Session Fixation	Forces victim to use a known session ID

Phishing	Tricks users into logging in on fake sites

2️ How Attackers Manipulate Users

Once attackers control a session or inject scripts, they can:

 Spy On Users
 
Log keystrokes, Read private messages, Track browsing behavior

 Redirect Users
 
Send them to fake login pages, Force downloads of malware, Show scam popups

 Modify Page Content
 
Change payment details, Replace links with malicious ones, Show fake security warnings

Real-World Example (Safe Explanation)

A victim logs into a site at a café using open Wi-Fi.

An attacker intercepts the session cookie.

Now the attacker opens the site and is already logged in as the victim — no password needed.

How to Prevent This (Defender View)

 For Developers
 
•	 Use HTTPS everywhere

•	 Set cookies as:

o	HttpOnly

o	Secure

o	SameSite=Strict

 Implement Content Security Policy (CSP), Sanitize and escape all user inputs, Regenerate session IDs after login.
 
 For Users
 
 Avoid public Wi-Fi for logins, Use browser security extensions, Enable 2FA, Don’t click suspicious links.
 
#XSS

#WebSecurity 

#CyberSecurity

#EthicalHacking

#BugBounty 

#JavaScriptSecurity

#InfoSec

#SessionHijacking 

#VAPT 



Academy: SKILLSUPRISE


Mentor: Manojkumar Koravangi