XSS hacking can happen to you while browsing the same website, what is it and how to avoid it?



When you hear the term cross-site scripting (XSS), you might think it's a bit complicated and technical. It is a method in which hackers place malicious code on a website in order to attack users through the pages they view. Let's take one incident as a basis for understanding what this process looks like.




The Samy worm phenomenon


This is the most famous incident of XSS, and it happened in 2005. It is said that 16-year-old Samy Kamkar started the attack. He now teaches ethical hacking on YouTube. At that time, he was using a social networking platform called MySpace. He did one thing there that brought about a great change.




Samy wrote a script (code) and injected it into his MySpace profile. The profile of anyone who visited his profile was infected with that code. However, the visitor did not know about the impact on their own profile.


When a person visited Samy's profile, the code made that person unknowingly add Samy as a friend. The code also added the message 'but most of all, Samy is my hero' to the visitor's profile. From there it spread in such a way that the profiles of those who visited Samy's profile got infected themselves. Similarly, the profile of anyone who viewed another infected profile was also infected. Within 24 hours, millions of user accounts were infected.



Samy did this just for fun. However, its impact created a situation where the MySpace platform had to be taken offline. Meanwhile, Samy got into legal trouble. It revealed how a small incident can turn into a terrible one in cyberspace.


Cross Site Scripting Attack on PayPal


The payment service provider PayPal has been widely used since its inception because of its safe and reliable transactions. In 2006, a cross-site scripting vulnerability was discovered in PayPal.


With the help of this attack, a hacker could inject malicious code into PayPal's website and, through it, push customers to reveal sensitive information such as credit card numbers, social security numbers and ATM PINs.


The attacker could redirect the user from PayPal's genuine webpage to a fake webpage. This is also called a phishing technique (ensnaring users on the Internet in the way a fish is baited).


On that fake page, users were asked to log in, and they submitted their personal details. The attackers collected such information in large quantities. As a result, the risk of identity theft and financial loss for the affected users increased.


But PayPal immediately discovered and resolved this security flaw. However, this incident highlighted the importance of strong security measures to protect user data in online payment systems.


British Airways data breach


Even a big company like British Airways could not escape an attack like XSS. In 2018, the data of millions of users was exposed due to an XSS vulnerability. Because of a vulnerability in its website, hackers managed to inject malicious code.


Due to this, the user's information, including their payment details, fell into the hands of hackers. It is said that the personal and financial information of about 380,000 customers was stolen in this way.


What is Cross Site Scripting i.e. XSS?


Before discussing this topic, let's first look at how a website is made. Generally, a website is made up of three elements: HTML, CSS and JavaScript. HTML gives it shape, CSS determines the design and JavaScript acts like a brain. If someone can somehow control the brain, then they can do whatever they want.


If someone can get their own code to run alongside this JavaScript, they can use the website as they want. Cross-site scripting is a method used to take control of a website in this way. The hacker sends code that puts the website, as the visitor sees it, under the hacker's control, so that it does what the hacker wants.


Now let's understand how it works. First, after finding an XSS vulnerability, the attacker places the malicious code in a place that visitors view frequently. When a user visits that page, the malicious code is executed in their browser, and the script steals sensitive information such as cookies, session tokens and personal information.


There are generally three types of XSS.


1) Stored XSS


This is a script that is permanently placed on a targeted server, for example in a database or on a message board. It is considered the worst form of XSS. Because the script stays on the target server, the code is executed every time a new visitor opens that page, and it takes whatever data it was written to steal.


For example, Facebook has a website where we comment on various posts. Now suppose the attacker injects a script into the comment section. Since the comments are stored in the database of the Facebook website, when a person views the comment section, the attacker's code is executed in that person's browser. Besides stealing cookies, logs and activity, it leads users to malicious websites.


2) Reflected XSS


This is a script that the web server sends straight back in its response, for example in search results or error messages. It is not stored on the server like the stored XSS above. It is called reflected XSS because the server reflects it back into the webpage, where it becomes visible.


The attacker places a malicious link containing a script somewhere the user is likely to click on it. The script is placed in the search bar input. An error-like popup then appears, the malicious script is executed, and it does its job of stealing data.


For example, suppose you visit an e-commerce site and search for a product in the search bar. If an attacker has injected malicious code into the search, a link with an error message (http://example.com/search?q=<script>alert('Hacked!')</script>) is shown.


In this case, if you click on the link, the code will be executed and a popup alert will appear saying that it has been hacked. Then, with the help of that code, the attacker steals your sensitive information.
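The stored and reflected cases above fail at the same point: untrusted text is pasted into the page as markup. The following is an added example, not code from the original article, showing a search page and a comment list rendered with and without output encoding; the function names and sample comments are constructed for illustration.

```javascript
// Added example (not from the original article). Function names and the
// sample comment list are constructed for illustration.

// Encode the five characters that let text break out of HTML text or a
// quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the search term from a request URL (the URL API percent-decodes it).
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get("q") || "";
}

// Reflected case, vulnerable: the term is pasted into the page as markup.
function renderSearchUnsafe(requestUrl) {
  return "<p>No results for " + searchTerm(requestUrl) + "</p>";
}

// Reflected case, hardened: the term is encoded, so the browser shows it as text.
function renderSearchSafe(requestUrl) {
  return "<p>No results for " + escapeHtml(searchTerm(requestUrl)) + "</p>";
}

// Stored case: comments come back from the database as untrusted text and
// are encoded every time they are rendered, for every visitor.
function renderCommentsSafe(comments) {
  const items = comments.map(
    (c) => "<li><b>" + escapeHtml(c.author) + "</b>: " + escapeHtml(c.text) + "</li>"
  );
  return "<ul>" + items.join("") + "</ul>";
}

// Constructed sample input: the article's own link and a stored comment list.
const SAMPLE_URL = "http://example.com/search?q=<script>alert('Hacked!')</script>";
const SAMPLE_COMMENTS = [
  { author: "visitor", text: "Nice post & thanks" },
  { author: "attacker", text: "<script>alert('Hacked!')</script>" },
];

console.log(renderSearchUnsafe(SAMPLE_URL));
console.log(renderSearchSafe(SAMPLE_URL));
console.log(renderCommentsSafe(SAMPLE_COMMENTS));
```

This encoding is correct for HTML text and quoted attribute values only; values placed inside a script block, a URL or a style rule need the encoding for that context.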


3) DOM Based XSS


This is an attack that is executed entirely on the client side. It does not require a request to the server. For example, suppose there is a website that uses JavaScript to read the parameters of the URL and updates the content of the webpage accordingly. If that JavaScript does not sanitize the input, the attacker creates a URL like this: http://example.com/#<script>alert('Hacked!')</script>. If the website trusts the attacker's input and updates the DOM without validating it, the code is executed in the user's browser and the attacker steals the data.
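The client-side pattern described above, next to a hardened version, as an added example that is not code from the original article. The section names, the function names and the plain objects standing in for window.location and a DOM element are assumptions made so the code runs outside a browser.

```javascript
// Added example (not from the original article). Section names, function
// names and the stand-in objects are assumptions made for illustration.

// Text after "#" in the URL, percent-decoded. Browsers return the fragment
// percent-encoded; malformed escapes are treated as an empty value.
function fragmentText(hash) {
  try {
    return decodeURIComponent(String(hash).replace(/^#/, ""));
  } catch (e) {
    return "";
  }
}

// Vulnerable pattern: the fragment goes into innerHTML, a sink that parses
// its input as markup, so attacker-chosen markup becomes part of the DOM.
function showSectionUnsafe(loc, el) {
  el.innerHTML = "Section: " + fragmentText(loc.hash);
}

// Hardened: validate the fragment against a list of known values, then write
// it with textContent, which never parses markup.
const KNOWN_SECTIONS = new Set(["overview", "pricing", "contact"]); // hypothetical names

function showSectionSafe(loc, el) {
  const name = fragmentText(loc.hash);
  const section = KNOWN_SECTIONS.has(name) ? name : "overview";
  el.textContent = "Section: " + section;
  return section;
}

// In a browser the call would be:
//   showSectionSafe(window.location, document.getElementById("title"));
// Offline, plain objects stand in for window.location and the element.
function demo(hash) {
  const unsafeEl = {};
  const safeEl = {};
  showSectionUnsafe({ hash }, unsafeEl);
  showSectionSafe({ hash }, safeEl);
  return { unsafeEl, safeEl };
}

// Constructed input: the fragment from the article's URL, as a browser reports it.
console.log(demo("#%3Cscript%3Ealert('Hacked!')%3C/script%3E"));
console.log(demo("#pricing"));
```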


How to avoid?


Looking at XSS, one might think that it is a technical flaw that is only a concern of developers. However, it affects all of us. When we log in to a website, send a message or comment, we trust that the platform is secure.


However, if a hacker discovers a weakness in that website and injects harmful code into it, then our data is stolen as well. Therefore, website operators should take such matters seriously. Users should not log in to that same website.
