XSS hacking can happen to you while browsing the same website, what is it and how to avoid it?



When you hear the term cross-site scripting (XSS), you might think it sounds complicated and technical. It is an attack method in which hackers place malicious code on a website so that it runs in the browsers of the users who view the affected pages. Let's use some real incidents to understand what this looks like in practice.




The Samy worm phenomenon


This is the most famous XSS incident, and it happened in 2005. It is said that 16-year-old Samy Kamkar started the attack; he now teaches ethical hacking on YouTube. At that time he was using a social networking platform called MySpace, and what he did there had a large impact.




Samy wrote a script and injected it into his MySpace profile. Whoever visited his profile had their own profile infected with that code, without knowing that anything had happened to it.


When someone viewed Samy's profile, the code silently added Samy as a friend from that person's account. It also wrote the message 'but most of all, Samy is my hero' onto their profile. From there it spread: anyone who viewed Samy's profile was infected, and anyone who viewed another infected profile was infected in turn. Within 24 hours, millions of user accounts were infected.



Samy did this just for fun. Because of its impact, however, the MySpace platform had to be taken offline, and Samy got into legal trouble. It showed how a small incident can turn into a serious one in cyberspace.


Cross Site Scripting Attack on PayPal


Since its inception, the payment service provider PayPal has been widely used because of its safe and reliable transactions. In 2006, a cross-site scripting vulnerability was discovered in PayPal.


Using this vulnerability, a hacker could inject malicious code into PayPal's website and, through it, trick customers into revealing sensitive information such as credit card numbers, social security numbers and ATM PINs.


The attacker could redirect the user from PayPal's genuine webpage to a fake one. This is also called phishing (ensnaring users on the Internet, like baiting a fish).


That fake page asked the user to log in, and the user submitted their personal details. The attackers collected such information in large quantities, which increased the risk of identity theft and financial loss for the victims.


PayPal discovered and fixed this security flaw promptly. Even so, the incident highlighted the importance of strong security measures to protect user data in online payment systems.


British Airways data breach


Even a company as big as British Airways was not spared an attack like XSS. In 2018, the data of millions of users was exposed because of an XSS vulnerability: a weakness in its website let hackers inject malicious code.


As a result, users' information, including their payment details, fell into the hands of the hackers. It is said that the personal and financial information of about 380,000 customers was stolen in this way.


What is Cross Site Scripting i.e. XSS?


Before discussing this topic, let's first look at how a website is made. Generally, a website is made up of three elements: HTML, CSS and JavaScript. HTML gives it shape, CSS determines the design, and JavaScript acts like the brain. If someone can somehow control the brain, they can do whatever they want.


Yes, if someone can get their own JavaScript to run on a page, they can make the website behave as they want. Cross-site scripting is a method for doing exactly that: the hacker sends code that the website ends up executing, so the page does what the hacker wants.


Now let's understand how it works. First, after finding an XSS vulnerability, the attacker places the malicious code where visitors come frequently. When a user visits that page, the malicious code is executed in their browser. The script then steals sensitive information such as cookies, session tokens and personal data.


There are generally three types of XSS.


1) Stored XSS


A script that is permanently stored on the target server, for example in a database or on a message board. It is considered the most dangerous form of XSS: because it stays on the server, the code is executed every time a new visitor opens that page, and it steals whatever data it was written to steal.


For example, on a site like Facebook we comment on various posts. Suppose the attacker injects a script into the comment section. Since comments are stored in the website's database, whenever someone views the comment section, the attacker's code is executed in their browser. Besides stealing cookies, login data and activity, it can also send users to malicious websites.


2) Reflected XSS


A script that is sent to the web server in a request and reflected straight back in the response, typically inside search results or error messages. Unlike the stored XSS above, it is not saved on the server. It is called reflected XSS because the server reflects the attacker's input back onto the webpage.


The attacker prepares a malicious link that contains the script and gets the user to click on it. The script is typically placed in a parameter such as the search query. The page then shows something like an error message containing that input, the malicious script is executed, and it does its job of stealing data.


For example, say you visit an e-commerce site and search for a product in the search bar. If an attacker has injected malicious code into such a search link, it looks like this:

(http://example.com/search?q=<script>alert('Hacked!')</script>)

and the page shows an error message containing it.


In this case, if you click on the link, the code is executed and a popup alert appears saying that you have been hacked. Then, using that same code, the attacker steals your sensitive information.
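Both the stored case (the comment section above) and this reflected case end the same way: text from an untrusted source is pasted into HTML. The following is an added example, not code from the original article, showing the defence that covers both, HTML-encoding every untrusted value at the point where it is written into the page. The page templates, the comment data and the `escapeHtml` helper are constructed for illustration; the article's `alert('Hacked!')` payload is used as the test string.

```javascript
// Added example (not from the original article): output encoding as the
// common fix for stored and reflected XSS. Runs under Node.js.

// Encode the five characters that let text break out of an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stored XSS: comments come back from the database and are dropped into
// the page as-is. A comment containing markup becomes live markup.
function renderCommentsUnsafe(comments) {
  const items = comments.map(c => `<li><b>${c.author}</b>: ${c.text}</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Hardened template: every database field is encoded on output. Storing
// the comment unchanged is fine; the browser must only ever see text.
function renderComments(comments) {
  const items = comments.map(
    c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`
  );
  return "<ul>" + items.join("") + "</ul>";
}

// Reflected XSS: the search term from the URL is echoed in the
// "no results" message of the response.
function renderSearchUnsafe(q) {
  return `<p>No results for <i>${q}</i></p>`;
}

// Hardened: the same message, with the query encoded.
function renderSearch(q) {
  return `<p>No results for <i>${escapeHtml(q)}</i></p>`;
}

// Simple check used below: does the rendered HTML still contain a real
// (unencoded) script tag? Encoded "&lt;script" does not match.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data mirroring the article's payload.
const PAYLOAD = "<script>alert('Hacked!')</script>";
const SAMPLE_COMMENTS = [
  { author: "alice", text: "Nice post" },
  { author: "mallory", text: PAYLOAD }, // constructed malicious comment
];

// Renders each variant and reports whether a live script tag survived.
function demo() {
  return {
    storedUnsafe: containsScriptTag(renderCommentsUnsafe(SAMPLE_COMMENTS)),
    storedSafe: containsScriptTag(renderComments(SAMPLE_COMMENTS)),
    reflectedUnsafe: containsScriptTag(renderSearchUnsafe(PAYLOAD)),
    reflectedSafe: containsScriptTag(renderSearch(PAYLOAD)),
  };
}

console.log(demo());
```

The encoder here is correct only for the HTML text and attribute contexts it is used in; a value written into a URL, a `<script>` block or a style rule needs the encoder for that context instead, which is why template engines that encode by default are preferable to hand-written string concatenation.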


3) DOM Based XSS


This type of attack is executed entirely on the client side; no request to the server is needed. For example, consider a website that uses JavaScript to read parameters from the URL.


The content of the webpage is updated accordingly. If the JavaScript does not sanitize that input, the attacker can create a URL like this: http://example.com/#<script>alert('Hacked!')</script>. If the website trusts the attacker's input and updates the DOM without validating it, the code is executed in the user's browser and the attacker steals the data.
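The pattern just described, a page that reads `location.hash` and updates itself, can be shown side by side with its fixed form. This is an added example, not code from the original article. The element it writes to is a small stand-in object so the code runs under Node.js without a real DOM; in a browser the same functions would be given a real element and `location.hash`. The section names and the allowlist are constructed for illustration.

```javascript
// Added example (not from the original article): DOM-based XSS and its fix.
// Runs under Node.js using a stand-in element object.

// Vulnerable sink: the decoded fragment is concatenated into innerHTML, so
// whatever markup the URL carries becomes part of the page.
function showSectionUnsafe(hash, el) {
  el.innerHTML = "<h2>" + decodeURIComponent(hash.slice(1)) + "</h2>";
}

// Hardened version, two layers:
//  1. The fragment is used as a key into an allowlist; it is never rendered.
//  2. The chosen text is written with textContent, a text-only sink.
const SECTIONS = {
  intro: "Introduction",
  pricing: "Pricing",
  contact: "Contact us",
};

// Maps a raw hash to a known section key, defaulting to "intro".
function resolveSection(hash) {
  let key;
  try {
    key = decodeURIComponent(hash.replace(/^#/, ""));
  } catch (e) {
    // Malformed percent-encoding (e.g. "#%E0%A4") throws URIError.
    // Treat it as an unknown section rather than letting the page break.
    return "intro";
  }
  // hasOwnProperty, not `key in SECTIONS`, so "__proto__" and friends miss.
  return Object.prototype.hasOwnProperty.call(SECTIONS, key) ? key : "intro";
}

function showSection(hash, el) {
  const key = resolveSection(hash);
  el.textContent = SECTIONS[key];
  return key;
}

// Minimal stand-in for a DOM element (constructed; not a real DOM).
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// The article's payload as it would appear in the fragment.
const PAYLOAD_HASH = "#<script>alert('Hacked!')</script>";

// Runs both versions against the payload and reports what reached the page.
function demo() {
  const unsafeEl = fakeElement();
  showSectionUnsafe(PAYLOAD_HASH, unsafeEl);
  const safeEl = fakeElement();
  showSection(PAYLOAD_HASH, safeEl);
  return {
    unsafeHasScript: /<script\b/i.test(unsafeEl.innerHTML),
    safeHasScript: /<script\b/i.test(safeEl.innerHTML + safeEl.textContent),
    safeShows: safeEl.textContent,
  };
}

console.log(demo());
```

Because the attacker-controlled string never reaches a markup sink, no encoding decision is needed at all; where the fragment genuinely must be displayed (for example a search term shown to the user), assign it with `textContent` rather than `innerHTML`.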


How to avoid?


Looking at XSS, one might think it is a technical flaw that only concerns developers. However, it affects all of us. When we log in to a website, send a message or post a comment, we trust that the platform is secure.


But if a hacker discovers that website's weakness and injects harmful code into it, our data is stolen too. Website operators should therefore take such matters seriously, and users should avoid logging in to a website that is known to be affected.
