What are the two types of cross site attack

What are the two types of cross site attack?

You might be curious about two distinct types of cross-site, but first you need to know the definition of a cross site and what exactly it is, then realise its usages in different areas as well as its different types and their advantages and disadvantages. In addition you will be known the similarities and the differences between these two types.

What is cross-site scripting?

Cross site scripting is also known as XSS. Is it true that the abbreviation of cross site scripting is CSS but because it is stands for Cascading Style Sheets, XSS is being used by mean of a cross-site scripting. Cross site scripting is one of the attacking and infiltrating ways that hackers use to get access to different websites. In this type of cross site some chords being injected to websites to make an infection. The purpose of these kinds is more about the website users who have visited the site. While a user with an internet account opens a site, cookies get saved on the system and it contains passwords, usernames, or bank accounts information; if your system had had an infection of XSS your information will be gathered by hackers easily.

Two types of cross site scripting

Cross-eyed addicts are divided to two main parts and they are named as server XSS and client XSS. These two types also divided two other types and each has a specific way of these.

1.Server XSS

Server XSS type of XSS happens when an invalid user make success of getting access to a website databases by forcing website to answer HTTP request. Server XSS has two types itself and they are named as Stored server XSS and Reflected serves XSS.

In these two types destructive codes are presented by server and browser, get ran easily by websites and it means each script seems valid to browser.

Stored/ Persistent

In this one, a destructive script would have saved on a server with stability. Lisa screamed would have located at databases, forums, search fields or comments part. When the victim clicks or send requests to the destructive server, server replies with stored malicious information and then the destructive script would ran into victims browser. As a result the victim will be fallen prey for these. This type of this is known as one of the most dangerous attacks in web.

Reflected/ Non-persistent

Reflected XSS are designed onto a request that a user send and most probably this kind of attack is not using engineered techniques. Reflected XSS happen when injected scripts are reflected by web browser. This reflection would be occurred as error messages or search results or anything else. When a hacker got success of deceiving users to click on infected links it could be said that they got what they exactly wanted and information will be sent directly to the hacker or be referred to other infected sites.

2. Client XSS

Client XSS happens when a user tries to update DOM and with a Java call, scripts could get presented. Getting malicious code happen by server either browser DOM.

Document Object Modal (DOM)

As well as the two previous types, there is also another type of XSS which is a bit different and has identified by Klein Amit in 2005. This is unique type of attacks which abuses the security weakness in inputs that are generated by users. It actually does not send requests to inject destructive scripts to websites but is the result of incorrect control of the information which have been sent from users.

What is JavaScript and its use

JavaScript is a language to write a script or to write a professional program which allows you to make websites with more and better features. This programming language allows you to have web pages with dynamic content. In other side you would have more control on multimedia. These are some features that make JavaScript special and unique among other programming languages. JavaScript is so popular now and more than 90% of websites use it.

Why a hacker would prefer to use JavaScript codes?

At first it may seem the safe to inject JavaScript codes because most of websites use them and also JavaScript codes don't have access to operating system and users files. However it is steel could be a threat to you due to features:

1. JavaScript can access to order things of a webpage. Including users cookies which are being used to save toucans more. It means that by JavaScripts data a hacker could get the ability of fergery of identity.

2. JavaScripts have access to XMLHPRequest and by that it means they can send HTTP requests to any destination.

3. JavaScript also access to DOM of a browser.

4. In some browsers, JavaScript could accessing to API of HTML5. It means that they can find out users location, access their webcam or even special files of users system. But fortunately most of the Times accessing two mentioned information needs a direct permission by user.

As a result the hacker or inflator would have so many reasons and benefits by using JavaScript.

The results of XSS

In every kind of these; Stored, Reflected, based DOM, a user has been attacked and all have a same result which is obtaining users data. The difference is about the ways each uses to obtain those information and data.

One common mistake is that people think the unclick websites which are designed to just be red by users are safe and won't get attacked, but they are not. The worst type of these is data theft and disclosure of cookies that enable hacker to get control of your accounts and get access to all your information. To name some damages that XSS would have made, we could mention the installation of destructive apps such as Trojans and Backdoors.

Protection against XSS

Web Application Firewall (WAF) is one of the most popular ways of protection against cross-site. WAFs use different ways to deal with these. In case of XSS, WAF most used protection is to block destructive requests.

Web Application Firewall also uses filters of signing up to deal with attacks and prevent destructive requests from being sent. Frequent offenders would get recognised while using an IP frequently and would be banned and got unable of sending more requests.

How to determine if you are vulnerable

If you want to discover your vulnerability against XSS bugs, you can take advantages of different ways. One of these ways is using equipment which are designed to find all vulnerabilities that might damage your system. Some of these equipment are:

- Burp Suite

- Acunetix

- Netsparker

- Nessus

Of course the number of these equipment is more than this but we tried to mention the most popular and the ones which are getting used more by users.

Besides of these equipment we offer you to do manual evaluation as well. Because lots of these equipment are not able to discover all vulnerabilities and also me report false positive sometimes. Manual evaluation would seems challenging because you need to evaluate all inputs that may enable the attacker to get control on your system and try to make some changes and you have to check out all exit points and that may appear in answer of HTTP.

These are the input points that you need to processing them:

Parameters and also other databases that exist in Queries or URLs.

- URL files paths

- HTTP headers that are not able to get used

- Any rout app out of band that could deliver any infected link

First step of evaluating vulnerabilities that Stored XSS would have had access is to find the point between inputs and exists to understand any databases gateway and also exit way.

The main reasons of doing it are:

_ All submitted data are not going to exit from the same exit point and they may get copied during this path

_ Stored data by an app, may get copied because of users actions

Last word

Cross-sties would be a threat to all users, so you need to make sure that you are safe and be aware of vulnerabilities. Use the advice to protect yourself from the kind of these that are mentioned in this article.