Cross-Site Scripting is an attack in which the attacker is able to insert client-side script into the application to gain control of the application and access to its data. A common Cross-Site Scripting example that I believe everyone is well aware of can be seen below:

<script>alert("XSS Vulnerabilities")</script>


(Figure: an example of Cross-Site Scripting code)

(Figure: an example of a Cross-Site Scripting attack)


For those who have no knowledge of Cross-Site Scripting, there are around 4 types of Cross-Site Scripting:

  • Non-persistent (Reflected)
  • Persistent (or Stored)
  • Server-side vs DOM-based vulnerabilities
  • Self-XSS
  • Mutated XSS (mXSS)

Below are other payload forms used in a Cross-Site Scripting attack:

  • Basic payload (<script>alert("XSS Vulnerabilities")</script>)
  • Img payload (<img src=x onerror=alert('XSS Vulnerabilities');>)
  • Svg payload (<svg onload=alert(1)>)
  • Div payload (<div onpointerover="alert(45)">XSS Vulnerabilities</div>)

Testing

Recommendation


To secure the website against XSS vulnerabilities, the admin needs to modify the code so that user-supplied input is escaped before it is output and the attacker's script cannot run. The code that needs to be modified to secure the website against XSS looks like this:

// Escape user input before output; ENT_QUOTES also encodes single quotes
echo 'Output' . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
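
As an added example (not code from the original post), the script below passes the four payloads listed above through htmlspecialchars() and checks that no markup character survives, then shows the hardened form of the echo statement. The helper name e() and the payload array are assumptions made for this illustration.

```php
<?php
// Added example: encode untrusted input for an HTML context before echoing it.

/** Escape a value for HTML element content or a quoted attribute value.
 *  e() is a hypothetical helper name used only in this example. */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ' (the default before PHP 8.1 left ' alone);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the four payloads listed on this page.
$payloads = [
    'basic' => '<script>alert("XSS Vulnerabilities")</script>',
    'img'   => "<img src=x onerror=alert('XSS Vulnerabilities');>",
    'svg'   => '<svg onload=alert(1)>',
    'div'   => '<div onpointerover="alert(45)">XSS Vulnerabilities</div>',
];

foreach ($payloads as $label => $raw) {
    $safe = e($raw);
    // Once encoded, none of < > " ' remains, so the browser shows the payload as text.
    $inert = strpbrk($safe, "<>\"'") === false;
    printf("%-5s inert=%s  %s\n", $label, $inert ? 'yes' : 'NO', $safe);
}

// Vulnerable form:  echo 'Output' . $_GET['name'];
// Hardened form:
$name = $_GET['name'] ?? '';
if (!is_string($name)) {
    $name = ''; // a request such as ?name[]=x arrives as an array, not a string
}
echo 'Output' . e($name), "\n";

// Why ENT_QUOTES is passed explicitly: ENT_COMPAT (the pre-8.1 default)
// leaves single quotes unencoded, which matters inside a '...' attribute value.
$legacy = htmlspecialchars($payloads['img'], ENT_COMPAT, 'UTF-8');
printf("ENT_COMPAT leaves single quotes: %s\n", strpos($legacy, "'") !== false ? 'yes' : 'no');
```

This encoding covers HTML element content and quoted attribute values only; values written into a script block or a URL need encoding suited to that context.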