XSS vulnerabilities (Cross-Site Scripting vulnerabilities) are often overshadowed by their big cousin, the infamous SQL Injection. This does not make them any less effective or deadly. XSS and SQL Injection attacks are similar in the way they inject malicious code. The difference is that an SQL attack, injects code into the target database whereas an XSS attack injects code into the target browser. In an XSS attack the hacker uses your website to inject code into your visitor’s browser.
Once a user is infected, the malicious code can do a variety of things. It can change the color scheme of the page the user is viewing. It can do more nasty things such as replacing images with pornographic content. Using the same techniques, links on the page may be re-written to point to malicious locations. Sometimes clicks can also be forced, simulating user action without his knowledge. Another popular XSS attack reads out the user’s cookie and transmits it to the hacker. This allows him to impersonate the user and hijack his session. If the user happens to be the system administrator, the hacker can take over the entire website.
In this video tutorial I demonstrate what an XSS attack is to show you how a hacker can use XSS vulnerabilities to hack into your website. I start the video by explaining the mechanisms of cross site scripting, and I proceed to demonstrate a number of pranks you can play on unsuspecting users. I also demonstrate how cookies can be stolen to hijack sessions and I take a peek into the vulnerable code that allows such attacks. I hope that this video will both entertaining and educational, and that by learning about XSS you can keep your own website safer.