What is non-persistent XSS?

Non-persistent (reflected) XSS is a type of cross-site scripting where the malicious content has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server. Read more about types of cross-site scripting attacks .

Why is XSS dangerous?

If an attacker can abuse an XSS vulnerability on a web page, they can attack the user of that web page and, for example, steal sensitive data such as the user’s session information letting them impersonate that user. Cross-site scripting may also be used to deface a website instead of targeting the user. The attacker can use injected scripts to change the content of the website or even redirect the browser to another web page, for example, one that contains malicious code. See the effects of a persistent XSS attack on YouTube .

How to protect your website from XSS?

The best way to protect your website from XSS attacks is to eliminate XSS vulnerabilities. To know if you have such vulnerabilities, you need to test your website using a web vulnerability scanner like Acunetix. Acunetix is able to find all types of XSS vulnerabilities, even the rare ones and the ones that are difficult to detect. See what Acunetix Premium can do for you .

Articles Archives | Page 13 of 68

Q: What is persistent XSS?

A persistent cross-site scripting (stored XSS) attack is possible when a website or web application stores user input and later serves it to other users. Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use. The payload is automatically served to users who browse web pages and executed in their context. Read more about cross-site scripting in general .

What Is Persistent XSS

Articles | May 13, 2019 by Tomasz Andrzej Nidecki

Persistent Cross-site Scripting (Stored XSS) attacks represent one of three major types of Cross-site Scripting. The other two types of attacks of this kind are Non-Persistent XSS (Reflected XSS) and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate…

Why is Source Code Disclosure Dangerous?

Articles | May 9, 2019 by Juxhin Dyrmishi Brigjaj

Source code often contains some form of sensitive information. It may be configuration-related information (e.g. database credentials) or simply information about how the web application works. If source code files are disclosed, an attacker may potentially use such information to discover logical flaws. This may…

What Is HSTS Used for? – problems, errors, fixes

Articles | May 8, 2019 by Tomasz Andrzej Nidecki

HSTS stands for HTTP Strict Transport Security. It is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from…

XML External Entity Vulnerability in Internet Explorer

Articles | May 7, 2019 by Tomasz Andrzej Nidecki

When exploiting a typical XML External Entity (XXE) vulnerability, the attacker attempts to gain access to the content of files on a Web server. However, XXE vulnerabilities may also allow the attacker to steal private data from the user. Such a case was recently discovered…

Bypassing SOP using the browser cache

Articles | April 30, 2019 by Aleksei Tiurin

Misconfigured caching can lead to various vulnerabilities. For example, attackers may use badly-configured intermediate servers (reverse proxies, load balancers, or cache proxies) to gain access to sensitive data. Another way to exploit caching is through Web Cache Poisoning attacks. The browser cache may look like…

Session Token in URL Vulnerability

Articles | April 25, 2019 by Bernhard Abele

The HTTP protocol and web servers are stateless by nature. This means that there is no way for them to track user activity. The web server treats every request as a new one. For this reason, browsers and web servers need to use session tokens….

Common Injection Attack Types, Examples, Prevention

Articles | April 18, 2019 by Ian Muscat

Injection Attacks Injection attacks refer to a broad class of attack vectors. In an injection attack, an attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of…

What is Code Injection (Remote Code Execution)

Articles | April 15, 2019 by Ian Muscat

Code Injection or Remote Code Execution (RCE) enables the attacker to execute malicious code as a result of an injection attack. Code Injection attacks are different than Command Injection attacks. Attacker capabilities depend on the limits of the server-side interpreter (for example, PHP, Python, and…

Remote Code Execution in bootstrap-sass Ruby Package

Articles | April 11, 2019 by Tomasz Andrzej Nidecki

If you are using Ruby to develop applications, run the latest update of Acunetix to make sure that you are safe. A very popular Rails gem bootstrap-sass was recently compromised. A malicious version of the package (3.2.0.3) was available in the official RubyGems repository for several…

Articles

Take action and discover your vulnerabilities