Cross-Site Scripting

In this course, we will discuss Stored (sometimes called persistent), Reflected, and DOM-Based XSS attacks. This is a skill-based course, so we will include a hands-on lab. This course will begin with lecture material on what cross-site scripting is, how the different attacks work, and ways to protect against them. Students will also complete an assessment at the conclusion of the course. Instructions for the assessment will be found in the conclusion module.

This training is an introductory course in Cross-Site Scripting (XSS), a widespread cyberattack type. Students in this training will learn what XSS is, the different types of attacks and how they work, and methods that work to protect against them.

What Does Cross-Site Scripting Mean?

Cross-site scripting is a client-side code injection cyberattack. The hacker’s goal in cross-site scripting is to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. The attack happens when the victim visits the application or web page that executes the malicious code. In other words, the web application or page is the means to deliver the malicious script to the victim’s browser. It’s common for this type of attack to use message boards, forums, and web pages that allow users to make comments.

What is the Impact of Cross-site Scripting Vulnerabilities?

Cross-site scripting attacks and attackers can cause significant damage to victims, whether they are individuals or organizations. Attackers use three different types of XSS attacks: * Stored XSS – This type of attack, also known as Persistent or Type 1, occurs when user input (such as in a message forum, database, comment field, etc.) is stored in a target server. Then a victim is able to retrieve that stored data from the application without the data being made safe to use in the browser. * Reflected XSS – This type of attack, also known as Non-Persistent or Type II, happens with user input is instantly returned by an application in a search result, an error message, or other response that includes all or some of the input that the user provides as part of the request. The data is returned without being made safe to use in the browser. * DOM based XSS – This type of attack occurs when the whole tainted data flow from source to sink takes place in the browser. In other words, the source of the data and the sink are both in the DOM, and the data flow doesn’t ever leave the browser.

There are various ways that the above types of attacks can impact the victim, from stealing and using personal data or funds, to changing how a website looks in an offensive manner.

One of the most common XSS attacks is account hijacking. This happens when hackers hijack legitimate user accounts by stealing session cookies. This allows hackers to assume the victim’s identity and access sensitive data or functionality as the victim.

Another practical XSS attack occurs when the attacker uses JavaScript or HTML to steal user credentials, rather than their cookies. Yet another powerful and impactful type of XSS attack is using cross-site scripting to exfiltrate sensitive data (such as personal identifiable data or cardholder information) to perform unauthorized operations, like stealing funds.

There are other types of attacks in which attackers use XSS as well. These include keyloggers, in which the attacker gains access to the user’s keystrokes on a vulnerable page; port scans, in which port scans are initiated against the internal network of a client that accesses a vulnerable website; and website defacement, in which hackers actually change the appearance of website.

What is Involved in this XSS Training Course?

In this XSS training, students will learn about what XSS is, how these types of attacks happen and the impact they cause, and ways to mitigate this popular type of attack. The course is an introduction, so the basics will be covered and there will be a hands-on lab included. Three different types of cross-site scripting will be discussed: stored XSS, reflected XSS, and DOM based XSS.

Students will also complete an assessment at the conclusion of the course. The total clock hours for the course is 40 minutes. Students will earn 1 CEU/CPE and a Certificate of Completion when they finish the course.

Who Should Take the Cross-Site Scripting Course?

The XSS training course is designed for: * Ethical hackers * Penetration testers * Cybersecurity professionals * Beginner and intermediate Internet users who are interested in privacy, security, and safety online.

There are no prerequisites for this course, however, it’s recommended that students have basic computer skills and Internet browsing knowledge.

If you would like to learn more about Cross-Site Scripting this XSS course is a good place to start. Enrolling in the course is easy, just click on the Register button in the top right corner of this screen to begin.