  1. Malicious script execution
  2. Redirecting to a malicious server
  3. Exploiting user privileges
  4. Ads in hidden IFRAMES and pop-ups
  5. Data manipulation
  6. Session hijacking
  7. Brute force password cracking
  8. Data theft
  9. Intranet probing
  10. Keylogging and remote monitoring
  • Cross-site Scripting (‘XSS’ or ‘CSS’) attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users
  • It occurs when unvalidated input data is included in dynamic content that is sent to a user’s web browser for rendering
  • Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim’s system by hiding it within legitimate requests

This example uses a vulnerable page which handles requests for nonexistent pages, a classic 404 error page. The sign-in value is taken from the request and concatenated into the redirect target without any validation or encoding:

<html>
<body>
<%-- Deliberately vulnerable: txt_Signin is the sign-in form's email field and its value
     is placed unchecked into the query string that welcome.jsp later echoes back --%>
<%
response.sendRedirect("welcome.jsp?Email=" + request.getParameter("txt_Signin"));
%>
</body>
</html>

// XSS Attack Code
http://example.com/alert("WARNING:The application has encountered an error");
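A hardened version of the sign-in redirect above, added here as an example and not part of the original slides. The class name SafeRedirect, the three helper methods and the email allowlist pattern are assumptions; the point is that validation, URL-encoding of the redirect parameter and HTML-encoding on output are three separate controls, each of which the original page lacks.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not from the original slides: the sign-in redirect above, hardened in
// three layers (allowlist validation, URL-encoding into the Location, HTML-encoding on output).
public class SafeRedirect {
    // Strict allowlist for the email field; anything else is rejected outright.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,}$");

    // Layer 1: reject input that is not shaped like an email address.
    public static boolean isValidEmail(String s) {
        return s != null && EMAIL.matcher(s).matches();
    }

    // Layer 2: build the redirect target. Returns null (caller answers 400) on bad input;
    // otherwise the value is percent-encoded so it cannot escape the query string.
    public static String buildRedirect(String email) {
        if (!isValidEmail(email)) return null;
        return "welcome.jsp?Email=" + URLEncoder.encode(email, StandardCharsets.UTF_8);
    }

    // Layer 3: what welcome.jsp must apply before echoing the parameter into the page,
    // in place of a bare <%= request.getParameter("Email") %>.
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal address and a script-bearing value.
        String[] samples = { "alice@example.com", "<script>alert(1)</script>" };
        for (String s : samples) {
            String target = buildRedirect(s);
            System.out.println(s + " -> " + (target == null ? "400 Bad Request" : target));
            System.out.println("  HTML-encoded: " + htmlEncode(s));
        }
    }
}
```

The second sample never reaches the redirect because validation rejects it; htmlEncode shows what welcome.jsp would have to emit if a value were reflected anyway.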