Exploiting Blind XSS

Gupta Bless
5 min read · Jul 4, 2020

XSS (Cross-Site Scripting):

XSS is an attack that exploits insufficient input and output handling flaws in web applications: the attacker injects malicious scripts or code into input fields of a trusted website, and the web application later processes or reflects that input without any sanitization.

How an attacker executes XSS, as explained by the image above:

1) The attacker searches for an application where XSS injection is possible.

2) The attacker then injects an XSS payload that can steal cookies into the application.

3) In this way, the attacker exploits the XSS vulnerability and grabs the cookie of the legitimate user.

How XSS payloads are processed

When we pass any payload to a web application, it works as shown below.

Because our web application is not sanitizing and validating inputs, the payload is saved in the database or reflected on the webpage.

Types: There are three types of XSS:

· Stored/Persistent XSS: When an application stores the inputs from any input field,
