Learn Cyber Security

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was ...

WAF Bypassing with XSS and RFI Until now, we examined some serious ways of bypassing WAF, including encoding schemes, SQL Injection and others. In this module, let’s examine another critical attack method that an attacker can use in various ways to bypass WAFs. This attack is XSS. Cross Site Scripting – XSS Cross Site Scripting (or simply XSS) is an injection type attack where the attacker injects malicious scripts into trusted websites. The vulnerability occurs when we use a web application to send maliciously crafted code in the form of a browser side script, most of the time in HTML, to a different user of the application. These kinds of attacks take place in many places of a web application, most of the time in the parts that the user can supply content to it and the web application generates it within the output, without validating or encoding it.  As we said, the attacker can send malicious code to another user. The browser of the user that will receive this code has no way t...