This project focuses on identifying a critical Cross-Site Scripting (XSS) vulnerability present on the e-commerce platform, Goodmart.ind.in. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, and other security breaches. For more information, visit: https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
Size: 448.43 KB
Language: en
Added: Aug 10, 2024
Slides: 12 pages
Slide Content
Cross site scripting on goodmart.ind.in
Shahbaz Hussain – CNP-MAR2024-CSEH-1
Cross Site Scripting
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system. As a result, the attacker can steal the user’s active session cookie.
XSS vulnerability: Case study on Goodmart.ind website
Site name: https://goodmart.ind.in/
Category: E-commerce
Type: E-commerce website for Good mart
Content: Information about different services provided by the good mart
Data Collection
The https://goodmart.ind.in/ website currently uses the following technologies:
CMS: Adobe Experience Manager
Analytics: Adobe Analytics
Programming Language: JavaScript, HTML, PHP
Impact Analysis
Cross Site Scripting (XSS) is a vulnerability in a web application that allows a third party to execute a script in the user’s browser on behalf of the web application.
Identify the Injection Point: Navigate the website and find a place where user input is reflected back into the HTML without proper sanitization.
Inject Malicious Script: Craft a payload that includes the malicious script. This script will be executed when HTML is rendered.
Test and Confirm: Ensure that the injected script executes correctly and achieves the intended malicious outcome.
Steps to Reproduce
Go to https://goodmart.ind.in/index.php
First, check that input is reflected into the HTML code.
In the search bar, enter any word and press the search button, then check the source code.
After checking the source code, enter the malicious script into the input field.
Hence, to exploit this, I have used the payload: <script>alert(1)</script>
On clicking the search button, the alert pop-up will occur.
Impact
Data Theft
Account Hijacking
Client-Side Attacks
Defacement of website
Proof of Concept
During the testing of the GoodMart website, a cross site scripting vulnerability was found. The vulnerability allows an attacker to inject malicious JavaScript code into the input field, which could be executed in the context of the user’s browser, potentially leading to session hijacking, sensitive data theft and other malicious actions.
Vulnerability Details:
Vulnerable URL: https://goodmart.ind.in/index.php
Vulnerability Type: Cross Site Scripting (XSS)
Affected Component: Search Input field
Impact: HIGH
Mitigation
Never trust user input: Always perform input validation and sanitization on input originating from untrusted sources as soon as you receive it.
Implement output encoding: Output encoding escapes user input and ensures that the browser interprets it as benign data and not as code.
HTML Sanitization: HTML Sanitization will strip dangerous HTML from a variable and return a safe string of HTML.
Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet:
  Cookie Attributes
  Content Security Policy
  Web Application Firewalls
Perform penetration testing to confirm remediation was successful.
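
The output-encoding and "confirm remediation" points above can be checked offline. This is an added example, not code from the slides or from the site. The template, the function names and the quoted sample query are assumptions made for illustration, and Python stands in for the site's PHP.

```python
import html
from html.parser import HTMLParser

PAGE_PAYLOAD = '<script>alert(1)</script>'   # the payload quoted on the slides
QUOTED_QUERY = 'shoes "size 9"'              # constructed benign query with quotes

# Hypothetical search-results template; the real site's markup is not on the slides.
TEMPLATE = '<form><input name="q" value="{q}"></form><p>Results for: {q}</p>'


def render_vulnerable(query: str) -> str:
    """Reflects the query verbatim, the behaviour the slides describe."""
    return TEMPLATE.format(q=query)


def render_encoded(query: str) -> str:
    """Output encoding: &, <, >, " and ' become entities before reflection,
    which covers both the element-body and the quoted-attribute context."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


class ReflectionInspector(HTMLParser):
    """Tokenizes a response and records what the reflected input turned into."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0   # script elements present in the parsed page
        self.q_value = None    # decoded value attribute of the search box

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == 'script':
            self.script_tags += 1
        if tag == 'input' and attr_map.get('name') == 'q':
            self.q_value = attr_map.get('value')


def is_safely_reflected(page: str, query: str) -> bool:
    """True when the page gained no script element and the search box holds
    exactly the text the user typed, i.e. the input stayed data."""
    inspector = ReflectionInspector()
    inspector.feed(page)
    inspector.close()
    return inspector.script_tags == 0 and inspector.q_value == query


if __name__ == '__main__':
    for query in (PAGE_PAYLOAD, QUOTED_QUERY):
        print(repr(query),
              'verbatim:', is_safely_reflected(render_vulnerable(query), query),
              'encoded:', is_safely_reflected(render_encoded(query), query))
```

The quoted query fails the verbatim render even though it is harmless, which shows that encoding is also a correctness fix for the attribute context and not only a filter for script tags.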