
XSS Attack Tutorial: Cross Site Scripting Complete Guide with DVWA

XSS attack tutorial in Hindi — understanding XSS types (stored, reflected, DOM-based), practical DVWA lab walkthrough, cookie stealing attack, Burp Suite testing, and XSS prevention methods.

Amit Kumar, Ethical Hacker & Founder
Cross-Site Scripting (XSS) is one of the most common and dangerous attack vectors among web application vulnerabilities. It has consistently appeared in the OWASP Top 10. This XSS attack tutorial gives you a complete understanding of XSS, from its types through practical exploitation to prevention.

## What Is XSS

Cross-Site Scripting lets an attacker inject malicious scripts into legitimate websites. The vulnerability arises from a lack of input validation in web applications.

XSS is a common web vulnerability in India, where online portals, e-commerce sites, and social media platforms are targeted.

## XSS Attack Types

### Stored XSS (Persistent XSS)

This is the most dangerous type: the malicious script is stored permanently on the server.

How it works:

1. The attacker injects a malicious script into a comment field, user profile, or forum post.
2. The script is saved in the database.
3. When any user views the affected page, the script executes automatically.
4. The script fires on every visit.

Common targets: comment sections, user profile fields, message boards, product reviews.

Example payload:

### Reflected XSS (Non-Persistent)

The script is carried in a URL parameter and reflected back in the server's response.

How it works:

1. The attacker creates a malicious URL with a script in a parameter.
2. The URL is sent to the victim through email, a message, or a link.
3. The victim clicks the link.
4. The server reflects the script in its response.
5. The browser executes the script.

Example URL: http://target.com/search?q=

### DOM-Based XSS

The vulnerability lies in client-side JavaScript; the server is not involved.

How it works:

1. The application's JavaScript manipulates the DOM (Document Object Model).
2. The script is carried in the URL hash or fragment.
3. The JavaScript processes the input improperly.
4. The browser executes the script.

Example: http://target.com/page.html#

## XSS Attack Consequences

### Session Hijacking

By stealing cookies, an attacker can hijack a session.

### Credential Theft

Injected fake login forms can capture usernames and passwords.

### Malware Distribution

Drive-by downloads can be triggered.

### Defacement

The website's content can be modified.

### Keylogging

User keystrokes can be captured.

## DVWA Lab Setup for XSS

### Setup Steps

1. Start Apache and MySQL:

```bash
sudo service apache2 start
sudo service mysql start
```

2. Open DVWA in the browser: http://localhost/dvwa
3. Log in (default: admin / password).
4. Set the Security Level to low.

## Stored XSS Attack Walkthrough (DVWA)

### Finding the Vulnerable Page

Open the XSS (Stored) page in DVWA.

### Basic XSS Test

1. In the Name field, enter normal text: Test User
2. In the Message field: Hello World
3. Submit. The data is saved and displayed.

### Confirming Vulnerability

Test in the Message field:

An alert popup should appear as soon as you submit, which confirms the stored XSS vulnerability.

### Cookie Stealing Attack

#### Step 1: Attacker Server Setup

Set up a listener on Kali Linux:

```bash
mkdir -p /var/www/html/steal
nano /var/www/html/steal/log.php
```

log.php content:

```php
```

Set the permissions:

```bash
chmod 644 /var/www/html/steal/log.php
sudo service apache2 start
```

Note the attacker machine's IP address (from ifconfig).

#### Step 2: Craft Malicious Payload

Go to the DVWA stored XSS page.

In Name: Attacker

In Message, enter this payload (replace the IP address with your attacker IP):

```html
```

Submit.

#### Step 3: Victim Access

Open the DVWA stored XSS page in a browser (the script is already injected). The script executes as soon as the page loads.

#### Step 4: Cookie Capture

```bash
cat /var/www/html/steal/cookies.txt
```

The session cookie will be there.
#### Step 5: Session Hijacking

Set the cookie in the browser's Developer Tools:

```javascript
document.cookie = "PHPSESSID=stolen_session_id";
```

Refresh the page. The attacker now has access to the session.

## Reflected XSS Attack Walkthrough (DVWA)

### Finding the Vulnerable Page

Open the DVWA XSS (Reflected) page.

### Testing for Reflected XSS

Test the URL parameter:

http://localhost/dvwa/vulnerabilities/xss_r/?name=test

Test a payload in the name parameter:

http://localhost/dvwa/vulnerabilities/xss_r/?name=

An alert popup confirms the reflected XSS vulnerability.

### Bypassing Filters

At Security Level medium or high, DVWA applies filters.

Filter bypass techniques:

- Tag breaking:
- Case variation:
- Event handlers:

## DOM-Based XSS (DVWA)

Go to the DVWA XSS (DOM) page.

Test the default dropdown value. In the page URL:

http://localhost/dvwa/vulnerabilities/xss_d/?default=English

Test a payload:

http://localhost/dvwa/vulnerabilities/xss_d/?default=

## XSS Prevention Methods

### Output Encoding (Server-Side)

Encode output as HTML entities:

```python
import html

# Untrusted input containing markup
unsafe = "<script>alert('XSS')</script>"
# html.escape() converts <, >, & and quotes into HTML entities
safe = html.escape(unsafe)
# safe = "&lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
```

### Content Security Policy (CSP)

Add CSP in an HTTP header:

```http
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random123'
```

CSP blocks inline scripts (other than those carrying the matching nonce) and restricts external script sources.

### HttpOnly and Secure Flags

The HttpOnly flag on a cookie prevents access to it from JavaScript:

```http
Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict
```

### Input Validation

- Use a whitelist approach: allow only expected input.
- Block or sanitize special characters.
- Set length limits.

### Sanitization Libraries

Use libraries such as OWASP ESAPI, DOMPurify (JavaScript), and Bleach (Python) for input sanitization.

## XSS Testing with Burp Suite

### Using Proxy

Enable proxy intercept. Capture the request.
Inject XSS payloads into the parameter. Analyze the response.

### Using Intruder

1. Enumerate reflected XSS parameters with an XSS payloads list.
2. Test multiple payloads automatically.
3. Analyze the results.

### Using Sequencer

Analyze the randomness of session tokens to detect weak token generation.

## XSS Attack Tutorial Summary

XSS is a critical web security vulnerability. This tutorial covered:

- What an XSS attack is and why it is critical
- The three types: Stored, Reflected, and DOM-based
- A practical DVWA lab walkthrough
- The cookie stealing attack, step by step
- Reflected and DOM-based XSS exploitation
- Prevention methods: encoding, CSP, HttpOnly

XSS prevention is an essential skill for web developers. Apply input validation to every user-facing field. Encode output at every output point. Implement CSP headers. Carry out regular security testing.

Cyber Defence's web application security testing course covers XSS and more advanced web vulnerabilities with hands-on labs. An SQL injection tutorial and a Burp Suite tutorial are also available, which together build a complete web security skillset. Practice regularly on DVWA and PortSwigger Web Academy.
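
The prevention methods from this tutorial (allowlist input validation, output encoding, a CSP nonce, and HttpOnly cookie flags) combined in one response builder, as an added example that is not part of the original tutorial or of DVWA. The names `validate_comment` and `render_guestbook`, the field limits, and the sample data are hypothetical; the nonce is generated per response rather than fixed like the `random123` placeholder in the header shown earlier.

```python
import html
import re
import secrets

# Hypothetical allowlist for the name field: letters, digits, space, dot, hyphen.
NAME_RE = re.compile(r"[A-Za-z0-9 .\-]{1,50}")
MAX_MESSAGE_LEN = 500  # assumed length limit


def validate_comment(name, message):
    """Input validation: allowlist the name, bound the message length."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains characters outside the allowlist")
    if not 0 < len(message) <= MAX_MESSAGE_LEN:
        raise ValueError("message length out of range")
    return name, message


def render_guestbook(comments, session_id):
    """Return (headers, body, nonce) for a page built from stored comments."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, never a fixed string
    # Output encoding at the point of output: stored text becomes inert markup.
    rows = "".join(
        f"<li><b>{html.escape(name)}</b>: {html.escape(message)}</li>"
        for name, message in comments
    )
    body = (
        f"<!doctype html><title>Guestbook</title><ul>{rows}</ul>"
        # Only script elements carrying this response's nonce may run.
        f'<script nonce="{nonce}">console.log("loaded");</script>'
    )
    headers = [
        ("Content-Security-Policy",
         f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"),
        # HttpOnly keeps the session cookie out of document.cookie.
        ("Set-Cookie", f"sessionId={session_id}; HttpOnly; Secure; SameSite=Strict"),
    ]
    return headers, body, nonce


# Constructed sample data: a benign entry and the alert() test string.
SAMPLE_COMMENTS = [
    ("Test User", "Hello World"),
    ("Test User", "<script>alert('XSS')</script>"),
]

if __name__ == "__main__":
    headers, page, _ = render_guestbook(SAMPLE_COMMENTS, "constructed-session-id")
    print(dict(headers)["Content-Security-Policy"], page, sep="\n")
```

Validation rejects input that does not fit the field, but the escaping in `render_guestbook` is what keeps already-stored text from executing, so both layers are kept.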
