markdown guide
 

Say you live in an apartment, and you have an air conditioner. This air conditioner has a remote control which you use to regulate the temperature. But there's a problem. Your next door neighbour Samantha, has the same air conditioner, with the same remote. Which means Samantha could easily control your room temperature with her own remote if she was close enough. But Samantha isn't the only one with the same remote control. Pretty soon you find out the entire neighbourhood has the same remote. Troublesome isn't it?

Let's assume your house is a website, and your air conditioner is the front end. XSS can be likened to a situation where Samantha or any of your 100 neighbours use their own remote controls to manipulate your air conditioner without your permission.

 

You are 5y old, in a future Halloween. The trick or treat tradition is still around, but the technology evolved.

A bad kid (X) lives in your neighborhood, he wants many candies, but he is lazy so he decided to steal them from the other kids. X has very rich parents, has future 3D printers and other cool Spy tech.

Non-persistent XSS
X comes to your house, mounts a camera and sensors at your window to find out what are you going to wear. X buys a costume same as you, he records your voice and then he pretends is you for the entire night. He is going to all the houses and take the candies pretending is you.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability.[13] These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.

Mistakes:

  • you weren't careful and didn't saw the camera and sensors out side of your window
  • the houses that gave candies trusted a mask, and didn't ask you to say your name or other things only you could knew

Persistent XSS
X is getting lazy, he found a new way to steal even more candies. He mounts a series of sensors and cameras on one of the neighbors lawn. Any kid that goes there is recorded, their costume and voice copied in X's computer.
X now can impersonate most of the kids and take candies in their names.

Mistakes:

  • the neighbor with the lawn permitted X to install its hardware in his yard
  • the houses that gave candies trusted a mask, and didn't ask you to say your name or other things only you could knew

WIKIPEDIA - The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.[14]


houses that give candies - servers
X - the attacker
you and your friends - victims

 
Classic DEV Post from Nov 15 '18

Don't be a mockup developer

Many times as a mobile developer I have to work on apps without the API ready that was crucial for the feature I was implementing. Either the backend was developed by another team that was not entirely in sync with us or our backend team had no chance to implement those endpoints earlier. For this reason, I was not able to satisfy the Definition of Done but it does not mean that I have implemented the UI only.

Pratik Ambani profile image
Life is POC 😇

Sore eyes?

dev.to now has dark mode (in public beta).

Go to the "misc" section of your settings and select night theme ❤️