Possible Malicious Actions
- Cookie and Session Hijacking
- Redirecting visitors to another place
- Creating DoS (Denial-of-Service) and DDoS (Distributed Denial-of-Service) attacks
- Scanning Internal Network
- And more
- Type I – Persistent XSS: if an attacker is able to bypass user input validation, or is able to execute a malicious SQL query through a SQL injection attack, malicious content can be injected, which leads to a persistent (Type I) XSS attack.
- Type II – Non-Persistent XSS: if an attacker can trick a user into clicking a malicious URL that holds the payload of a non-persistent XSS attack, the malicious code will be included in the HTTP response and the browser will execute it.
- DOM-Based XSS: similar to non-persistent XSS, but the response does not hold any payload. Code injection occurs inside the user's browser because the exploit depends on client-side vulnerabilities.
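The three types above differ in where the untrusted value enters the page. The following is an added example, not code from the original article; the function names, the `app.example` host and the sample input are constructed. It shows each entry point with its unencoded form beside the encoded or safe-sink form.

```javascript
// Added example. Function names, the app.example host and all sample input are constructed.

// Encode the five characters that can change how the HTML parser reads the text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Type I (persistent): the value was stored earlier and is read back when the page is built.
function renderComment(comment, { encode }) {
  const body = encode ? escapeHtml(comment.body) : comment.body;
  return `<li class="comment">${body}</li>`;
}

// Type II (non-persistent): the value arrives in the request URL and is echoed in the response.
function renderSearchPage(requestUrl, { encode }) {
  const q = new URL(requestUrl, 'https://app.example').searchParams.get('q') ?? '';
  return `<p>Results for: ${encode ? escapeHtml(q) : q}</p>`;
}

// DOM-based: the fragment is never sent to the server; client-side script reads it
// and writes it into the page. `element` stands in for a DOM node.
function renderFromFragment(pageUrl, element, { safeSink }) {
  const value = decodeURIComponent(new URL(pageUrl).hash.slice(1));
  if (safeSink) element.textContent = value; // treated as text, never parsed as markup
  else element.innerHTML = value;            // parsed as markup by a real browser
  return element;
}

// Demo-only check: did the untrusted value introduce a script tag into the markup?
function hasInjectedTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, used for all three entry points.
const SAMPLE = '<script>alert(1)</script>';
const ENCODED = encodeURIComponent(SAMPLE);

for (const encode of [false, true]) {
  const stored = renderComment({ body: SAMPLE }, { encode });
  const reflected = renderSearchPage(`/search?q=${ENCODED}`, { encode });
  console.log({ encode, stored: hasInjectedTag(stored), reflected: hasInjectedTag(reflected) });
}
const node = renderFromFragment(`https://app.example/welcome#${ENCODED}`, {}, { safeSink: true });
console.log('DOM sink used:', Object.keys(node));
```

`escapeHtml` covers HTML element content and quoted attribute values only; values placed in script blocks, URLs or CSS need encoding for that context.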
Injected malicious code will be executed inside HTML5 pages, but this is not a weak point of HTML5, because once the script is injected, the browser will execute it according to the cross-origin embedding policy. Also, there are no measures to distinguish between malicious code and trusted code when they are received from the same origin, so the browser will execute all loaded scripts under the same privilege according to the same-origin policy.
Any malicious code injected in the form of an embedded script or inline script will be executed by the browser for all types of HTML documents, HTML5 and previous versions alike. The attacker can therefore perform any action the injected code defines, within what the same-origin policy allows on that web page.