1.

Phishing Attacks
Phishing is a type of cyber-attack where attackers disguise themselves as legitimate entities
(such as trusted organizations, websites, or individuals) to deceive people into providing
sensitive information, such as passwords, credit card details, or personal identification
numbers (PINs). These attacks often occur through email, text messages, or malicious
websites, and can lead to identity theft, financial loss, or unauthorized access to private
systems.

Attack Methods:
1. Email Phishing: Fake emails that look real are sent to trick you into giving personal
information, like passwords or credit card details.
2. Spear Phishing: A personalized phishing attack that targets a specific person or company
using details like their name or job to make it seem more trustworthy.
3. Whaling: A phishing attack aimed at high-level people in a company, like CEOs, to steal
important information or money.
4. Smishing: Fake text messages are sent to your phone to trick you into clicking harmful
links or sharing personal information.
5. Vishing: Phishing over the phone where someone pretends to be from a trusted source,
like a bank, and asks for private information.
6. Clone Phishing: A copy of a real email is sent again, but with a fake link or file that can
harm your device or steal your data.
7. Pharming: You’re redirected from a real website to a fake one without realizing, and
when you enter your information, it gets stolen.
8. Angler Phishing: Fake customer service accounts on social media try to trick you into
sharing personal information or clicking on harmful links.

Mitigations of phishing
1. Be Aware:
- Learn how to spot phishing emails, texts, or calls.
- Don’t click on links or open attachments from unknown sources.
2. Check Links:
- Hover over links to see where they really go before clicking.
- Be cautious of links that look suspicious or unfamiliar.
3. Use Strong Security:
- Enable multi-factor authentication (MFA) to add an extra layer of protection for your
accounts.
- Keep antivirus software and firewalls updated to catch threats.
4. Spam Filters:
- Use spam filters to block suspicious emails from reaching your inbox.
5. Don’t Share Personal Info:
- Avoid sharing personal information (like passwords or credit card details) through email or
text.
- Be careful with what you share on social media.
6. Verify Before Trusting:
- If you get a strange message from a company, call them directly to verify.
- Don’t trust emails that ask for urgent action or financial information.
7. Report Phishing:
- Report phishing emails or texts to your email provider or IT department.
 8. Keep Software Updated:
- Regularly update your devices, browsers, and security tools to protect against the latest
threats.
Handling:
 Report the phishing attempt to your IT or security team.
 Disconnect compromised accounts and initiate password resets.
 Monitor for suspicious activity in affected accounts.

2. Malware Attacks
Refers to various types of harmful programs designed to infiltrate or damage systems
without the user's consent. As a SOC Tier 1 Analyst, recognizing different types of
malware, preventing them, and responding effectively is critical to maintaining network
security.

Types of Malware Attacks

 Viruses:
Description: Attaches itself to legitimate files and programs, requiring user action
(like opening a file) to spread.
Examples:
File Infecting Virus: Infects executable files; when the file is run, the virus
activates.
Macro Virus: Embedded in documents like Word or Excel files and spreads when
the file is opened.
 Worms:
Description: Self-replicating malware that spreads across networks without user
action.
Examples:
SQL Slammer: Exploits a vulnerability in SQL servers, rapidly spreading across
the internet.
Morris Worm: One of the earliest worms, which caused significant damage to
early internet networks.
 Trojan Horses:
Description: Disguises itself as legitimate software, tricking users into installing
it.
Examples:
Remote Access Trojans (RATs): Allows an attacker to control the infected
system remotely.
Banking Trojans: Steals sensitive financial information like banking credentials.
 Ransomware:
Description: Encrypts files on the victim’s system, demanding payment for the
decryption key.
Examples:
WannaCry: Spread through a vulnerability in Windows SMB, encrypting files
and demanding ransom in Bitcoin.
CryptoLocker: Distributed via email attachments, encrypting files and demanding
a ransom for decryption.
 Spyware:
Description: Secretly collects information about users without their knowledge.
Examples:
Keyloggers: Records every keystroke to steal passwords and sensitive
information.
Adware: Tracks browsing activity to serve targeted ads, often slowing down
systems.
 Rootkits:
Description: Gains unauthorized root-level access to a system, hiding its presence
and giving attackers persistent control.
Examples:
Kernel-mode Rootkit: Alters the operating system kernel to hide malicious
activity.
Bootloader Rootkit: Loads at system startup, making it difficult to detect and
remove.
 Bots/Botnets:
Description: Turns infected devices into "bots" to carry out attacks, often
controlled by a botnet command-and-control server.
Examples:
Mirai Botnet: Infected IoT devices to launch massive Distributed Denial of
Service (DDoS) attacks.
Zeus Botnet: Used for stealing banking information by keystroke logging and
form grabbing.

Prevention of Malware Attacks

 Endpoint Security: Antivirus and Antimalware Software: Regularly update and run
antivirus programs that scan, detect, and block malware.
 Patch Management: Keep operating systems, applications, and firmware updated to
prevent exploitation of known vulnerabilities.
 Email Security:
Email Filtering: Implement filters that block malicious attachments and phishing
attempts.
Disable Macros by Default: Prevent automatic execution of macros in Office
documents to stop macro-based malware.
 Web Security:
Secure Browsing: Block access to known malicious websites using web filtering
tools.
Disable Unnecessary Plugins: Limit browser plugins that may be exploited by
malware.
 User Awareness and Training:
Phishing Education: Train employees to recognize phishing emails that could
deliver malware.
Download Caution: Educate users to avoid downloading software from untrusted
sources.
 Network Segmentation:
Separate Networks: Isolate critical systems on different networks to limit the
spread of malware.
Least Privilege Principle: Limit user permissions to only what is necessary for
their roles to reduce the impact of malware infections.
  Backup Strategy:
Regular Backups: Perform frequent backups of important data to an offline or
secure location.
Backup Testing: Regularly test backups to ensure they can be restored effectively
after an incident.

 Handling Malware Attacks:

1. Detection and Identification
 Monitor SIEM Alerts:
 Suspicious Activity: Monitor for unusual network behavior, such as unexpected
outbound connections or high CPU usage on endpoints.
 Anti-Virus Logs: Correlate alerts from endpoint security solutions (e.g., Windows
Defender, McAfee) indicating possible malware infections.
 Common Indicators:
 System Slowness: Infected machines often exhibit slow performance due to
malware processes consuming resources.
 Unusual Network Traffic: Malware may attempt to communicate with
command-and-control (C2) servers.
 Unauthorized Processes: Detect rogue processes or applications running on
machines.
2. Initial Assessment and Triage
 Verify the Threat:
 False Positives: Determine if the malware detection is legitimate or a false
positive. For instance, antivirus programs may flag benign files.
 Scope of Infection: Assess how many systems or devices are impacted and
whether the malware has spread.
 Identify the Malware:
 Type of Malware: Is it a virus, trojan, ransomware, or worm? Knowing the
malware type helps tailor your response.
 Attack Vector: Determine how the malware entered the network (e.g.,
phishing email, malicious website, or infected USB drive).
3. Containment:
 Isolate Infected Systems:
 Network Isolation: Disconnect infected machines from the network to prevent
further spread of the malware.
 Endpoint Quarantine: Use endpoint security tools to quarantine compromised
systems and block access to sensitive areas.
 Block Communication:
 Firewall Rules: Create rules to block malicious IPs or domains the malware
might use for command-and-control communication.
 Proxy Settings: Modify proxy configurations to block access to malicious
URLs.
 Stop the Spread:
 Disable USB Drives: If malware is spreading via USB, temporarily disable
USB ports on machines across the network.
 Harden Credentials: Reset credentials on potentially compromised accounts
to limit lateral movement by the attacker.
4. Eradication and Remediation
 Clean Infected Systems:
 Anti-Malware Tools: Run full malware scans on infected systems using
updated antivirus or anti-malware software to clean infections.
 Manual Removal: In some cases, manual intervention may be needed,
especially with sophisticated malware or rootkits.
 Restore from Backup:
 Reinstall Operating System: For heavily compromised systems, it may be
necessary to wipe and reinstall the operating system.
 Recover from Backup: Restore data from clean backups, ensuring that the
malware has not affected backup files.
5. Escalation to Tier 2/3 Analysts
 Sophisticated Malware: If the malware is particularly advanced (e.g., using
polymorphic techniques, encryption, or rootkits), escalate to higher-tier analysts.
 Detailed Analysis: Tier 2/3 analysts may perform deep-dive forensic analysis to
determine the full extent of the infection and locate the root cause.
6. Post-Incident Handling
 Incident Documentation:
 Record Details: Document the entire incident, including detection time, type
of malware, infected systems, and actions taken.
 Root Cause Analysis: Perform root cause analysis to understand how the
malware penetrated the network and how it spread.
 Improve Security Posture:
 Patch Vulnerabilities: Apply security patches and harden configurations to
close the vulnerabilities exploited by the malware.
 Review Policies: Update security policies and procedures to prevent similar
malware infections in the future.
3. Distributed Denial of Service (DDOS) Attacks

A Denial of Service (DOS) attack aims to make a network service unavailable to its intended
users by overwhelming it with excessive traffic or exploiting vulnerabilities.

Types of DOS Attacks

1. Volumetric Attacks:
o Description: Flood the network with massive amounts of traffic to consume
bandwidth.
o Examples:
 UDP Flood: Sends large numbers of UDP packets to random ports, causing
the server to respond with ICMP Destination Unreachable packets.
 ICMP Flood (Ping Flood): Overwhelms the target with ICMP Echo
Request (ping) packets.
2. Protocol Attacks:
o Description: Exploit weaknesses in network protocols to deplete server resources.
o Examples:
 SYN Flood: Sends a barrage of SYN requests to initiate TCP connections
but never completes the handshake, exhausting server resources.
 Ping of Death: Sends malformed or oversized packets that crash or
destabilize the target system.
3. Application Layer Attacks:
o Description: Target specific applications or services to exhaust resources at the
application level.
o Examples:
 HTTP Flood: Sends a high volume of HTTP requests to a web server,
overwhelming it.
 Slowloris: Keeps many connections to the target web server open by
sending partial requests, preventing it from closing connections.
4. Distributed Denial of Service (DDOS) Attacks:
o Description: Similar to DOS attacks but originate from multiple compromised
systems (botnets), making them harder to mitigate.
o Examples: Any of the above attacks (Volumetric, Protocol, Application Layer)
launched from numerous sources.

Prevention of DOS Attacks

1. Network and Infrastructure Hardening:
o Firewalls and Intrusion Prevention Systems (IPS): Configure firewalls to detect
and block suspicious traffic patterns indicative of DOS attacks.
o Rate Limiting: Implement rate limiting on servers to restrict the number of
requests from a single IP address.
o Load Balancers: Distribute incoming traffic across multiple servers to prevent any
single server from being overwhelmed.
2. DDOS Mitigation Services:
o Cloud-Based Protection: Utilize services like Cloudflare, Akamai, AWS Shield,
or Imperva that can absorb and mitigate large-scale DDOS attacks.
o Scrubbing Centers: Route traffic through scrubbing centers that filter out
malicious traffic before it reaches your network.
3. Redundancy and Scalability:
o Geographically Distributed Servers: Deploy servers in multiple locations to
distribute traffic and reduce the impact of localized attacks.
o Scalable Infrastructure: Use cloud services that can automatically scale resources
to handle sudden traffic spikes.
4. Secure Configuration:
o Disable Unnecessary Services: Reduce the attack surface by disabling services
and ports that are not in use.
o Patch Management: Regularly update and patch systems and applications to fix
vulnerabilities that could be exploited in DOS attacks.
5. Traffic Analysis and Anomaly Detection:
o Monitor Traffic Patterns: Use monitoring tools to establish baseline traffic
patterns and detect anomalies that may indicate an ongoing attack.
o Behavioral Analytics: Implement systems that use machine learning to identify
unusual traffic behavior in real-time.
6. Implementing Robust Application Design:
o Efficient Coding Practices: Optimize application code to handle high traffic loads
gracefully.
o Caching Mechanisms: Use caching to reduce the load on backend servers by
serving frequently requested content from cache.

Handling DOS Attacks:

1. Detection and Identification
 Monitor Alerts:
o SIEM Tools: Continuously monitor alerts from Security Information and Event
Management (SIEM) systems like Splunk, QRadar, or ArcSight.
o Traffic Anomalies: Look for unusual spikes in traffic volume, high number of
requests from a single IP, or unusual patterns that deviate from the baseline.
 Common Indicators:
o High Bandwidth Usage: Sudden increase in inbound or outbound traffic.
o Service Unavailability: Applications or services becoming slow or unresponsive.
o Error Rates: Increased number of error responses (e.g., 503 Service Unavailable).
2. Initial Assessment and Triage
 Verify the Alert:
o False Positives: Determine if the alert is a false positive by checking if the traffic
spike is legitimate (e.g., due to a marketing campaign or a legitimate surge in
usage).
o Scope of Impact: Identify which services or applications are affected and the
extent of the impact.
 Gather Information:
o Source IP Addresses: Identify the IP addresses generating the excessive traffic.
o Type of Attack: Determine if it’s volumetric, protocol-based, or application layer.
o Duration and Intensity: Assess how long the attack has been ongoing and its
intensity.
 3. Mitigation and Containment
 Implement Rate Limiting:
o Apply rate limits to restrict the number of requests from individual IP addresses or
regions.
 Block Malicious IPs:
o Use firewalls or access control lists (ACLs) to block IP addresses identified as
sources of the attack.
 Engage DDOS Protection Services:
o Contact Providers: Notify your DDOS mitigation service provider to activate
their protection mechanisms.
o Traffic Redirection: Work with your provider to reroute traffic through their
scrubbing centers.
 Enable WAF Rules:
o Configure Web Application Firewalls (WAFs) to block malicious traffic patterns
specific to the ongoing attack.
4. Communication and Coordination
 Notify Stakeholders:
o Inform relevant teams (e.g., IT, Network, Management) about the incident and
ongoing mitigation efforts.
 Provide Updates:
o Regularly update stakeholders on the status of the attack and the effectiveness of
mitigation measures.
5. Escalation to Tier 2/3 Analysts
 Complex Attacks:
o For sophisticated or persistent attacks, escalate the incident to higher-tier analysts
for deeper investigation and advanced mitigation strategies.
 Detailed Analysis:
o Tier 2/3 analysts may perform comprehensive traffic analysis, engage with external
DDOS mitigation services, or implement more complex network configurations.
6. Post-Incident Handling
 Documentation:
o Record all details of the incident, including detection time, attack type, mitigation
steps taken, and impact on services.
 Root Cause Analysis:
o Analyze how the attack was conducted, identify vulnerabilities exploited, and
assess the effectiveness of the response.
 Review and Improve:
o Update incident response plans based on lessons learned.
o Implement additional preventive measures to strengthen defenses against future
attacks.

4. SQL Injection (SQLi)

A SQL Injection (SQLi) attack involves inserting malicious SQL statements into a database
query through unsanitized user inputs, allowing an attacker to manipulate, retrieve, or delete data.
Types of SQL Injection Attacks

1. In-Band SQL Injection:

o Description: The attacker uses the same communication channel to execute SQL queries
and retrieve results.
o Examples:
 Error-Based SQLi: Relies on database error messages to gather information
about the database structure.
 Union-Based SQLi: Uses the SQL UNION operator to combine multiple SQL
queries and retrieve data from other database tables.
2. Blind SQL Injection:
o Description: No direct feedback is given to the attacker about the success of the query,
making it more challenging but still effective.
o Examples:
 Boolean-Based Blind SQLi: Manipulates queries that return TRUE or FALSE,
allowing the attacker to infer the data structure through boolean conditions.
 Time-Based Blind SQLi: Sends queries that result in time delays (e.g., SLEEP()
function) if the query returns true, allowing attackers to extract data indirectly.
3. Out-of-Band SQL Injection:
o Description: Attacker executes SQL commands, but results are returned through a
different communication channel (e.g., HTTP, DNS requests).
o Examples: This method is used when in-band and blind SQLi fail due to server
configurations.

Prevention of SQL Injection Attacks

1. Input Validation and Sanitization:

o Sanitize Inputs: Ensure all inputs are cleaned, sanitized, and validated before being
processed by SQL queries.
o Allowlists: Implement allowlists to limit user inputs to expected values (e.g., for form
inputs or URL parameters).
2. Use Prepared Statements (Parameterized Queries):
o Description: Prepared statements use placeholders (?) instead of directly inserting user
input into SQL queries, preventing malicious code execution.
o Example (PHP):

php
Copy code
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
$stmt->execute([$username]);

o Impact: Prevents the input from being treated as part of the SQL query.
3. Stored Procedures:
o Description: Stored procedures execute predefined SQL code on the database server side,
reducing the risk of SQL injection by not allowing user-supplied SQL commands.
o Example:

sql
Copy code
EXECUTE getUserInfo @username = 'user1';

o Impact: Limits direct interaction with the SQL database through queries.
 4. Escape Dangerous Characters:
o Escape Quotes: Use functions like mysqli_real_escape_string() in PHP to escape
special characters such as single quotes (').
o Use Object Relational Mappers (ORM): ORMs like SQLAlchemy or Hibernate
automatically escape potentially dangerous inputs.
5. Least Privilege Principle:
o Database Access Control: Limit database privileges for application users to only what's
necessary. Ensure accounts interacting with the database have limited access.
o Example: Deny DELETE or DROP table privileges to the web application user account.
6. Web Application Firewalls (WAF):
o Deploy WAFs: Use Web Application Firewalls to filter and block common SQL injection
patterns before they reach your application. Solutions like ModSecurity, Cloudflare
WAF, and AWS WAF can block SQLi attempts.
7. Database Error Handling:
o Disable Error Reporting: Do not reveal database error messages to users. Handle errors
gracefully on the server-side and display generic error messages to users.
o Impact: Prevents attackers from gaining insights into database structure and
vulnerabilities through error messages.

1. Detection and Identification

 Monitor Alerts:
o SIEM Tools: Review alerts from Splunk, QRadar, or Elastic Stack for patterns
indicative of SQLi attempts (e.g., injection strings like ' OR 1=1 or UNION
SELECT).
o WAF Logs: Regularly check your WAF logs for blocked SQL injection attempts
or suspicious query patterns.
 Common Indicators:
o Unusual Database Queries: Repeated or unusual queries that indicate someone is
attempting to inject SQL statements.
o Error Logs: Frequent database errors or abnormal error codes related to SQL
queries, such as SQL syntax error.
o Sudden Data Access: Unexplained access to sensitive tables or a spike in read
operations on certain database tables.

2. Initial Assessment and Triage

 Verify the Alert:

o False Positives: Check if the alert was triggered by legitimate users, such as
administrators executing complex queries or poorly structured queries by
developers.
o Impact Assessment: Identify if sensitive data has been accessed or if unauthorized
changes have been made to the database.
 Gather Information:
o Source of the Attack: Identify the IP address, user account, or system sending the
malicious SQL commands.
o Entry Points: Determine which application input fields or APIs were used for
SQL injection.
3. Mitigation and Containment

 Block the Attacker:

o IP Blocking: Use firewalls, WAF, or ACLs to block the IP addresses attempting to
exploit the vulnerability.
o Suspend Accounts: Temporarily disable compromised user accounts that might be
used to carry out the attack.
 Patch Vulnerabilities:
o Sanitize Inputs: Ensure immediate sanitization of vulnerable input fields.
o Apply Database Patches: Apply security patches for the database management
system (e.g., MySQL, PostgreSQL).
 Database Logging:
o Enable Query Logs: If not already enabled, ensure detailed logging of database
queries to track any unauthorized access or manipulation.
o Limit Database Access: If the attack is ongoing, limit database interactions until
the threat is mitigated.

4. Communication and Escalation

 Notify Stakeholders:
o Inform database administrators, developers, and management about the attack and
mitigation efforts.
 Escalate if Necessary:
o Escalate the incident to Tier 2/3 analysts if the SQL injection attempt is complex,
persistent, or has resulted in significant data loss or compromise.

5. Post-Incident Handling

 Root Cause Analysis:

o Investigate how the attacker successfully injected SQL commands, which input
fields or APIs were vulnerable, and if any sensitive data was exfiltrated.
 Patch and Strengthen Defenses:
o Implement input validation, deploy prepared statements, and apply patches to
prevent future SQLi attacks.
 Document and Review:
o Record all details of the incident, including SQLi payloads used, entry points, data
compromised, and remediation steps.
o Review the incident response and refine detection and response procedures based
on lessons learned.

----------------------------------------------------------------------------------------------------------------------
5. Man-in-the-Middle (MitM) Attacks
The threat actor's primary goal is to intercept and possibly alter communication between two
parties to gain unauthorized access to sensitive information, such as passwords, financial data,
or private messages.
Attack Methods:
Session Hijacking: The attacker intercepts and takes control of a user session, often to steal
sensitive information or impersonate the user.
SSL Stripping: Downgrading a secure HTTPS connection to an unsecure HTTP connection,
allowing the attacker to view and potentially alter the transmitted data.
 Packet Sniffing: Capturing network traffic to analyze and extract valuable data, such as
login credentials or personal information.
DNS Spoofing: Manipulating DNS records to redirect users to malicious websites that
appear legitimate, where they may enter sensitive information.
Wi-Fi Eavesdropping: Intercepting data over unsecured or poorly secured Wi-Fi networks
to gather sensitive information.
Email Interception: Intercepting email communications to gain access to confidential
information or to alter the content of the message.

Handling:
-Terminate Malicious Sessions: If a MitM attack is identified, terminate the malicious
session and quarantine the compromised devices.
-Block Malicious IPs: Use firewall rules and iptables to block the attacker’s IP address.
-Implement ARP Spoofing Protection via network equipment or configure Static ARP entries
for critical systems.
-Enforce strict DNS security policies like DNSSEC to prevent DNS spoofing.
-Ensure proper certificate validation using Public Key Pinning (HPKP) or enforcing the use
of trusted Certificate Authorities (CAs).

Prevention:
-Patch and Update Systems: Ensure all systems and applications are patched against
vulnerabilities that could be exploited by MitM attacks (e.g., SSL/TLS vulnerabilities).
-User Awareness: Educate users on the risks of connecting to untrusted Wi-Fi networks, and
encourage the use of VPNs for secure communication.
-Monitor the Network for Further Anomalies: Continue to monitor the network for any
indications of ongoing or residual attacks.
-Encryption: Ensure all sensitive communications are encrypted using SSL/TLS to mitigate
the impact of MitM attacks.
-Multi-factor Authentication (MFA): Implement MFA to protect against session hijacking
during an active MitM attack.
-Network Segmentation: Use VLANs and proper network segmentation to reduce the attack
surface.
-Strong Certificate Management: Ensure robust certificate lifecycle management, including
regular updates and revocation checks.

6. Password Attacks
The threat actor's primary goal is to gain access to credentials, such as passwords and other
sensitive information.

Attack Methods:
1. Brute Force: Repeatedly trying various combinations of passwords until the correct one is
found.
2. Dictionary Attack: Using a predefined list of common passwords or words to guess the
correct password.
3. Phishing: Deceptively tricking individuals into revealing their credentials through
fraudulent emails or websites.
4. Man-in-the-Middle (MITM): Intercepting and potentially altering communication
between two parties to steal passwords or other sensitive data.
5. Rainbow Table Attack: Utilizing precomputed tables of hashed passwords to quickly
reverse cryptographic hash functions and retrieve plain text passwords.
 6. Social Engineering: Manipulating individuals into divulging confidential information,
often by exploiting trust.

Handling:
1. Block the IP address involved in the attack.
2. Block the domain (if applicable).
3. Notify affected users and instruct them to reset their passwords.
4. Notify management of the breach.
5. Document and report the incident.

Prevention:
1. Implement rate limiting (e.g., limit the number of password attempts within a set
timeframe).
2. Enable account lockouts after a certain number of failed login attempts.
3. Enforce the use of strong and unique passwords.
4. Implement Multi-Factor Authentication (MFA).
5. Conduct regular penetration testing to identify vulnerabilities.
6. Train employees on security best practices (this is crucial).
7. Monitor user activity for suspicious behavior.
8. Ensure systems are regularly patched and updated to protect against known vulnerabilities

7. Cross-Site Scripting (XSS)

A type of security vulnerability found in web applications where attackers inject malicious
scripts into webpages viewed by other users. These scripts can run in the user's browser,
allowing attackers to steal sensitive data (like cookies or session tokens), manipulate web
content, or perform actions on behalf of the user without their consent.
XSS exploits occur when web applications fail to properly sanitize user input, allowing attackers
to insert and execute harmful code.

Types of XSS:-
1. Stored XSS (Persistent XSS)
- The attacker’s harmful script is saved (or "stored") on a website, like in a comment or user
profile. When other users visit the page, the script runs in their browser, allowing the attacker to
steal their data or control their actions.

2. Reflected XSS
- The attacker tricks a user into clicking a link that sends their harmful script to a website. The
website “reflects” the script back in its response, and the script runs in the user's browser. This
type usually happens through links in emails or search forms.

3. DOM-based XSS
- The script is injected into the webpage and runs directly in the user's browser by exploiting
how the webpage processes data (Document Object Model or DOM). In this case, the
vulnerability is entirely in the browser and doesn't involve the server.

Mitigations of XSS:-
1. Check and Clean User Input:
- Always check and clean any data users enter (like in forms) so it can’t contain harmful code.
2. Encode Data Before Displaying:
 - When showing user-generated content on a webpage, make sure special characters (like < or
>) are displayed as text, not code.
3. Use Security Settings:
- Set up a Content Security Policy (CSP) to control which scripts can run on your site. This
blocks untrusted scripts from running.
- Enable X-XSS-Protection in older browsers to block simple XSS attacks.
4. Avoid Risky JavaScript Functions:
- Don’t use functions like eval() with user data, because they can allow harmful scripts to run.
5. Protect Cookies:
- Set cookies to HttpOnly so they can’t be accessed by JavaScript, making it harder for attackers
to steal user data.
6. Use Safe Frameworks:
- Use web development frameworks like React or Angular that automatically protect against
XSS by handling user input safely.
7. Careful with DOM Changes:
- Avoid inserting untrusted data directly into the webpage using methods like innerHTML.
Instead, use safer methods like textContent.
8. Test for Security:
- Regularly test your website for security issues to find and fix any XSS vulnerabilities