BOOK THIS SPACE FOR AD
ARTICLE ADXSS stands for cross-site scripting. It is counted among the OWASP top 10 vulnerabilities for web applications. XSS is an injection attack where malicious javascript is injected into a web application and is executed by other users. Attackers take advantage of this vulnerability to conduct malicious activities. For example:
Session Stealing — an attacker can steal cookies from an authenticated session and gain access to login tokens that will allow them to login as the victim.Keylogging — an attacker can log everything you type on your browser(including login credentials and banking details) and send your keystrokes to their own server.Port Scanning — in some cases, XSS can even be used to identify other hosts on an internal network!There are two types of XSS attacks that I will be covering in this piece. The first is Reflected XSS, for which I will be providing demonstrations, the second is Stored XSS, which I’ll be giving a brief overview of!
XSS vulnerabilities are discovered by testing entry points. Entry points that may be vulnerable to XSS include:
URL query stringsURL file pathsComments on a blogUser profile informationInput fields with drop down menusReflected/Non-persistent XSS attack is when an attacker gets a script to execute within another user’s browser. These attacks are made possible when user-supplied data in an HTTP request is included in the webpage source without any validation.
Say for example there is a web application that let’s users search for items in a store. You enter in the following term into the search box: table. The application then makes a request like so:
https://example.com/search?term=tableUpon reviewing the source code of the page, you notice the application has included the user supplied search term in the webpage’s source:
<div class = “example class”>
<p> You searched for: table </p>
</div>
Assuming that there is no input validation or processing being applied to the data, an attacker can replace the term with malicious JavaScript code. For example, instead of entering “table” into the search box, they enter:
<script>alert('XSS');</script>After entering the following payload(Javascript code), if the application is indeed vulnerable to xss, just like the first search, the payload will be included in the source and the javascript will execute causing an alert box containing the string of text(‘XSS’) will pop up on the page!
This serves as the proof of concept for the attacker. The application is vulnerable to XSS; Javascript code was executed within the browser.
Now, you may be wondering “why is this considered dangerous?” Keep in mind that the value entered into the search box is also the value of the URL parameter.
https://example.com/search?=<attackers-malicious-javascript>So if an attacker were to copy the link including their payload and email it to many different people in a phishing attempt, whoever clicked that link will have the code executed in their browser.
Unlike with reflected xss, a stored xss does not execute within a single user’s browser. The attacker’s payload is instead stored on the web application itself(such as in a database) and is thus executed anytime a user visits the webpage. Because XSS attacks are self-contained within the application itself, the attacker doesn’t need to trick users into making a request containing their exploit(such as through a phishing attempt).
A stored XSS attack is made possible when a website does not sanitize user input before it is inserted into the database.
To discover a stored XSS vulnerability, an attacker would need to test possible points of entry where it seems data is taken from a user, stored, and then shown to other user’s. Examples Include:
Comments on a blogUser profile informationInput fields with dropdown menusI’m going to use the intentionally vulnerable OWASP Broken Web Application to demonstrate how to test for reflected xss using BurpSuite and some JavaScript code!
Making sure that BurpSuite’s intercept is off, launch the OWASP BWA by entering its ip address in the address bar of your browserThe attacker’s payload(malicious javascript code) depends on the context of the XSS vulnerability. That is, a different method of exploitation may be needed depending on where the controllable data appears and what type of input validation is being used.
There are measures put in place to ensure that user input(untrusted data) is only displayed within a user’s browser but never executed.
Common forms of XSS defenses include:
HTML Entity and Attribute EncodingURL EncodingJavascript EncodingCSS Hex EncodingThat’s what I’ve learned so far about XSS Vulnerabilities! I hope you were able to learn something as well! Thankyou so much for reading.
Upcoming Pieces Include:
Exploiting Stored XSS: Basic, Medium, and AdvancedOvercoming/Circumventing XSS DefensesUntil then, Happy Hacking!