Cross-site scripting (XSS)



Description

Cross-site scripting (XSS) is a vulnerability that lets an attacker inject client-side script into a web page that other users view. The victim's browser runs that script inside the vulnerable site's origin, so it can read the page's cookies and DOM, hijack the session, perform actions as the victim, or redirect the victim to an attacker-controlled site.


Examples/Methods/Results

Simple example

Assume we have the following index.php as the target page.

No image found

An example of its normal use:

No image found

But if the attacker submits <script>alert('1')</script> instead, the browser shows a pop-up containing '1'. The alert only proves that script execution was reached; the same injection point will run any script the attacker chooses.

No image found

DOM

DOM-based XSS is usually delivered through a phishing link that already carries the payload (for example in the query string or the URL fragment). The vulnerable code is the page's own JavaScript, which reads that user-controlled input and writes it into the DOM (innerHTML, document.write and similar sinks) to build dynamic content without checking it. The whole attack runs inside the victim's browser; the server may never see the payload, so server-side filters and logs do not catch it. A more detailed explanation is given in the first two links under Further Readings. Below is an example of DOM XSS found by trying tags in the search bar.

No image found

The pop-up appears when the script is submitted as the search term.

No image found
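The pattern behind the search-bar finding, as an added example that is not part of the original page: the page's own client-side code reads a query parameter and writes it into the DOM with innerHTML. The parameter name q, the host and the element stand-in are assumptions; in a browser the element would come from document.getElementById.

```javascript
// Added example, not from the original page: the DOM XSS pattern behind the
// search-bar finding. Source: a URL the victim is lured into opening. Sink:
// innerHTML. The server never has to reflect anything; the page's own script
// does the damage. Parameter name "q" and the host are assumptions.

// Minimal stand-in for a DOM element so the sink behaviour can be shown under
// Node; in a browser this would be document.getElementById('results').
// Setting textContent serialises as escaped text, as a real element does.
class FakeElement {
  constructor() { this.html = ''; }
  set innerHTML(v) { this.html = String(v); }
  get innerHTML() { return this.html; }
  set textContent(v) {
    this.html = String(v).replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
  }
}

function searchTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get('q') || '';
}

// Vulnerable client code: user input written as HTML.
function showSearchVulnerable(pageUrl, el) {
  el.innerHTML = 'Results for: ' + searchTerm(pageUrl);
  return el.innerHTML;
}

// Hardened: write it as text, so the browser never parses it as markup.
function showSearchSafe(pageUrl, el) {
  el.textContent = 'Results for: ' + searchTerm(pageUrl);
  return el.innerHTML;
}

// Does the markup contain a tag carrying an inline event handler?
function hasInlineHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed phishing link. The payload is deliberately not <script>:
// script elements inserted through innerHTML do not execute, so DOM XSS
// payloads use a handler that fires on parse, such as onerror on a broken image.
const PHISHING_URL =
  'https://shop.example/search?q=<img src=x onerror=alert(document.cookie)>';

function demo() {
  return {
    vulnerable: showSearchVulnerable(PHISHING_URL, new FakeElement()),
    safe: showSearchSafe(PHISHING_URL, new FakeElement()),
  };
}

const out = demo();
console.log(out.vulnerable, '-> fires:', hasInlineHandler(out.vulnerable));
console.log(out.safe, '-> fires:', hasInlineHandler(out.safe));
```

The choice of payload is the practical point: a <script> tag pasted into the search bar may do nothing through an innerHTML sink even though the sink is exploitable, which is why DOM XSS testing reaches for img/svg event handlers.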

Reflected

Reflected XSS has the same effect, but the payload goes to the server (typically in a query parameter or form field) and is echoed back unencoded in the HTTP response, rather than being inserted by client-side JavaScript. Like DOM XSS it is not persisted, so the victim has to be lured into sending the crafted request. Below, the payload is entered in the Track order input to trigger a pop-up alert.

No image found

The pop-up now appears in place of the tracking order ID.

No image found
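The reflection behind both the index.php example and the Track order finding, as an added example that is not part of the original page, modelled as a Node.js function so it runs offline. The parameter name order, the route and the wording of the markup are assumptions; the vulnerable function does what a PHP page that echoes $_GET['order'] straight into the HTML does.

```javascript
// Added example, not from the original page: the reflection behind the
// index.php and Track order findings, modelled as a Node.js function so it
// runs offline. The parameter name "order" and the route are assumptions.

// Encode for the HTML body/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Read the parameter exactly as the page receives it (percent-decoded).
function orderFromQuery(url) {
  return new URL(url, 'http://localhost').searchParams.get('order') || '';
}

// Vulnerable: the value is concatenated straight into the markup, which is
// what echo "Tracking order " . $_GET['order']; does in PHP.
function renderTrackOrderVulnerable(orderId) {
  return '<p>Tracking order ' + orderId + '</p>';
}

// Hardened: encode at the output boundary, for the context the value lands in.
function renderTrackOrderSafe(orderId) {
  return '<p>Tracking order ' + escapeHtml(orderId) + '</p>';
}

// Constructed attacker link: the payload rides in the query string, so the
// victim only has to open the link; nothing is stored on the server.
const ATTACK_URL = "/track?order=<script>alert('1')</script>";

function demo() {
  const id = orderFromQuery(ATTACK_URL);
  return {
    reflected: id,
    vulnerable: renderTrackOrderVulnerable(id),
    safe: renderTrackOrderSafe(id),
  };
}

const out = demo();
console.log('vulnerable:', out.vulnerable); // the <script> tag is live markup in the victim's browser
console.log('safe:      ', out.safe);       // &lt;script&gt;... is displayed as text
```

Encoding must match the context the value lands in: the entity encoding above is right for HTML body text and quoted attributes, but a value placed inside a JavaScript string or a URL needs that context's encoding instead.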

Stored

Stored (persistent) XSS is a cross-site scripting attack in which the malicious script is saved on the server, for example in a profile field, comment or product review, and is then served to every user who views the page that includes it. Because it needs no crafted link, it is the most dangerous variant. The tester tries storing payloads in each input field whose value is later displayed.

No image found

Sometimes the application sanitizes the input, as shown below, where the <script> tag is stripped from the username.

No image found

We then edit the payload to see whether the filter can be tricked into stripping only a harmless portion, so that what remains is still a working tag (a filter that removes <script> in a single pass, for instance, turns <scr<script>ipt> into <script>).

No image found

Then whoever opens a page that displays your username is attacked by the script, in this case a pop-up.

No image found
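Why the username filter can be beaten and what closes the hole, as an added example that is not part of the original page. The filter is my reconstruction of the behaviour the screenshots describe (strip the literal <script> tag); the payloads are constructed.

```javascript
// Added example, not from the original page: why stripping <script> from the
// username is beatable, and what closes the hole. Payloads are constructed.

// The kind of filter the page shows: remove the literal tag.
function naiveStrip(input) {
  return input.replace(/<script>/gi, '');
}

// Repeating the strip until nothing changes closes the nesting trick, but it
// is still a blacklist: "<script >", "<svg onload=...>" and many others pass.
function stripUntilStable(input) {
  let prev, cur = input;
  do { prev = cur; cur = naiveStrip(cur); } while (cur !== prev);
  return cur;
}

// The fix: keep the stored value as-is and encode it when it is put into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}
function renderProfile(username) {
  return '<h2>Profile of ' + escapeHtml(username) + '</h2>';
}

const PLAIN  = "<script>alert('xss')</script>";
// Nested tag: one pass removes the inner <script> and the outer pieces join up.
const NESTED = "<scr<script>ipt>alert('xss')</script>";

function demo() {
  return {
    plainStripped:  naiveStrip(PLAIN),        // harmless text remains
    nestedStripped: naiveStrip(NESTED),       // a working <script> tag reassembles
    nestedStable:   stripUntilStable(NESTED), // nesting defeated, blacklist still weak
    rendered:       renderProfile(NESTED),    // no tag survives output encoding
  };
}

for (const [k, v] of Object.entries(demo())) console.log(k.padEnd(15), v);
```

The lesson generalises beyond this one payload: input stripping is a blacklist, and every blacklist has a bypass. Store what the user sent, validate its shape where a shape exists, and encode at the point of output.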

Xsser

XSSer is an automated XSS scanner. Assume we have a page as below.

No image found

Intercept the request and copy it without the headers.

No image found

In the terminal:

No image found

Replace the test value hello with the marker XSS so that the tool knows which parameter to inject its payloads into.

No image found

It reports how many payloads worked.

No image found

API

Here the script is injected directly into an API request rather than through the UI. In the example below the email field is replaced with a script that pops up 'xss', and that value is stored. This can work even when the same payload is rejected by the front-end input fields, because client-side validation runs in the attacker's browser and is skipped entirely when the request is sent straight to the API. First we capture a signup request and send it to Repeater.

No image found

We then change the email field into a script that displays a pop-up reading xss, and send the request.

No image found

The script is now stored as the user's email address and fires whenever that value is rendered.

No image found
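The reason the replayed request succeeds where the form refused it, as an added example that is not part of the original page: the signup form's check runs in the browser and the API handler trusts it. Field names, status codes, the in-memory store and the email rule are assumptions; the replayed body is constructed.

```javascript
// Added example, not from the original page: why a payload the signup form
// rejects can still be stored through the API. The front-end check runs in
// the attacker's browser and is skipped entirely when the request is replayed
// from Repeater, so the server has to validate and encode on its own.
// Field names, status codes and the email rule are assumptions.

const EMAIL_RE = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;

// What the signup page's JavaScript checks before it submits the form.
function clientSideValidate(form) {
  return EMAIL_RE.test(form.email);
}

// Vulnerable API handler: trusts that the form already validated the email.
function signupVulnerable(db, body) {
  const user = { username: body.username, email: body.email };
  db.push(user);
  return { status: 201, user };
}

// Hardened API handler: validate again server-side and reject, rather than
// try to clean, anything that does not look like an email.
function signupSafe(db, body) {
  if (typeof body.email !== 'string' || !EMAIL_RE.test(body.email)) {
    return { status: 400, error: 'invalid email' };
  }
  const user = { username: String(body.username), email: body.email };
  db.push(user);
  return { status: 201, user };
}

// Defence in depth: whatever was stored is encoded when rendered.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}
function renderAccount(user) {
  return '<p>Email: ' + escapeHtml(user.email) + '</p>';
}

// Constructed replayed request body, i.e. the JSON sent straight to the API
// after the email field was edited in Repeater.
const REPLAYED_BODY = { username: 'mallory', email: "<script>alert('xss')</script>" };

function demo() {
  const dbVulnerable = [], dbSafe = [];
  const v = signupVulnerable(dbVulnerable, REPLAYED_BODY);
  const s = signupSafe(dbSafe, REPLAYED_BODY);
  return {
    formWouldAccept: clientSideValidate(REPLAYED_BODY), // false: the UI blocks it
    vulnerableStatus: v.status,                         // 201: the API stored it anyway
    storedByVulnerable: dbVulnerable.length,
    safeStatus: s.status,                               // 400: rejected server-side
    storedBySafe: dbSafe.length,
    renderedFromVulnerable: renderAccount(dbVulnerable[0]),
  };
}

console.log(demo());
```

When testing, compare what the form lets through with what the API accepts: any field the UI validates but the handler does not is a candidate for exactly this bypass, and the stored value will reach every page that later displays it.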

Checklist

Things to consider:

No image found

Further Readings

DOM XSS
OWASP XSS