Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web page. This code can then be executed by the victim's browser, which can lead to a variety of malicious effects, such as stealing cookies, hijacking sessions, or redirecting the victim to malicious websites.
Assume we have the following index.php as the page we need to attack.
An example of its normal use would be.
But if the attacker enters <script>alert('1')</script>, they will get a pop-up showing '1'. The injected script can be any script, including one that causes serious harm.
This is usually delivered through a phishing link (the link already carries the attack script). The malicious code is injected into the DOM, which is used to generate dynamic content from user input that is processed without checking. This kind of attack is carried out with JavaScript in the user's browser. A more detailed explanation is provided in the first two links under further reading. Below is an example of DOM XSS found by trying tags in the search bar.
The pop-up appears when the script is submitted as the search term.
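The search-bar case above, as an added example that is not code from the original page: the query parameter is assumed to be named q, and the element is a minimal stand-in for a DOM node so the code runs under Node without a browser. The vulnerable version feeds the URL (a DOM XSS source) into innerHTML (a sink); the fixed version writes the same text through textContent, which never parses markup.

```javascript
// Added example, not code from the original page. The search page is assumed to
// read its query from the URL parameter "q" and show "Results for: <q>".

// Minimal stand-in for a DOM element so the code runs under Node without a browser:
// innerHTML is the markup sink, textContent the text-only sink.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// DOM XSS source: data taken from the page URL (location.search in a browser).
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// VULNERABLE: the untrusted parameter flows straight into the innerHTML sink,
// so any tags in it are parsed and a <script> element is created.
function showResultsUnsafe(url, el) {
  const q = getQueryParam(url, "q");
  el.innerHTML = "Results for: " + q;
  return el.innerHTML;
}

// FIXED: same data, written through textContent; the browser treats it as text,
// never as markup, so "<script>" is displayed literally and nothing executes.
function showResultsSafe(url, el) {
  const q = getQueryParam(url, "q");
  el.textContent = "Results for: " + q;
  return el.textContent;
}

// What a browser would instantiate from the markup sink: the list of start-tag
// names found in innerHTML. Empty means nothing reached the HTML parser.
function tagsRenderedBy(el) {
  const tags = [];
  const re = /<([a-z][a-z0-9]*)\b/gi;
  let m;
  while ((m = re.exec(el.innerHTML)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Constructed request URL carrying the page's pop-up payload in the search box.
const SAMPLE_URL =
  "http://shop.example.test/search?q=" + encodeURIComponent("<script>alert('1')</script>");
```

In a real page the same check is a code review for any flow from location.*, document.referrer or postMessage data into innerHTML, outerHTML, document.write or eval; switching the sink to textContent (or to a templating library that escapes by default) removes the vulnerability without touching the input.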
This is similar to DOM XSS but does not rely on the DOM. The example below shows malicious code inserted into the Track Order input to produce a pop-up alert.
It will now show the pop-up in place of the Track Order ID.
Stored XSS is a type of XSS attack in which the malicious code is stored on the web server. The code is then executed by any user who visits the page that contains it. The tester tries storing injections in different input fields.
Sometimes an input field will try to sanitize the input, as shown below, by removing the <script> tag from the username.
We then try editing the input to see if we can trick the sanitizer into removing only a useless portion.
Then whoever opens a page that displays your username will be attacked by the script, in this case a pop-up.
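Both the index.php pop-up earlier and the username sanitizer just described come down to the same defensive point, shown here as an added example that is not code from the original page: a filter that deletes the literal <script> tag can be tricked into deleting only a useless portion, whereas encoding at output time holds. The "Welcome, <username>" fragment is an assumed shape for index.php, and the function names are assumptions.

```javascript
// Added example, not code from the original page. renderUsernameStripped stands in
// for the page's sanitizer (delete the literal <script> tag), renderUsernameEncoded
// for the fix; the "Welcome, <username>" fragment is an assumed shape for index.php.

// The filter the page describes: remove the literal "<script>" tag.
function stripScriptOnce(input) {
  return input.replace(/<script>/gi, "");
}

// A deletion filter is only trustworthy if it is idempotent: applying it a second
// time must change nothing. If it does, the first pass can be made to produce the
// very tag it was meant to remove. This is the check to run on any such sanitizer.
function isIdempotent(filter, input) {
  const once = filter(input);
  return filter(once) === once;
}

// The defence that holds: encode for the HTML text context at output time, so the
// browser displays the characters instead of parsing them.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: render after the strip filter.
function renderUsernameStripped(username) {
  return "<p>Welcome, " + stripScriptOnce(username) + "</p>";
}

// FIXED: render with output encoding and no reliance on input filtering.
function renderUsernameEncoded(username) {
  return "<p>Welcome, " + escapeHtml(username) + "</p>";
}

// Number of start tags a browser would parse from the markup (<p> counts as one).
function tagCount(html) {
  return (html.match(/<[a-z][a-z0-9]*\b/gi) || []).length;
}

// Constructed inputs: the page's plain pop-up payload, which the filter handles,
// and a username where the "useless portion" is all the filter removes.
const PLAIN_PAYLOAD = "<script>alert('1')</script>";
const NESTED_PAYLOAD = "<scr<script>ipt>alert('1')</script>";
```

The idempotence check is the quick way to judge a strip-based sanitizer during a review: if filter(filter(x)) differs from filter(x) for any x, the filter is creating content rather than removing it. Output encoding sidesteps the question entirely, because the stored username is never handed to the HTML parser as markup.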
This is an automated tool for XSS. Assume we have a page as shown below.
Intercept it and copy the request without the header.
In the terminal
Change hello to XSS so that the tool knows where to inject.
It will report how many payloads worked.
This is when a script is injected directly into an API request. In the example below, the email is changed into a script that displays a pop-up saying xss, so that the script is stored. This may work even when the same script was rejected by the front-end input fields. Here we capture a signup request and send it to a repeater.
We then change the email field into a script that displays a pop-up saying xss, and send it.
The script is now stored as the user's email and will display a pop-up whenever it is loaded.
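The signup case above, as an added example that is not code from the original page: the first handler mirrors an API that only checked the email in the browser, the second validates the same field on the server, which is the one place a replayed request cannot skip. The in-memory store, handler names and the request shape are assumptions.

```javascript
// Added example, not code from the original page. handleSignupUnsafe mirrors an API
// that only checked the email on the front end; handleSignupSafe validates the same
// field on the server. The in-memory store and handler names are assumptions.

// VULNERABLE: trusts the request body as sent. A request replayed from a repeater
// never ran the browser-side check, so a script in "email" is stored as-is.
function handleSignupUnsafe(body, store) {
  store.push({ email: body.email });
  return { status: 201 };
}

// Server-side allowlist for the email field: local part, one "@", dotted domain,
// and none of the characters an HTML or script context would interpret.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateEmail(value) {
  if (typeof value !== "string") return "email must be a string";
  if (value.length > 254) return "email too long";
  if (!EMAIL_RE.test(value)) return "email has invalid format";
  return null;
}

// FIXED: validate on the API. Rejected requests return 400 with the reason, which
// is also the event to log when watching for repeated malformed signups.
function handleSignupSafe(body, store) {
  const reason = validateEmail(body.email);
  if (reason !== null) return { status: 400, error: reason };
  store.push({ email: body.email });
  return { status: 201 };
}

// Constructed requests: the page's stored-XSS signup and a normal one.
const SCRIPT_SIGNUP = { email: "<script>alert('xss')</script>" };
const NORMAL_SIGNUP = { email: "alice@example.test" };
```

Validation stops the payload from being stored, but the profile page that later renders the email still needs output encoding: validation rules get loosened over time and other stored fields may be less constrained than an email address.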
Things to consider: