Introduction to XSS - Methods, Impact and Prevention
When you search for hacking tutorials or read through write-ups, you will definitely come across the term XSS. In this post I am going to explain what XSS is, what its impact is, and how to exploit it, with a few examples.
XSS, aka Cross-Site Scripting, is a vulnerability that allows an attacker to inject and execute JavaScript code on the target website. This lets the attacker log the victim's details, build a phishing page, bypass CSRF protection, steal cookies and much more.
This post covers two types of XSS: stored and reflected.
Stored XSS is the type where user-entered data is saved on the server and then displayed on some other page. For example, parameters like name, place and about can be vulnerable to stored XSS.
That said, a field like password is stored once and never retrieved or shown again, so it is not vulnerable to stored XSS.
When can this be exploited?
- The developer isn't validating user inputs.
- The developer added certain validations but they are client side only.
How to Exploit?
- Check fields like name, about, place, website, etc. while registering or editing your profile/settings, because they are reflected in many places.
- Inject XSS payloads to them and click submit. Now check how the server responds to it.
Basic payloads you can try are
"><script>alert(document.domain)</script>
"><img src=X onerror="alert(document.domain)">
Now what happens is:
The "> closes the value attribute and the input tag, so the script is added as a new tag right after it.
Some developers add filters that strip out the script tag. In that case you can try the second payload. It closes the current open tag, then creates a new image tag with source X; since there is no image named X, the load fails, the onerror handler fires and the alert triggers.
If the angle brackets are HTML-encoded (rendered as literal < and > instead of being treated as tags), you can try other encodings such as %3C and %3E, \x3c or \u003c. Whether these work depends on where the value ends up and how it is decoded before it reaches the page.
The "> isn't that important for stored XSS, but we add it because if the content is later loaded into an input box somewhere, the payload will trigger there too.
Reflected XSS is the type where the user input is reflected in the response but not stored. This happens mainly in search features.
For example, consider the URL https://site.com/search?q=query where the query is reflected in the page; this may be vulnerable to reflected XSS. Depending on how the text is reflected, you can try various payloads such as
"><script>alert()</script>
"><img src=X onerror="alert()"/>
" onmouseover="alert()
and so on. We already covered the first two, so let's check what happens in the third case.
The " closes the value attribute, and the rest adds an onmouseover attribute, which is a hover event listener.
So you can try a URL like https://site.com/search?q="+onmouseover="alert()
Impact of XSS
- Create a fake login page on the site itself for phishing
- Steal the user's cookies
- Redirect the user to unwanted sites
- Steal the CSRF token and perform critical actions on behalf of the user, like changing the email or mobile number or requesting account deletion.
- Steal user's data from page.
- Deface a website
and many more
How to prevent XSS
- Add client-side validation to catch bad input at the source (as noted above, it can be bypassed, so it is never sufficient on its own)
- Add server-side validation for all user inputs, and also for the other parameters of each request
- Use the X-XSS-Protection header so the browser's XSS auditor will try to block it. Modern browsers have removed the auditor, so treat this header as a legacy measure only.
- Use Content-Security-Policy, aka CSP, to define the allowed script sources. Better still, only allow execution from a dedicated subdomain that hosts JS/CSS files.
Note: the browser's XSS auditor can only block certain reflected XSS payloads. It can't block stored XSS, because the payload is retrieved from the server and served along with the site.
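As an added example (not code from the original post), here is the reflected search page discussed above in its vulnerable and hardened forms, together with the response headers from the prevention list. The renderers and helpers are hypothetical, and static.example.com is a placeholder for the dedicated static subdomain.

```javascript
// Added example, not code from the original post. static.example.com below
// stands in for a dedicated static subdomain; all other names are made up.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the query is concatenated into an attribute and into text as-is,
// so "> breaks out of the value attribute and " onmouseover= adds a handler.
function renderVulnerable(q) {
  return `<input name="q" value="${q}">\n<p>Results for ${q}</p>`;
}

// Hardened: the same template, but every user-controlled value is escaped first.
function renderSafe(q) {
  const e = escapeHtml(q);
  return `<input name="q" value="${e}">\n<p>Results for ${e}</p>`;
}

// Inspection helpers: tag names present in the markup, and attribute names on
// the first tag (the input, where the onmouseover payload would land).
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
}
function firstTagAttributes(html) {
  const tag = html.slice(0, html.indexOf('>') + 1);
  return [...tag.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map(m => m[1].toLowerCase());
}

// Headers from the prevention list: CSP that only allows scripts from the
// static subdomain, plus the legacy X-XSS-Protection header for old browsers.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src https://static.example.com; object-src 'none'",
    'X-XSS-Protection': '1; mode=block',
  };
}

const payloads = ['"><script>alert(document.domain)</script>', '" onmouseover="alert()'];
for (const p of payloads) {
  console.log('vulnerable:', tagNames(renderVulnerable(p)), firstTagAttributes(renderVulnerable(p)));
  console.log('safe:      ', tagNames(renderSafe(p)), firstTagAttributes(renderSafe(p)));
}
```

The vulnerable output gains a script tag for the first payload and an onmouseover attribute for the second; the hardened output keeps exactly the tags and attributes of the template.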
Read more about the X-XSS-Protection header here: X-XSS-Protection | MDN
Read more about CSP here: CSP | MDN
*This post is meant to give an overview for noobs and covers only XSS basics, but I'll try to write posts that cover more in the future.