Intro to XSS

Swetha
Aug 26, 2020

Cross Site Scripting (XSS)

Cross Site Scripting, otherwise called XSS, is a code injection attack in which an attacker injects malicious client-side code into a web application or web page so that the code executes in the victim's browser. The victim's browser has no way to know that the script is malicious and should not be trusted; it ends up executing the script because it is led to believe the script came from a trusted source. The malicious code then lets the attacker access any cookies, session tokens, and other sensitive information stored in the browser and used on that site.

XSS allows an attacker to compromise the interactions victims have with the web application. XSS might seem tame when you compare it with SQL injection and other vulnerabilities, but it can often be combined with other vulnerabilities to devastating effect. XSS is one of the most dangerous and most common vulnerabilities and is ranked #7 on the OWASP (Open Web Application Security Project) list as of 2020.

Typically the JavaScript code is entered into the input fields of the web page and executed, or the code is embedded in a URL and sent to the victim. A web page or web application is susceptible to XSS if it takes unsanitized user input and returns it in output that the victim's browser then interprets. XSS attacks can be carried out using VBScript, ActiveX, Flash and also CSS. However, they are most common in JavaScript, mainly because JavaScript is fundamental to most browsing experiences. JavaScript is the scripting language of HTML and the web, used to define the behavior of a web page.

Introduction to JavaScript

JavaScript is one of the most popular programming languages on earth and is used to add interactivity to web pages, process data, and create various applications. Programs in JS are called scripts; these scripts can be written inside a web page's HTML and run automatically as the page loads. JavaScript programs can be inserted into any part of an HTML document with the help of the <script> tag. Three common ways a script can output content are:

● console.log()

● document.write()

● alert()

Each of the above methods outputs content in a different way: document.write() writes content into the HTML document, console.log() is mainly used when debugging JavaScript code, and alert() displays an alert box with a specified message.

Let's look at a basic JS example.

Basic Payload

Here, the script pops up an alert box with the message 'Hello fellas'.

How does XSS work?

A typical server-side XSS attack involves three parties: the attacker, the target website and a victim whose browser is exploited.

Working of XSS

XSS vulnerabilities occur when:

● User input is not validated

● Browser output is not HTML encoded

Types of XSS

XSS can occur on the client side and also on the server side, and is generally divided into three categories depending on the context and the impact they create:

● DOM-based (Document Object Model XSS, or Type 0)

● Stored (Persistent XSS, or Type I)

● Reflected (Non-Persistent XSS, or Type II)

★ DOM XSS

A DOM-based XSS is possible if the web application's client-side code writes data to the Document Object Model without proper sanitization. When a client-side script is executed, it can read from and write to the DOM of the HTML page where the script runs, so untrusted data taken from the page or URL and written back into the DOM is executed without the server ever seeing it.

Working of DOM XSS

★ Stored XSS

Stored XSS, also known as persistent XSS, arises when a web application receives data from an untrusted source and includes that data in later HTTP responses. It occurs when the data entered by a user is stored on the application's server and then displayed to other users without being filtered or sanitized appropriately. Stored XSS vulnerabilities are generally more common in applications that allow interaction between end users. This flavor of XSS is the most critical of the three for many reasons: it is persistent, and the malicious code is executed every time a user visits the affected page and triggers the payload.

Working of Stored XSS

★ Reflected XSS

Reflected XSS occurs when the injected code is reflected off the server in the form of an error message, search result, or any other response that includes part of the request. Reflected XSS is the most common XSS vulnerability in today's web applications. Compared to stored XSS, reflected XSS is less dangerous, since the victim has to be induced to send the crafted request themselves.

Working of Reflected XSS

Example:

Reflected XSS

Payload:

testphp.vulnweb.com/listproducts.php?cat=<script>alert('you got XSSed')</script>

Stored XSS

Enter this payload into the name dialog box of the user info page and click on update.

Payload:

<script>alert(1)</script>

DOM XSS

Payload:

testphp.vulnweb.com/listproducts.php?cat=<script>alert(document.URL)</script>

Impacts of XSS

● Keylogging

● Cookie theft

● Phishing

● URL Redirection

● Capturing clipboard contents

● Stealing browser history and search queries

Prevention

❏ If you are a user,

➢ Use a client-side XSS filter, i.e., add-ons like

➔ NoScript (Firefox)

➔ the built-in XSS filter (IE ships one)

➔ the 'XSS Auditor' (Chrome)

➢ Turn off JavaScript

❏ If you are the web application's owner (or developer),

➢ Don't use user-provided data in an unencoded or unfiltered way; encode it for the context it is written into

➢ Use secure frameworks

➢ Use Content Security Policy, sandboxed iframes, …
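The two developer-side points above, output encoding and a Content Security Policy, applied to the reflected `listproducts.php?cat=` case and the DOM-based case from earlier, as an added example that is not code from the original post; the render functions, the CSP value and the review check are hypothetical illustrations.

```javascript
// Added example, not from the original post. Only the page and parameter
// names (listproducts.php, cat) come from the post; everything else is a
// hypothetical illustration of the defensive pattern.

// Encode the five characters that can break out of an HTML text or
// quoted-attribute context. Valid for those two contexts only; data
// placed inside a <script>, URL or CSS context needs its own encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the `cat` query parameter is echoed straight into
// the response, so the browser parses whatever the URL contained.
function renderProductsUnsafe(cat) {
  return `<h1>Products in category: ${cat}</h1>`;
}

// Hardened pattern: the same parameter is encoded first, so the browser
// renders it as text rather than as markup.
function renderProductsSafe(cat) {
  return `<h1>Products in category: ${escapeHtml(cat)}</h1>`;
}

// DOM-based case: writing URL-derived data with textContent instead of
// innerHTML or document.write() keeps it from being parsed as HTML.
// Works on a real DOM element or any object with a textContent property.
function setHeadingFromUrl(element, cat) {
  element.textContent = `Products in category: ${cat}`;
  return element.textContent;
}

// Second layer: a Content-Security-Policy value without 'unsafe-inline',
// so an injected inline <script> is refused even if encoding is missed.
const CSP_HEADER = "default-src 'self'; script-src 'self'";

// Review check: did any tag from the input survive into the output?
function inputTagSurvives(input, output) {
  const tags = input.match(/<[^>]+>/g) || [];
  return tags.some((t) => output.includes(t));
}

// Constructed sample modelled on the reflected payload shown in the post.
const SAMPLE = "<script>alert('you got XSSed')</script>";
console.log(inputTagSurvives(SAMPLE, renderProductsUnsafe(SAMPLE))); // true
console.log(inputTagSurvives(SAMPLE, renderProductsSafe(SAMPLE)));   // false
```

The same check can run in a unit test over every template that echoes request data, which catches a missed encoding before it reaches production.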
