Cross-Site Scripting
An injection attack in which attacker-controlled JavaScript is placed into a web application so that it executes in other users' browsers.
In XSS, the payload is the JavaScript code you want to run in the target's browser.
A payload has two parts
The intention - what you want the JavaScript to actually do
The modification - the changes needed to make the code execute in the place it is injected, since every injection context (element body, attribute, existing script) is different
Reflected XSS
Happens when user-supplied data in an HTTP request is included in the web page source without validation or output encoding
For example, if the application echoes an error parameter from the query string into the page without checking its contents, the attacker can place script in that parameter
Potential Impact
An attacker can send crafted links to potential victims, or embed the vulnerable page in an iframe on a site they control, so that the JavaScript payload runs in the victim's browser and reveals session or customer information
Testing for Reflected XSS
Parameters in the URL Query string
URL file path
HTTP headers (rarely reflected, but worth checking)
Testing for Stored XSS
Comments on a blog
User profile information
Website Listings
DOM Based XSS
The DOM (Document Object Model) is a programming interface for HTML and XML documents
Represents the page so that programs can change the document structure, style and content
Exploiting the DOM
JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code
Execution happens when the website's own JavaScript acts on attacker-controllable input (such as the URL fragment) or on user interaction
Potential Impact
Crafted links could be sent to potential victims, redirecting them to another site or stealing content from the page or the user's session
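Both the reflected case above (a server echoing a request parameter) and the DOM-based case (page script writing a URL fragment into a sink) come down to untrusted text concatenated into HTML. The block below is an added example, not code from the original page: the vulnerable and fixed forms of each, plus the canary check a tester uses to confirm reflection. The handler names, the `error` parameter, the hostnames and the canary string are assumed for illustration; the reflected handler stands in for an Express-style route and the DOM function stands in for an `innerHTML` assignment. Runs under Node.js (v14+), no browser or server needed.

```javascript
// Added example (not from the original page). Both the reflected and the
// DOM-based cases come down to untrusted text being concatenated into HTML,
// one on the server and one in the page's own script. Runs under Node.js
// (v14+); no browser or web server needed. Hostnames and names are assumed.

// Minimal HTML escaping for text placed in an element body or a double-quoted
// attribute. Sufficient for this demo; prefer a maintained library in production.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// ---- Reflected XSS: the server echoes a request parameter into the response ----
// `query` stands in for a parsed query string (e.g. Express's req.query).
// The vulnerable handler does exactly what the page describes: it copies the
// `error` parameter into the page source without validation or encoding.
function renderErrorPageVulnerable(query) {
  const msg = query.error ?? "";
  return `<html><body><p class="error">${msg}</p></body></html>`;
}

// Fixed handler: the parameter is still reflected, but only as text.
function renderErrorPageSafe(query) {
  const msg = escapeHtml(query.error ?? "");
  return `<html><body><p class="error">${msg}</p></body></html>`;
}

// Tester's first check: send a unique canary wrapped in angle brackets and see
// whether it comes back unencoded. A hit marks the parameter as a candidate;
// the real payload is then shaped to the surrounding HTML context.
function reflectsUnencoded(responseBody, canary) {
  return responseBody.includes(`<${canary}>`);
}

// ---- DOM-based XSS: page script reads a source and writes a sink ----
// What the browser actually puts in the HTTP request line. The fragment is
// not part of it, so server-side logs and filters never see the payload.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Stand-in for page code such as:
//   el.innerHTML = "Welcome " + decodeURIComponent(location.hash.slice(1));
// Returns the string the chosen sink receives. With innerHTML the browser
// parses it as markup, so an <img onerror=...> in the fragment becomes a live
// element with a handler; textContent treats the same string as a text node,
// which is equivalent to inserting the escaped form produced here.
function greetingFromFragment(urlString, sink) {
  const name = decodeURIComponent(new URL(urlString).hash.slice(1));
  switch (sink) {
    case "innerHTML":   return "Welcome " + name;
    case "textContent": return "Welcome " + escapeHtml(name);
    default: throw new Error("unknown sink: " + sink);
  }
}

// Constructed inputs: a reflected probe and a DOM-based payload URL.
function demo() {
  const probe = { error: "<xss7f3a>" };
  const domUrl = "https://victim.example/profile#<img src=x onerror=alert(document.cookie)>";
  return {
    vulnerableReflects: reflectsUnencoded(renderErrorPageVulnerable(probe), "xss7f3a"),
    safeReflects: reflectsUnencoded(renderErrorPageSafe(probe), "xss7f3a"),
    requestLine: requestTarget(domUrl),
    unsafeSink: greetingFromFragment(domUrl, "innerHTML"),
    safeSink: greetingFromFragment(domUrl, "textContent"),
  };
}
```

`requestTarget` is the part worth remembering when testing DOM-based XSS: because the fragment stays in the browser, a server-side WAF, access log or reflected-parameter scan will not see it, so the sink has to be found by reading the page's JavaScript.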
Blind XSS
Similar to Stored XSS: the payload is stored on the website for another user to view, but in this case you cannot see the payload working or test it against yourself first
Potential Impact
The attacker's JavaScript could make calls back to a site the attacker controls, revealing the URL of the internal (staff) portal where it fired, the cookies readable by script, and even the contents of the portal page being viewed
The attacker could then hijack the staff member's session and gain access to the private portal
Testing for Blind XSS
Ensure the payload makes a callback (an HTTP request to a server you control) so you know when, and from which page, your code executed
Tools such as XSS Hunter provide the callback endpoint and collect the reported data
Session Stealing
Targets details of a user's session, things like login tokens
A typical payload reads the target's cookies, base64-encodes them and then sends them to a site under the attacker's control, where they are logged
Once the attacker has the cookies, they can replay them to take over the target's session and act as that user (unless the session cookie is marked HttpOnly, in which case document.cookie does not expose it)