Security Blogs

Uncategorized

Basics of Cross-Site Scripting (XSS)

Cross-site Scripting, or XSS, is a type of computer vulnerability that is commonly found in web applications, that allows an attacker to inject malicious client-side scripts into web-pages that get executed when other users visit that page.

XSS attacks occur when an attacker uses a web application to send a malicious code, or browser script, to a multiple end-users. XSS attack vectors are usually inserted in input fields.

A typical attack vector used to test XSS is:

<script>alert('1')</script>

Types of Cross-Site Scripting Attacks:

Generally, there are three types of XSS attacks:

  1. Reflected Cross-site Scripting
  2. Stored Cross-Site Scripting
  3. DOM-based Cross-site Scripting
1. Reflected XSS:

In this variant of XSS, the attacker injects the malicious browser script and it gets executed instantly on the client-side, in the form of a pop-up message box. The returned response can be a search result, error message, and so on.

2. Stored XSS:

In the case of Stored XSS, the malicious browser script may not execute instantly, instead it gets stored on the target server, and whenever that webpage is loaded or refreshed, each time the script gets executed.

3. DOM-based XSS:

The DOM, or the Document Object Model, is a programming API for HTML and XML documents. It defines the logical structure of documents and how a document is accessed, handled or manipulated. DOM-based XSS revolves around these Object Models.

DOM-based XSS is an XSS attack where the attack vector is executed as a result of modifying the DOM environment in the victim’s browser used by the actual client-side script, resulting the client-side code to run in an unexpected manner. Simply put, DOM-based XSS attacks occur when the entire flow of malicious data takes place within the victim’s browser.

How Cross-Site Scripting works:

The attacker injects a payload into a target website’s database by submitting the vulnerable input field with the malicious JavaScript code. Then he uses social engineering or phishing to get the victim to request that web page. The web server serves the victim’s browser with the page that had the attacker’s payload as part of the source code of the web page. The victim’s browser executes the malicious script. The attacker retrieves the desired output from the received HTTP request on the web server.

The image below shows the execution of an XSS attack to steal a user’s cookie:

Anatomy of an XSS attack

Example Scenario:

User input reflected on web page

In the image below, the query parameter is reflecting back my input (hello), both in the URL and on the web-page itself, so it might be vulnerable to XSS.

Upon injecting the above-mentioned JavaScript code, I get a pop-up confirming that the site is vulnerable to XSS.

XSS exploited

What happened here is, the webpage took my malicious script as a legitimate piece of code, and executed the function of alert that I had put it in there, resulting in a pop-up message box as the response.

Mitigations (Preventions for an XSS Attack):

  • Escaping User Input
  • Sanitizing User Input
  • Validating User Input
  • Using Security Headers; like X-XSS-Protection.

Leave a Reply

Your email address will not be published. Required fields are marked *