5.3.1 XSS Anatomy
Last updated
Last updated
Cross-Site Scripting (XSS) constitutes a client-side web vulnerability enabling attackers to embed malicious scripts into web pages.
This vulnerability often arises from inadequate input sanitization/validation within web applications.
Attackers exploit XSS vulnerabilities to insert harmful code into web applications. Given that XSS is a client-side vulnerability, these scripts execute within the victim's browser.
XSS vulnerabilities impact web applications deficient in input validation and reliant on client-side scripting languages such as JavaScript, Flash, CSS, etc.
XSS vulnerabilities and attacks are commonly categorized into two main types: stored/persistent and reflected.
Typically, XSS attacks serve various purposes, such as:
Cookie stealing/Session hijacking: This involves acquiring cookies from users logged into authenticated sessions, thereby gaining unauthorized access as other users using the authentication information stored within a cookie.
Browser exploitation: Exploiting vulnerabilities present within the browser itself.
Keylogging: Recording keystrokes made by users while interacting with a web application.
Phishing: Embedding fraudulent login forms into web pages to deceive users into disclosing their credentials.
A typical test to check for an XSS vulnerability is to insert JavaScript payload code in a form as:
but of course, there are various input sanitisation techniques on current websites, so it is recommended to try the payloads on the github below. (if it doesn't work use UPPER_CASE).
The three common tipology of XSS are:
Stored XSS attacks transpire when the attacker inserts malevolent code into a web application's database or storage system, such as a comment section or user profile field. Subsequently, all users who access the affected page are served the malicious code, irrespective of their session or browser state.
Reflected XSS attacks unfold through the injection of malicious code into input fields of a web application, such as search boxes, forms, or URLs. The injected input is then reflected back to the user, often in the guise of an error message, search results, or page redirection. Upon interaction, such as clicking a link or submitting a form, the malicious code is executed within the victim's browser.
DOM-Based XSS attacks arise when vulnerable code exists within the Document Object Model (DOM) of a web page. The attacker exploits weaknesses in the web application's JavaScript code to manipulate script variables' values and introduce malicious code into the DOM. Upon loading the web page, the victim's browser executes the embedded malicious code.
