4.1 XSS Anatomy
Last updated
Last updated
Cross-Site Scripting (XSS) constitutes a client-side web vulnerability enabling attackers to embed malicious scripts into web pages.
This vulnerability often arises from inadequate input sanitization/validation within web applications.
Attackers exploit XSS vulnerabilities to insert harmful code into web applications. Given that XSS is a client-side vulnerability, these scripts execute within the victim's browser.
XSS vulnerabilities impact web applications deficient in input validation and reliant on client-side scripting languages such as JavaScript, Flash, CSS, etc.
XSS vulnerabilities and attacks are commonly categorized into two main types: stored/persistent and reflected.
Typically, XSS attacks serve various purposes, such as:
Cookie stealing/Session hijacking: This involves acquiring cookies from users logged into authenticated sessions, thereby gaining unauthorized access as other users using the authentication information stored within a cookie.
Browser exploitation: Exploiting vulnerabilities present within the browser itself.
Keylogging: Recording keystrokes made by users while interacting with a web application.
Phishing: Embedding fraudulent login forms into web pages to deceive users into disclosing their credentials.
A typical test to check for an XSS vulnerability is to insert JavaScript payload code in a form as:
but of course, there are various input sanitisation techniques on current websites, so it is recommended to try the payloads on the github below. (if it doesn't work use UPPER_CASE).
The three common tipology of XSS are:
Stored XSS attacks transpire when the attacker inserts malevolent code into a web application's database or storage system, such as a comment section or user profile field. Subsequently, all users who access the affected page are served the malicious code, irrespective of their session or browser state.
Reflected XSS attacks unfold through the injection of malicious code into input fields of a web application, such as search boxes, forms, or URLs. The injected input is then reflected back to the user, often in the guise of an error message, search results, or page redirection. Upon interaction, such as clicking a link or submitting a form, the malicious code is executed within the victim's browser.
DOM-Based XSS attacks arise when vulnerable code exists within the Document Object Model (DOM) of a web page. The attacker exploits weaknesses in the web application's JavaScript code to manipulate script variables' values and introduce malicious code into the DOM. Upon loading the web page, the victim's browser executes the embedded malicious code.
JavaScript is a high-level, interpreted programming language primarily used for web development. It is an essential technology for creating interactive and dynamic web pages. Here are some key points about JavaScript:
Client-Side Scripting: JavaScript is mainly used as a client-side scripting language, meaning it runs in the user's web browser. It allows developers to add interactivity, manipulate the content of web pages, respond to user actions, and dynamically update the page without reloading.
Cross-platform Compatibility: JavaScript is supported by all modern web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, and others. This makes it a versatile language for creating web applications that work across different platforms and devices.
Dynamic and Weakly Typed: JavaScript is dynamically typed, meaning variable types are determined at runtime rather than compile time. It's also weakly typed, allowing for flexible type conversions. This flexibility can lead to more concise code but also requires careful handling to avoid unexpected behavior.
Event-Driven Programming: JavaScript uses an event-driven programming model, where functions are executed in response to events such as user actions (e.g., clicks, mouse movements, keypresses) or changes in the browser environment (e.g., page load, form submission).
Support for Object-Oriented and Functional Programming: JavaScript supports both object-oriented and functional programming paradigms. It allows for the creation of objects using constructors and prototypes and also provides first-class functions, closures, and higher-order functions for functional programming techniques.