Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of security vulnerability commonly found in web applications. It occurs when an attacker is able to inject malicious scripts into web pages viewed by other users. These scripts can then execute in the browsers of those users, potentially allowing the attacker to steal information, take control of user sessions, or perform other malicious actions. XSS attacks can be prevented by properly validating and sanitizing user input on websites.

The most common

Types of XSS

There are three main types of XSS vulnerabilities:

Type

Description

Stored (Persistent) XSS

The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval (e.g., posts or comments)

Reflected (Non-Persistent) XSS

Occurs when user input is displayed on the page after being processed by the backend server, but without being stored (e.g., search result or error message)

DOM-based XSS

Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags)

XSS Testing Payloads

To test whether an applications is vulnerable to a XSS attack, we can use the following payloads:

<script>alert(window.origin)</script>

<script>alert(document.domain)</script>

This will tell us where the code is being run. For example a very popular event is just using alert(1),it's simple and very visual, but it doesn't actually tell us where the script is being executed.

XSS cheat sheets:

Payload all the things

PortSwigger XSS cheat sheet

DOM XSS

DOM-based Cross-Site Scripting (XSS) is a type of web vulnerability where the attack payload is executed as a result of modifying the Document Object Model (DOM) in a web page. Unlike other types of XSS attacks that involve server-side scripts, DOM XSS is completely processed on the client-side through JavaScript. This vulnerability arises when client-side scripts dynamically update the DOM based on user input without proper validation, allowing an attacker to inject malicious scripts that are then executed in the context of the victim's browser.

Source & Sink

In the context of DOM-based Cross-Site Scripting (XSS), a source is where user-controllable data enters the application, and a sink is where this data is used in a potentially unsafe way, leading to a security vulnerability.

Sources in DOM-based XSS include locations where user input or untrusted data is reflected in the DOM, such as URL parameters, document.location, document.referrer, document.cookie, etc.

Sinks are places in the application where the data from sources is used in a way that can be exploited by an attacker to execute malicious scripts. Sinks can include functions like eval(), innerHTML, document.write(), etc.

To prevent DOM-based XSS attacks, it's important to properly sanitize and validate user input before it is used in sinks to ensure that it does not contain malicious scripts.

XSS Discovery

We can use automated the discovery process with open-stools like XSS Strike:

git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py

And then we just run the tool:

python xsstrike.py -u "http://www.example.com:PORT/index.php?menu=test"

PreviousCode Analysis NextXSS Attacks

Last updated 1 year ago