=

Cross-site Scripting (XSS) - Detailed

Table of Contents

    1. Introduction

    Cross-site scripting is a client side injection vulnerability, which allows an attacker to inject their own malicious js code in web application code then execute those scripts in the browser of other users.

    2. Types of Cross-site Scripting

    Nowadays a xss can be classified into 4 types :

    2.1 Reflected XSS (Non-Persistent)

    In this type of XSS, the xss payload got injected inside the request and server reflect that payload back in response. Payload doesn't get stored anywhere only get reflected back by the server in response.

    Example workflow

    • There is a search functionality which takes input from user and response back with the result, having a heading like "search result for 'user_input'"

      Request url https://example.com/search?query=cat

      Response body <h3>Search results for Cat</h3>

    • After using xss payload <script>alert('XSS')</script> as search input, it would be like

      Request url https://example.com/search?query=<script>alert('XSS')</script>

      Response body <h3>Search results for <script>alert('XSS')</script></h3>

    • When reflected response with our injected js reached to the browser, browser treat it like a script tag and our js would be executed.

    2.2 Stored XSS (Persistent)

    In this type of XSS, the XSS payload get injected to such a place which is stored by the backend for further uses. For example : comments. Payload get stored inside the database/backend and distributed & executed on the each users browser who render that comment.
    It is more dangerous because a single stored payload can be executed on multiple users, everyone who receive that injected response.

    Example workflow

    • There is a comment functionality in the blogpost. Where a user can do comments and anyone who opens that blogpost can see the comment.
    • An attacker, instead of writing simple comment, he wrote a xss payload like : <script>alert('XSS')</script> inside the comment. Backend stores that comment as user provides along with the blogpost.
    • Now every time when someone requests for that blogpost he will get the payload inside the comment along with the response of blogpost

    2.3 DOM based XSS

    Dom based XSS totally works on client side environment, where the DOM (assume dom as webpage) processes the user input and updates the dom. All the processing/updating works happens on client browser, there is no need of any interaction with backend.

    While dealing with dom based xss you will encounter with 2 word "Source" and "Sink". Lets understand these.

    • Source : The place where payload injected. In below example source would be the url parameter.
    • Sink : Sink is the actual place who execute the payload. In below example sink is .innerHTML

    Example workflow

    • There is a section who shows the current section by extracting the value after # from the url. It extract the value and update the element with that value.
      DOM XSS html
      <div id="output"></div>
      <script>
        // takes whatever is after the # in the URL and writes it into the page
        const output = document.getElementById('output');
        output.innerHTML = location.hash.substring(1); // <-- vulnerable
      </script>
      
    • An attacker can easily replace the values after # in the url with the payload <script>alert('XSS')</script>, and tricks you to open the url.
    • The moment when you will open the url in your browser, the payload will be executed, because the payload is directly inserted in the code.

    2.4 Blind XSS

    Blind XSS is a type of xss which works similar to the stored but it doesn't send any response with the inserted payload. In Blind XSS, xss payload get stored on backend/database and can only be seen by the users having access, and when they loads that data into their browser, payload get executed. Let understand it by example :

    Example workflow

    • There is a webpage having a feedback form init. Where any user can submit the feedback and only the admin user can see the feedbacks.
    • Attacker injected their payload inside the form and submitted. When the admin user open the feedback section to see all the feedback form, after that when the feedback submitted by the attacker get loaded then payload would be executed on the browser of admin user.

    3. Find Context

    Context is the actual place where the input (payload) ends up. For example it can be :

    HTML Context <p>Hello, USER_INPUT</p>

    HTML Attribute Context <img src="USER_INPUT">

    JavaScript Context <script>var name = "USER_INPUT";</script>

    Lets find the context :
    • First fill your payload in every possible places, like: input boxes, url parameters, etc.
    • Press enter or submit the form so that payload get inserted on it's given place.
    • Right click and click on inspect element or just press f12
    • You will see the elements. Now press ctrl + f, a search functionality will appear. Enter some parts of your payload and search it.
    • Now you will get the context by matching results. It can be multiple.
    Always use edit as html on the context to get the exact context because in element section of webpage some browser doesn't show the encoded value.

    3.1 Context vs Sink

    Context is the last place where payload ends. And Sink is the actual functionality who execute the payload. In below example javascript string is context and the eval() is the sink

    Context/sink html
    <script>
      var userInput = "USER_INPUT";  // context: inside JS string
      eval(userInput);               // sink: eval executes JS code
    </script>
    

    4. Methodology

    Now we have to learn the steps which are generally used to exploit xss. You can use following steps to reduce your time and efforts

    • Reconnaissance Identify pages that accept user input (forms, search, comments, profile, URL parameters, headers, file uploads, hash/fragment)
    • Input Mapping Check all input points of each pages. Use some sample data to find the reflection point (context)
    • Basic Injection Checks Use basic payloads to check that how it process the input.
    • Payload Crafting Based on above information, create a payload that bypasses the checks and other things.
    • Ethical Create a proof of concept and submit it to officials. Don't use harmful payloads.

    5. Mitigation

    To prevent your website from xss, you have to implement some security measurements which are following :

    • Encode/escape output according to the context (html encode, js-encode, css-encode, attribute encode etc)
    • Use correct input validation and use whitelists, avoid blacklists
    • Implement content security policy with proper restrictions.
    • Use templating that your framework provides.
    • Do not insert untrusted data directly into webpage.

    Frequently Asked Questions

    What is Cross-site Scripting (XSS)?

    Cross-site scripting is a client-side injection vulnerability that allows an attacker to inject their own malicious JavaScript code into a web application, which can then be executed in the browser of other users.

    What are the different types of XSS attacks?

    The four main types of XSS attacks are: 1) Reflected XSS (Non-Persistent), 2) Stored XSS (Persistent), 3) DOM-based XSS, and 4) Blind XSS.

    How can you find the context of an XSS vulnerability?

    The context refers to the actual place where the user input (payload) ends up, such as HTML, HTML attributes, or JavaScript. Identifying the context is important to determine the appropriate mitigation techniques.

    What is the difference between Reflected XSS and Stored XSS?

    Reflected XSS occurs when the payload is injected into the request and reflected back in the response, while Stored XSS happens when the payload is stored on the server and executed on the client-side when the data is retrieved.

    How does DOM-based XSS work?

    DOM-based XSS is a client-side vulnerability where the user input is processed and used to update the Document Object Model (DOM) without proper sanitization, allowing the injection of malicious scripts.

    What is Blind XSS and how is it different from other XSS types?

    Blind XSS is similar to Stored XSS, but the payload is not immediately visible in the response. Instead, the payload is stored on the server and executed when an authorized user accesses the affected page.

    Why is identifying the context important in XSS vulnerabilities?

    Identifying the context, such as HTML, HTML attributes, or JavaScript, is crucial because it determines the appropriate mitigation techniques and the type of encoding or sanitization required to prevent the XSS attack.

    What are the key steps in the methodology for exploiting an XSS vulnerability?

    The typical methodology for exploiting an XSS vulnerability involves: 1) Identifying the input field, 2) Crafting the payload, 3) Testing the payload, and 4) Refining the payload if necessary to bypass any security measures.

    What are the steps to exploit an XSS vulnerability?

    The methodology for exploiting an XSS vulnerability typically involves the following steps: 1) Identify the input field, 2) Craft the payload, 3) Test the payload, and 4) Refine the payload if necessary.

    How can you mitigate XSS vulnerabilities?

    To prevent XSS vulnerabilities, you should implement security measures such as input validation, output encoding, and the use of a Content Security Policy (CSP).

    (If you have any type of query / Question / suggestion .. feel free to ask below. We would be happy to connect you. Have a great day buddy!!)