Cross-Site Scripting (XSS)
XSS vulnerabilities are executed solely on the client side and, therefore, do not directly affect the back-end server. There are three main types of XSS:
Stored (Persistent) XSS: This occurs when the input is stored in the backend (e.g., in a database). It is considered the most critical type, as seen in comments and posts.
Reflected (Non-Persistent) XSS: This occurs when the input is reflected but not saved to the backend, such as in a search query.
DOM-based XSS: This is another non-persistent type where input is processed on the client side through JavaScript and never reaches the backend.
There are many automated tools to identify XSS vulnerabilities, such as XSS Strike, Brute XSS, and XSSer.
XSS can be injected into any input in an HTML page; this is not limited to HTML input fields but may also include HTTP headers like the Cookie or User-Agent when their values are displayed on the page.
XSS Attacks
Defacing
Defacing a website means changing its appearance for anyone who visits the website. Stored XSS vulnerabilities are commonly used for this purpose.
Defacing Elements:
Background Color
document.body.style.background
Background
document.body.background
Page Title
document.title
Page Text
DOM.innerHTML
Phishing
To perform an XSS phishing attack, inject HTML code that displays a login form on the targeted page. This form should send the login information to a server where you are listening.
Example
To write HTML code to the vulnerable page, use the JavaScript function document.write(). Then, remove other elements from the page using document.getElementById().remove(). The final payload to be added to the URL might look like this:
After sending the URL with the payload to your target, open a web server on your machine to capture the credentials using:
sudo nc -lvnp 80
Netcat is basic and does not redirect the user, which might raise suspicion. A better approach is to use a simple PHP server to redirect the user after logging in.
Example PHP code:
Then run the server:
Session Hijacking
Session hijacking can be carried out using a Blind XSS. A Blind XSS vulnerability occurs when the vulnerability is triggered on a page we don't have access to.
For example, consider a registration form used by users where they don't see the response but are informed that the data will be validated by the admin. In this case, we can't test for XSS in the same way as DOM-based XSS, making detection harder.
To identify which input field is vulnerable, we use different scripts for different fields:
If we receive a request, it indicates that the corresponding field is vulnerable. For example, a request for the username suggests the username field is vulnerable.
In HTML, JavaScript code can be written within tags, or we can include a remote script by providing its URL:
After identifying the vulnerable input field, use a payload to capture the cookie. Example payloads:
After choosing a payload, we add it to our script.js file, and based on this specific payload, we need to include code in the index.php file. Example index.php code:
The final payload will be:
Securing Against Command Injection
As with other injection attacks, protect against XSS by using both input validation and sanitization on the front-end and back-end.
Beyond input validation and sanitization, ensure that user input is never used directly within certain HTML tags, such as JavaScript code, CSS style code, or HTML comments. Additionally, avoid using JavaScript functions that allow changing raw HTML, like
DOM.innerHTML
anddocument.write()
.Another important step is output encoding on the back-end. Encode any special characters into their HTML codes, which is especially useful when displaying user input without introducing an XSS vulnerability.
Finally, harden the back-end server by using HTTPS across the entire domain, implementing XSS prevention headers, and setting the HttpOnly and Secure cookie flags.
Last updated