Cross-site scripting also known as XSS is a vulnerability found usually in Web Applications. This vulnerability allows an attacker to upload and execute malicious code on a victim’s machine. It is a very high severity level attack. Developers don’t be ignorant, sharpen your craft!!
Photo by Ante Hamersmit on Unsplash
JavaScript is dangerous because it lets you do anything on a webpage.
Here is a report by VICE on the famous SAMY KAMKAR:
[The MySpace Worm that Changed the Internet Forever
Illustration: Shaye Anderson Ten years ago, a few lines of code gave a hacker one million friends, and a visit from the…vice.com](https://www.vice.com/en/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever "vice.com/en/article/wnjwb4/the-myspace-worm..")
In short, XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. XSS vulnerabilities may occur if:
- Input coming into web applications is not validated
- Output to the browser is not HTML encoded
XSS is possible in Javascript, VBScript, Flash and CSS. There are three main types of cross-site scripting:
- Stored XSS — the most dangerous type of XSS. This is where a malicious string originates from the website’s database. This often happens when a website allows user input that is not sanitised (remove the “bad parts” of a users input) when inserted into the database.
Occurs when untrusted or unverified user input is stored on a target server. Common targets for persistent XSS include message forums, comment fields, or visitor logs — any feature where other users, either authenticated or non-authenticated, will view the attacker’s malicious content. Publicly visible profile pages, like those common on social media sites and membership groups, are one good example of a desirable target for persistent XSS. The attacker may enter malicious scripts in the profile boxes, and when other users visit the profile, their browser will execute the code automatically.
Stored XSS
- Reflected XSS/Non-persistent XSS — the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.To exploit a reflective XSS, an attacker must trick the user into sending data to the target site, which is often done by tricking the user into clicking a maliciously crafted link. In many cases, reflective XSS attacks rely on phishing emails or shortened or otherwise obscured URLs sent to the targeted user. When the victim visits the link, the script automatically executes in their browser. Search results and error message pages are two common targets for reflected XSS.
Reflected XSS
- DOM-Based XSS — DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document and this document can be either displayed in the browser window or as the HTML source. Also called client-side XSS, has some similarity to reflected XSS as it is often delivered through a malicious URL that contains a damaging script. However, rather than including the payload in the HTTP response of a trusted site, the attack is executed entirely in the browser by modifying the DOM. This targets the failure of legitimate JavaScript already on the page to properly sanitize user input.
XSS Payloads
Remember, cross-site scripting is a vulnerability that can be exploited to execute malicious Javascript on a victim’s machine. Check out some common payloads types used:
- Popup’s () — Creates a Hello World message popup on a users browser.
- Writing HTML (document.write) — Override the website’s HTML to add your own (essentially defacing the entire page).
- XSS Keylogger
http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html — You can log all keystrokes of a user, capturing their password and other sensitive information they type into the webpage.
- Port scanning
http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html — A mini local port scanner
XSS-Payloads.com http://www.xss-payloads.com/ is a website that has XSS related Payloads, Tools, Documentation and more. You can download XSS payloads that take snapshots from a webcam or even get a more capable port and network scanner.
Impact of Cross-Site Scripting
When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread web worms or access the user’s computer and view the user’s browser history or control the browser remotely. After gaining control to the victim’s system, attackers can also analyze and use other intranet applications.
By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:
- Hijack an account.
- Spread web worms.
- Access browser history and clipboard contents.
- Control the browser remotely.
- Scan and exploit intranet appliances and applications.