XSS(Cross Site Scripting) : The Known Vulnerability
Hello Everyone, in this blog we are going to learn all about XSS( cross site scripting) attack.This is well known and most comman vulnerability found in web application . In this we cover what is xss , types of xss : Reflected Xss , Stored Xss , DOM-Based Xss , Practical of all types of xss , Payloads to bypass the xss, Prevention from xss attack and much more . Let start…
XSS ( Cross Site Scripting ) is a client side attack and it is a type of an Injection attack . In OWASP top 10 it holds third position (A3) since 2010 and still remain same . Xss is a attack in which attacker inject a malicious script in the input field or in a url of any web page or web application then this type of vulnerability is known as cross site script ( XSS ) . In this attack the scripting language is used is java script which included into the html page with the script tag for eg :- <script> This is java script code </script>. The highest impact of this attack is stealing cookie ( which means the theft of th active session of any web page without any authentication) and Sometime by chaning the vulnerability we get RCE ( Remote Code Execution).
The Flow of XSS Attack :
The flow of xss attack is complete in the following five steps .
Step : I
Attacker make a url which contains malicious script which steal sensitive data of the user who open this link . Send this url to the user through social engineering attack. ( ATTACKER → USER )
Step : II
Attackers social engineering is perfect , user traped into it and open the malicious link , when he open the url it make a request to the webserver to load the url . ( USER → WEB-SERVER )
Step : III
Web server include the malicious script in its response to the user . ( WEB-SERVER → USER )
Step : IV
Now user browser store the malicious script in the response of the webserver as a trusted response and execute it. ( USER’S BROWSER)
Step : V
Whenever browser execute the malacious script of the attacker , sensetive information of the user is sent to the attackers server . ( USER-BROWSER → ATTACKER)
In this way the whole process of the cross site script attack takes place .
Types of Xss Attack :
There are three types of Xss attack
- Reflected Xss
- Stored Xss
- DOM-Based Xss
1. Reflected Xss
→ Introduction :
Reflected xss is one of the simplest attack . Its clear from the name that it reflect something. In reflected xss there is a input section in the web page in which user input something and all the content that user enter is reflects on the web page ( means visible on the web page ) .
In above exapmle I entered my name which is reflected back.
→ Exploiting Reflected Xss :
Following steps are taken to exploit reflected xss
- User login to the application.
- Attacker give a malicious url to the user.
- User requests the malicious url to the web server.
- Server respond with the attackers java script.
- Attackers java script execute’s in user’s browser.
- User browser sends cookies and tokens to the attacker.
- Session of the user is hijacks by the attacker using the cookies and token.
→ Examples and Payloads To Bypass Reflected Xss
We have web page which is vulnerable to reflected xss we use all the condition from low to high level on the same web page .
- Security : low
To bypass this we use following payload , this payload pop a aleart message if it execute successfully.
→ Payload : <script>alert(“HACKED”)</script>
Inject a script to bypass xss .
Script successfully inject and Bypass the xss.
- Security : Medium
→ Payload : <Script>alert(“Hacked Medium Level”)</Script>
Sussessfully Bypass Medium Level By using the above payload.
In the code of this medium level <script> this tage is blocked and we simply use the uppercase S ( you can change any letter ) in script tag to bypass this security.
- Security : High
→ Payload : <img src=x onerror=alert(“HACKED”)>
In this script tag is blocked in both cases thats why we use image tag to bypass this security.
2. Stored Xss
Stored Xss is most dangerous vulnerability . In stored xss web page stores the the data into the database for the later use without any validation and input sanitization which leads to store the malicious script into the database which is inserted by the Attacker. By this vulnerability all the user are affected who access to that stored data which was inserted by the attacker as a result attacker successfull in its intensions and hijack the sessions of all the users who access that data.
This is an example of stored xss which stores the messages from DVWA.
→ Exploiting Stored Xss :
Following steps are taken to exploit reflected xss
- Attacker Post or Submit malicious script to the application
- User login to the application.
- User view the attacker’s post or comments.
- Server respond with the attackers java script.
- Attackers java script execute’s in user’s browser.
- User browser sends cookies and tokens to the attacker.
- Session of the user is hijacks by the attacker using the cookies and token.
→ Examples and Payloads To Bypass Stored Xss
We have web page from DVWA which is vulnerable to stored xss we use all the condition from low to high level on the same web page .
- Security : Low
Insert payload in message section.
→Payload :- <script>alert(“HACKED”)</script>
Successfully bypass , all the time when user visite to this site it will pop up the alert window.
- Security : Medium
In medium level we have to inseart payload in name section but in the code the max value of name is only 10 so we have to edit the code from the inspect element section and change it to 100 .
Insert payload in Name section .
→Payload : <script>alert(“HACKED”)</script>
Successfully bypassed when we extend the length of name section.
- Security : High
In this also we have to inseart payload on name section , so again we have to increase the length of the name section .
→ Payload :
<svg/onload=alert("HACKED")>
3. DOM-Based Xss
we will discuss dom-based xss in the second part of the xss blog in detail.
Prevention methods from xss
- Never Insert Untrusted Data Except in Allowed Locations.
- HTML Encode Before Inserting Untrusted Data into HTML Element Content.
- Attribute Encode Before Inserting Untrusted Data into HTML Common Attributes.
- JavaScript Encode Before Inserting Untrusted Data into JavaScript Data Values.
- URL Encode Before Inserting Untrusted Data into HTML URL Parameter Values.
- Sanitize HTML Markup with a Library Designed for the Job.
- Avoid JavaScript URLs.
- Use HTTPOnly cookie flag.
- Implement Content Security Policy.
- Properly use modern JS frameworks.
Thank You for reading this blog.
If you have any Doubt regarding this then feel free to contact with me
You can follow me on linkedin and twitter