CYBER SECURITY

LAB 05: Cross-Site Scripting (XSS)

What Can XSS Be Used For?

Javascript

Reflected XSS

Stored XSS

DOM-Based XSS

Impact of XSS Vulnerabilities

Preventing XSS Vulnerabilities

Hands-On 1, 2, 3
Cross-Site
Scripting
(XSS)
Cross-Site Scripting (XSS)
● Cross-Site scripting (XSS) is a client-side web vulnerability that
allows tackers to inject malicious scripts into web pages.
● This vulnerability is typically caused by a lack of input
sanitization/validation in web applications.
● Attackers leverage XSS vulnerabilities to inject malicious code into
web applications. Because XSS is a client-side vulnerability, these
scripts are executed by the victim's browser.
● XSS vulnerabilities affect web applications that lack input validation
and leverage client-side scripting languages like Javascript, Flash,
CSS etc.
Types of XSS
● XSS vulnerabilities/attacks are typically sorted into three main
categories: stored/persistent, reflected and DOM-based.
o Reflected XSS arises when the application directly reflects client-supplied
input in the response of the request in an unsafe way.
o Stored XSS arises when the application stores client supplied input in an
unsafe way and includes the input in later responses.
o DOM-based XSS arises when JavaScript takes data from client-supplied
input, and passes it to a sink that supports dynamic code execution in
the DOM.
What Can XSS Be Used For?
● XSS attacks are typically exploited for the following objectives:
o Cookie stealing/Session hijacking - Stealing cookies from users with
authenticated sessions, allowing you to login as other users by
leveraging the authentication information contained within a cookie.
o Browser exploitation - Exploitation of browser vulnerabilities.
o Keylogging - Logging keyboard entries made by other users on a web
application.
o Phishing - Injecting fake login forms into a webpage to capture
credentials
.… and many more.
Javascript
● Javascript is a high-level client side scripting language that is commonly
used to develop dynamic and interactive web pages and web
applications.
● Why use Javascript? It can be used to add user interactivity to web
pages in the form of animations, form validation etc.
● Javascript is executed by web browsers and can interact with the
Document Object Model (DOM) to manipulate web page content as well
as server-side resources to request data and perform other tasks.
● While the notion of executing Javascript in your browser may seem
dangerous, browsers execute Javascript in a low privileged browser
sandbox in user space.
● It is also important to note that Javascript is case sensitive and browsers
will execute JS code sequentially as it encounters it. That means that
when included as part of a webpage it will be executed based on it’s
relative position within the code.
Introductio
n to
Reflected
XSS
Reflected XSS
● Reflected/non-persistent cross-site scripting is the most common
form of XSS and involves tricking a victim into clicking a specially
crafted link (with an XSS payload) to the vulnerable website.
● When the victim clicks on the link the website includes the XSS
payload as part of the response back to the victim’s browser, where
the payload is executed.
Reflected XSS
XSS - Reflected (GET)
● Step 1: Give your choice inputs in the FirstName and LastName text field and check the
url.
● Step 2: Give the below input in the FirstName and LastName text fields:
<script> alert(document.cookie) </script>
<script> alert(“XSS") </script>
● Step 3: Click on Go and check the results.
Introductio
n to
Stored XSS
Stored XSS
● Stored/persistent cross-site scripting is a vulnerability where an
attacker is able to inject Javascript code into a web application’s
database or source code via an input that is not sanitized.
● For example, if an attacker is able to inject a malicious XSS payload
in to a webpage on a website without proper sanitization, the XSS
payload injected in to the webpage will be executed by the browser
of anyone that visits that webpage.
Stored XSS
XSS - Stored (Blog)
● Step 1: Give input of your choice, ensure the add check box is selected and
click on submit. You will notice your entry has been added.
● Step 2: Use below payloads to test the lesson:
<script> alert(“XSS");document.write(document.cookie) </script>
● Step 3: Note the output - The earlier script added output and the current
script output was displayed.
● Step 4: Now select the check box show all and click on submit and note the
output.
● Step 5: When the Add and Delete both check boxes are selected and Submit
button is clicked, the output is displayed but entries are not deleted.
Introductio
n to DOM-
Based XSS
DOM-Based XSS
● DOM-Based XSS/type-0 XSS is a type of XSS vulnerability that allows
an attacker to inject malicious payloads into a webpage by
exploiting a weakness in the DOM of the web application.
● A DOM-Based XSS attack involves exploiting a script on the
webpage that takes user input and reflects it back to the page
without proper sanitization, the attacker then injects malicious
code/payloads into the webpage’s DOM by modifying the values of
the script’s variables.
Document Object Model (DOM)
● The DOM is a programming interface for HTML and XML files.
● It represents the web page as a hierarchical tree-like structure,
where each node corresponds to an element, attribute or text in the
webpage.
● The DOM is used by developers to dynamically change the content
and behavior of a web page in response to user interaction. For
example:
o Add or remove elements and attributes from the page.
o Change the content of existing elements like text or images.
o Modify the styling and layout of elements on the page.
o Respond to user interaction such as clicks or keyboard input.
Document Object Model (DOM)
Stored vs Reflected vs DOM-
Based
● Reflected XSS attacks are carried out by injecting malicious code into a web
application's input fields, such as search boxes, forms, or URLs. The input is
then reflected back to the user in the form of an error message, search
results, or a page redirect. When the victim clicks on the link or submits the
form, the malicious code is executed in their browser.
● Stored XSS attacks occur when the attacker injects malicious code into a
web application's database or other storage mechanism, such as a
comment section or user profile field. The malicious code is then served to
all users who view the affected page, regardless of their session or browser.
● DOM-Based XSS attacks occur when the vulnerable code is present in the
Document Object Model (DOM) of the web page. The attacker exploits a
weakness in the web application's JavaScript code to modify the values of
the script's variables and inject malicious code into the DOM. When the
victim loads the web page, the malicious code is executed in their browser.
Impact of XSS Vulnerabilities
● Depends on the XSS vulnerability and attacker goal.
o Confidentiality – can be None / Partial (Low) / High
o Integrity – can be None / Partial (Low) / High
o Availability – can be None / Partial (Low) / High
● Usually chained with other vulnerabilities to achieve maximum
impact such as full account takeover and even remote code
execution.
Preventing XSS Vulnerabilities
● Encode any user-controllable data on output. Depending on the output context,
this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
DO NOT implement your own encoding library. Instead, use an existing well-known
secure library.
● Filter input on arrival. Only accept input based on what is expected or valid.
● Example: Age field should only contain numbers.
● Use appropriate response headers. To prevent XSS in HTTP responses that aren’t
intended to contain any HTML or JavaScript, you can use the Content-Type and X-
Content-Type-Options headers to ensure that browsers interpret the responses in the
way you intend.
● Use Content Security Policy (CSP) to help detect and mitigate cross-site scripting
attacks.
Live Lab: DOM XSS in document.write
sink using source location.search
Live Lab: DOM XSS in document.write
sink using source location.search
1. Enter a random alphanumeric string into the search box.
2. Right-click and inspect the element, and observe that your random string has been placed
inside
an img src attribute.
3. Break out of the img attribute by searching for:
"><svg onload=alert(1)>
Hands-On
● The aim for each level will be to execute the JavaScript alert function
(t.ly/xss)
with the string THM, for example:
<script>alert('THM');</script>
Live Lab (Bonus): Google XSS Game
(t.ly/xss-game)
QUESTIONS?
THANK YOU