Intro to Cross Site Scripting (XSS)

Learn the fundamentals of XSS, or "Cross Site Scripting".

Prerequisites:

  1. Basics of JavaScript: as XSS is based on JavaScript, it is helpful to have a basic understanding of the language. However, none of the code in this post is overly complicated.

  2. A basic understanding of client-server requests and responses.

What is XSS?

Cross-Site Scripting, also known as "XSS" in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users. In this post you will learn about the different types of XSS, how to create XSS payloads, and how to modify payloads to evade filters.

What is a payload?

It's the JavaScript that we wish to be executed on the target's computer. A payload is divided into two sections, "INTENTION" and "MODIFICATION":

  • INTENTION is what we actually want the JavaScript code to do (example below).

  • MODIFICATION is the changes we have to make to get the code to run, as every scenario is different (more on this later).

Here are some XSS INTENTIONS:-

  1. Proof of Concept (PoC):-

Above is one of the simplest payloads, where we demonstrate that we can achieve XSS on a website: this code causes an alert box to pop up on the page with the text "you have been pwned!".

  2. Session Stealing:-

Login details of a user, such as login tokens, usernames and passwords, are saved in the form of cookies on the target's computer. The above JavaScript code takes the target's cookies, base64-encodes them to ensure successful transmission, and then posts them to a website under the attacker's control to be logged. Once the attacker has these cookies, they can take over the target's session and be logged in as that user.

  3. Key Logger:-

The below code acts as a key logger. This means anything you type on the webpage will be forwarded to a website under the attacker's control. This could be very damaging if the website the payload was installed on accepted user logins or credit card details.

  4. Business Logic:-

This payload is a lot more specific than the above examples. It is about calling a particular network resource or a JavaScript function. For example, imagine a JavaScript function for changing the user's email address called user.changeEmail(). Your payload could look like this:

Now that the email address for the account has changed, the attacker may perform a password reset attack.

Types of XSS

Reflected XSS

Reflected XSS happens when user-supplied input/data in an HTTP request is included in the webpage source without any validation.

Example Scenario: A website where, if you enter incorrect input, an error message is displayed. The content of the error message is taken from the error parameter in the query string and built directly into the page source.

The application doesn't check the contents of the error parameter, which allows the attacker to insert malicious code.

The vulnerability can be exploited as in the scenario in the image below:

Potential Impact: The attacker could send links containing a JavaScript payload to potential victims, or embed such links in an iframe on another website, getting the victims to execute code in their browser and potentially revealing session or customer information.

How to test for Reflected XSS:

You'll need to test every possible point of entry; these include:

  • Parameters in the URL Query String

  • URL File Path

  • Sometimes HTTP Headers (although unlikely exploitable in practice)

Once you've found some data which is being reflected in the web application, you'll then need to confirm that you can successfully run your JavaScript payload; the payload you need will depend on where in the application your input is reflected.
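To make the error-page scenario and the reflection test above concrete, here is an added example (not code from the original post): a minimal renderer with the reflected parameter built straight into the page, the same renderer with output encoding applied, and the byte-for-byte reflection check used when testing. The function names, the `app.example` host and the probe URL are assumptions constructed for this example.

```javascript
// Added example, not code from the original post: a minimal error-page
// renderer showing the reflected-XSS bug described above next to its fix,
// plus the reflection check used when testing for it. All names and the
// sample URL are assumptions constructed for this example.

// HTML-encode the characters that can break out of an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read the `error` parameter from the request's query string.
function getErrorParam(requestUrl) {
  return new URL(requestUrl).searchParams.get("error") || "";
}

// Vulnerable: the parameter is built straight into the page source.
function renderErrorPageVulnerable(requestUrl) {
  const error = getErrorParam(requestUrl);
  return `<html><body><p class="error">${error}</p></body></html>`;
}

// Fixed: the same page, but the parameter is encoded before insertion.
function renderErrorPageSafe(requestUrl) {
  const error = getErrorParam(requestUrl);
  return `<html><body><p class="error">${escapeHtml(error)}</p></body></html>`;
}

// Testing step from the post: send a probe containing HTML metacharacters
// and check whether it comes back byte-for-byte in the response body.
// A benign message reflects in both versions; only the raw probe coming
// back unencoded indicates the bug.
function isReflectedUnescaped(responseHtml, probe) {
  return responseHtml.includes(probe);
}

// Constructed sample request: the textbook PoC marker, URL-encoded.
const PROBE = "<script>alert(1)</script>";
const PROBE_URL = "https://app.example/login?error=" + encodeURIComponent(PROBE);

console.log("vulnerable page reflects raw probe:",
  isReflectedUnescaped(renderErrorPageVulnerable(PROBE_URL), PROBE)); // true
console.log("fixed page reflects raw probe:",
  isReflectedUnescaped(renderErrorPageSafe(PROBE_URL), PROBE));       // false
```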
