cross-site-scripting-xss.md
---
description: In this chapter, we are going to learn about Cross-Site Scripting (XSS).
---

# Cross-Site Scripting (XSS)

{% tabs %} {% tab title="Type of vulnerability" %} Client-side {% endtab %}

{% tab title="Chances to find" %} Very high; XSS is still ranked #7 in the “OWASP Top-10 Vulnerabilities” {% endtab %}

{% tab title="TL;DR" %} An XSS vulnerability allows an attacker to execute JavaScript code in the browser of a victim. This enables an adversary to fully compromise the victim’s account, for example by performing any action on the website that the user could perform. {% endtab %} {% endtabs %}

## What is cross-site scripting?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. (src: OWASP)

Before diving deeper into the variations of XSS, let’s take a quick look at an example of what an XSS exploit looks like: (SAMPLE VIDEO)

{% embed url="https://www.youtube.com/watch?v=vP7tBopQSEc" %}

## XSS Classes

### Reflected cross-site scripting

Reflected XSS occurs when user input is sent to the server within an HTTP request and is then immediately written back into the website’s response in an insecure fashion.

A classic example would be a URL, which contains a parameter that can be altered by a user, where the input is mirrored and made visible.

{% code title="https://example.com/?user=Intigriti" %}

```markup
<span id="user">
<b>Hi Intigriti</b>
</span>
```

{% endcode %}

If the underlying code responsible for creating the server response is not performing any type of sanitisation and if the output is not properly encoded, an attacker could try to send a malicious request.

{% code title="https://example.com/?user=%3Cscript%3Ealert\(document.domain\)%3C/script%3E" %}

```markup
<span id="user">
<b>Hi <script>alert(document.domain)</script></b>
</span>
```

{% endcode %}

If an attacker crafted such a malicious URL and sent it to a victim, the victim would see an alert box pop up displaying the website’s domain. The attacker would still need an additional trick to make the victim click on the URL (such as a phishing email).
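The reflection described above, as an added example that is not part of the original page: a Node.js rendering of the `?user=` greeting once without output encoding and once with HTML entity encoding at the output point, plus a defender-side check that flags a response which echoes a parameter containing HTML metacharacters verbatim. Function names and the two sample URLs are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Uses Node's global URL class.

// Vulnerable rendering: the query parameter is concatenated straight into HTML,
// exactly the behaviour that produces the reflected <script> above.
function renderGreetingVulnerable(user) {
  return `<span id="user">\n<b>Hi ${user}</b>\n</span>`;
}

// Encode the five characters that change meaning inside an HTML text node or
// attribute value, so user input can only ever be displayed as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, parameter encoded at the output point.
function renderGreetingSafe(user) {
  return `<span id="user">\n<b>Hi ${escapeHtml(user)}</b>\n</span>`;
}

// Simulate the server handling a request URL: extract ?user= (percent-decoded
// by URLSearchParams) and render it with the given template function.
function handleRequest(rawUrl, render) {
  const user = new URL(rawUrl).searchParams.get('user') ?? 'guest';
  return render(user);
}

// Defender-side check on a (request, response) pair: true when the decoded
// parameter contains HTML metacharacters and appears unchanged in the body.
function reflectsUnencoded(rawUrl, body) {
  const user = new URL(rawUrl).searchParams.get('user') ?? '';
  return /[<>"'&]/.test(user) && body.includes(user);
}

// Constructed sample URLs mirroring the page's two examples.
const benignUrl = 'https://example.com/?user=Intigriti';
const payloadUrl = 'https://example.com/?user=%3Cscript%3Ealert(document.domain)%3C/script%3E';

for (const render of [renderGreetingVulnerable, renderGreetingSafe]) {
  const body = handleRequest(payloadUrl, render);
  const verdict = reflectsUnencoded(payloadUrl, body) ? 'REFLECTED UNENCODED' : 'encoded';
  console.log(`${render.name}: ${verdict}\n${body}\n`);
}
```

The same `reflectsUnencoded` check can be run over captured request/response pairs from a test suite or proxy log to catch parameters that are echoed without encoding before they reach production.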

## Recommended Writeups