CROSS-SITE SCRIPTING (XSS)
XSS vulnerabilities take advantage of a flaw in user input sanitization to "write" JavaScript code to the page and execute it on the client side. XSS vulnerabilities allow an attacker to execute arbitrary JavaScript code within the target's browser, leading to various types of attacks, including compromising web admins and their web applications. It only affects end-users, without giving the attacker a direct ability to execute code on the back-end server; however, once a user views the XSS-injected page, they unknowingly execute the malicious JavaScript code.
XSS vulnerabilities are solely executed on the client side and hence do not directly affect the back-end server. They can only affect the user who triggers the vulnerability. The direct impact of XSS vulnerabilities on the back-end server may be relatively low, but they are very commonly found in web applications, so this equates to a medium risk (low impact + high probability = medium risk).
As XSS attacks execute JavaScript code within the browser, they are limited to the browser's JS engine (i.e., V8 in Chrome). They cannot execute system-wide JavaScript code to do something like system-level code execution. In modern browsers, they are also limited to the same domain as the vulnerable website. However, an XSS vulnerability can result in complete web application compromise if chained together with other vulnerabilities.
XSS TYPES
Stored (Persistent) XSS
This is the most critical type of XSS vulnerability, because the XSS payload is stored in the back-end database and retrieved/displayed whenever the page is visited (e.g., posts or comments). It is considered persistent and may affect any user that visits the page. Stored XSS may not be easily removable, as the payload may need to be removed from the back-end database.
Reflected (Non-Persistent) XSS
This occurs when user input is displayed on the page after being processed by the back-end server, but without being stored (e.g., a search result or error message). It is temporary and not persistent through page refreshes. It only affects the targeted user and will not affect other users who visit the page.
It occurs when input reaches the back-end server and gets returned to the client without being filtered or sanitized.
Targeting victims via reflected XSS depends on which HTTP request method is used to send input to the server. For GET requests, a URL containing the XSS payload must be sent to the victim:
https://
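A worked example of the stored and reflected paths described above, added here and not part of the original notes: an in-memory comment store stands in for the back-end database (the stored path), a search page echoes a GET parameter back (the reflected path), and the same fix covers both, HTML-encoding every untrusted value at output time. The store, the page-rendering functions and the escapeHtml helper are assumptions made for illustration.

```javascript
// Added example (not from the original notes): output encoding for the stored
// and reflected XSS paths. The comment store, the page-rendering functions and
// the escapeHtml helper are assumptions made for illustration.

// Encode the characters that can break out of an HTML text node or a quoted
// attribute value. Encoding is applied at output time, in the HTML context;
// the stored value itself stays exactly as the user typed it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Stored path. `store` stands in for the back-end database that a stored
// XSS payload would sit in; it is a plain array here so the example runs offline.
function postComment(store, author, text) {
  store.push({ author, text }); // stored raw; each output context encodes for itself
}

// Vulnerable rendering: stored text is concatenated straight into markup, so a
// comment containing a tag runs for every visitor who loads the page.
function renderCommentsVulnerable(store) {
  return store.map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`).join("\n");
}

// Hardened rendering: every untrusted value is HTML-encoded on the way out.
function renderCommentsSafe(store) {
  return store
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("\n");
}

// Reflected path. The search term arrives in the GET query string and is
// echoed on the results page without ever being stored.
function searchTermFromUrl(url) {
  return new URL(url).searchParams.get("q") || "";
}

function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Demonstration with the payload from the notes; run with `node`.
const demoStore = [];
const payload = '<img src="" onerror=alert(window.origin)>';
postComment(demoStore, "guest", payload);
console.log(renderCommentsVulnerable(demoStore)); // tag reaches the page intact
console.log(renderCommentsSafe(demoStore));       // tag arrives as inert text
const link = "https://example.test/search?q=" + encodeURIComponent(payload);
console.log(renderSearchVulnerable(searchTermFromUrl(link)));
console.log(renderSearchSafe(searchTermFromUrl(link)));
```

The design point is that the comment is stored as typed and encoded only when it is written into HTML; the same value rendered into JSON or a JavaScript string would need that context's encoding instead, which is why "sanitize on input" alone does not close the stored path.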
DOM-based (Non-Persistent) XSS
DOM XSS occurs when JavaScript is used to change the page source through the Document Object Model (DOM). In this type, user input is directly shown in the browser and is completely processed on the client side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags). This type of XSS is temporary and not persistent through page refreshes. Additionally, it only affects the targeted user and will not affect other users who visit the page.
In DOM-based XSS, sink functions (functions that write user input to a DOM object on the page) that do not properly sanitize user input can lead to an XSS attack.
Commonly used JavaScript functions that can write to DOM objects are:
document.write()
DOM.innerHTML
innerHTML does not execute <script> tags inserted through it, as a security feature, so a payload such as "<img src="" onerror=alert(window.origin)>" must be used in order to exploit DOM-based XSS through it.
DOM.outerHTML
jQuery library functions that write to DOM objects are:
add()
after()
append()
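An added example, not from the original notes, of how the sinks listed above can be checked for in client-side code: a small static scan walks JavaScript source line by line, remembers variables assigned from DOM sources such as location.hash, and flags any line where one of those values reaches document.write, innerHTML, outerHTML or the jQuery insertion functions. The SINKS and SOURCES tables, the sample page script and the one-pass taint rule are assumptions of this example; it is a heuristic, not a full data-flow analysis.

```javascript
// Added example (not from the original notes): a small static check for the
// DOM-XSS sink/source pairs listed above. The SINKS and SOURCES tables, the
// sample source and the one-pass taint rule are assumptions of this example.

// Sinks from the notes: raw HTML writers and the jQuery insertion functions.
const SINKS = [
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: "innerHTML", re: /\.innerHTML\s*\+?=/ },
  { name: "outerHTML", re: /\.outerHTML\s*\+?=/ },
  { name: "jQuery add/after/append", re: /\.(?:add|after|append)\s*\(/ },
];

// Client-side sources that a crafted link controls without the value ever
// reaching the back-end server.
const SOURCES = [
  { name: "location.hash", re: /\blocation\.hash\b/ },
  { name: "location.search", re: /\blocation\.search\b/ },
  { name: "document.URL", re: /\bdocument\.URL\b/ },
  { name: "document.referrer", re: /\bdocument\.referrer\b/ },
];

// Walk the source line by line. A line is reported when it contains a sink
// and either a source or a variable previously assigned from one. Taint is
// tracked with a single forward pass and no scoping, which is enough for the
// straight-line code typical of inline page scripts.
function findDomXssCandidates(source) {
  const findings = [];
  const tainted = new Map(); // variable name -> where its value came from
  source.split("\n").forEach((line, idx) => {
    const direct = SOURCES.find((s) => s.re.test(line));
    let origin = direct ? direct.name : null;
    if (!origin) {
      for (const [name, from] of tainted) {
        const ident = name.replace(/\$/g, "\\$"); // `$` is legal in identifiers
        if (new RegExp("\\b" + ident + "\\b").test(line)) {
          origin = `${name} <- ${from}`;
          break;
        }
      }
    }
    if (!origin) return;
    // `const x = <tainted expression>` makes x tainted for the lines that follow.
    const decl = line.match(/^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=/);
    if (decl) tainted.set(decl[1], origin);
    const sink = SINKS.find((s) => s.re.test(line));
    if (sink) {
      findings.push({ line: idx + 1, sink: sink.name, source: origin, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample page script: four dangerous lines and one safe one
// (textContent writes text, not markup, so it is not treated as a sink).
const SAMPLE = [
  'const name = decodeURIComponent(location.hash.slice(1));',
  'document.getElementById("greet").innerHTML = "Hello " + name;',
  'document.getElementById("greet").textContent = "Hello " + name;',
  'document.write("<p>" + document.URL + "</p>");',
  '$("#list").append("<li>" + location.search + "</li>");',
  'const ref = document.referrer;',
  '$("#back").after("<a href=\'" + ref + "\'>back</a>");',
].join("\n");

for (const f of findDomXssCandidates(SAMPLE)) {
  console.log(`line ${f.line}: ${f.source} -> ${f.sink}: ${f.text}`);
}
```

Because the rule is purely textual, a source wrapped safely on the same line (for example passed through document.createTextNode before append()) would still be reported; that is the usual trade-off of a grep-style check, which is meant to produce a short review list rather than a verdict.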
XSS ATTACKS
Session Hijacking: Stealing cookies or session tokens to impersonate the victim.
Credential Theft: Capturing usernames and passwords by creating fake login forms.
Defacement: Injecting scripts to alter the appearance of a webpage.
Keylogging: Injecting scripts to capture keystrokes entered by the victim.
Phishing: Redirecting users to a malicious site to capture their credentials.
XSS PREVENTION