Web Security 101 : Cross-Site Scripting (XSS) Attacks
In this article, I would like to explain how XSS works. This is not a deeply technical article, but I hope it will be as useful for you as it was for me.
How does XSS Work ?
Cross-Site Scripting (XSS) is a common vulnerability found in web applications. It allows an attacker to inject script into a page that other users view, so the script executes on the client side, in the victim's browser, with the privileges of the vulnerable site's origin (its cookies, session and DOM).
From the developer's perspective, these vulnerabilities come from weak or missing validation and sanitization of input, and above all from writing untrusted data into HTML without output encoding; in other words, there is no security control between the attacker's input and the victim's browser.
There are three main types of XSS attacks:
Reflected XSS
To execute this type of attack, the attacker injects the malicious payload into a request (typically a URL parameter) that the server reflects back into the response without encoding it. The victim must open the URL containing the payload, for example through a link sent by email or chat. Note that a browser will percent-encode the angle brackets and spaces in a URL like the one below; the decoded value is what the server reflects.
http://example.com/search?query=<script>alert('Ataque XSS')</script>
When should I test for reflected XSS?
It is a good question. To avoid wasting time searching for it, there are specific places where testing for reflected XSS is most useful:
- Search field
- Any parameters of the URL
- Referer and other request headers that the application echoes back in the page
Stored XSS
For this type of vulnerability, the malicious payload is stored by the application (in a database or similar) and rendered later. Any user, authenticated or not, who visits the page that retrieves the stored content has the script executed in their browser; no crafted link is needed, which makes stored XSS the more severe variant.
POST /submit_comment HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

comment=<script>alert('XSS');</script>&submit=Submit
When should I test for stored XSS?
As mentioned, you should focus on this attack if your targets include:
- Blogs, comments sections
- Forms with fields such as title, name or description: any field whose value is stored in a database or similar and later displayed to other users.
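The reflected and stored cases above share one root cause and one fix: untrusted text is written into HTML without being encoded. The following is an added example in JavaScript, not code from the original article, written as a tiny Node-style rendering layer. escapeHtml, renderSearchVulnerable, renderSearchSafe, storeComment, renderCommentsVulnerable and renderCommentsSafe are hypothetical names; the payloads are the two shown above, and the request values are constructed inline.

```javascript
// Added example (not from the original article). Hypothetical rendering
// functions for the search page (reflected XSS) and the comment page
// (stored XSS), each shown vulnerable and then hardened with HTML escaping.

// Escape the five characters that let user input break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// --- Reflected XSS: the search page echoes the query parameter ---
// Vulnerable: the raw query is concatenated straight into the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}
// Hardened: the value is escaped at the moment it is written into HTML
// (output encoding), regardless of any input validation done earlier.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// --- Stored XSS: comments are saved, then rendered for every visitor ---
const comments = []; // stand-in for the database table

function storeComment(author, body) {
  // Storing the raw text is fine; the bug is rendering it raw later.
  comments.push({ author, body });
}
function renderCommentsVulnerable() {
  return comments.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('\n');
}
function renderCommentsSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Parse the query parameter the way a server framework would.
function parseQuery(url) {
  return new URL(url).searchParams.get('query') ?? '';
}

// Constructed request values (the payloads from the article's examples).
const reflectedPayload = "<script>alert('Ataque XSS')</script>";
const storedPayload = "<script>alert('XSS');</script>";

// The browser percent-encodes the URL; the server sees the decoded payload.
const query = parseQuery(
  'http://example.com/search?query=' + encodeURIComponent(reflectedPayload)
);
storeComment('mallory', storedPayload);

console.log(renderSearchVulnerable(query));   // raw <script> reaches the browser
console.log(renderSearchSafe(query));         // &lt;script&gt; is shown as text
console.log(renderCommentsVulnerable());      // every visitor runs mallory's script
console.log(renderCommentsSafe());            // comment displayed as literal text
```

The hardened versions escape for the HTML text and attribute contexts only; a value placed inside a script block, a URL or a CSS rule needs the encoding for that context. Templating engines with auto-escaping (React, Jinja2 with autoescape on, Razor and similar) do this by default unless you explicitly opt out, which is where these bugs usually reappear.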
DOM-Based XSS
In a DOM-based attack, the malicious payload is not inserted into the page by the server. Instead, JavaScript already running in the page reads it from a source the attacker controls (such as the URL query string or fragment) and writes it into a dangerous sink such as innerHTML, document.write or eval; the browser then parses and executes it. When the payload travels in the fragment (after #) it never leaves the browser at all; when it travels in the query string it is sent to the server, but the server does not reflect it, so server-side filters and logs will not see the attack.
In other words, this type of attack manipulates the web page's own environment so that the victim's browser ends up running the malicious script while the page's legitimate code interacts with the manipulated DOM.
<!DOCTYPE html>
<html>
  <head>
    <title>Example of DOM-based XSS</title>
  </head>
  <body>
    <div id="content"></div>
    <script>
      // This is vulnerable to a DOM-based XSS attack
      window.onload = function() {
        // Source: the value of the 'name' parameter in the URL (attacker-controlled)
        var userName = new URLSearchParams(window.location.search).get('name');
        // Sink: the value is written directly into the 'content' element as HTML
        document.getElementById('content').innerHTML = 'Welcome, ' + userName + '!';
      }
    </script>
  </body>
</html>
In this code, the script takes the name parameter from the URL and places it directly into the innerHTML of the element with the id content. This is dangerous because any HTML included in the name parameter is parsed by the browser when the page loads. One detail matters for testing: a script element inserted through innerHTML is not executed (browsers deliberately skip scripts added this way), so a payload such as <script>alert('XSS Attack');</script> would be inert here. The payload must instead use an element with an event handler, for example:
http://example.com/vulnerable_page.html?name=<img src=x onerror=alert('XSS Attack')>
The fix is to treat the value as text rather than markup, for example by assigning it to textContent instead of innerHTML, and to avoid similar sinks (document.write, eval, location assignments) for any value that comes from the URL, postMessage or storage.
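As an added example that is not part of the original article, here is a hardened version of the welcome script in JavaScript. extractName, isValidName, renderWelcome, renderWelcomeVulnerable and fakeElement are hypothetical names; the target element is passed in as a parameter so the same code can be exercised in Node with a stand-in object, and the parameter is also read from the URL fragment, an assumption added here to cover the case where the payload never reaches the server.

```javascript
// Added example (not from the original article): the DOM-XSS welcome
// script rewritten with a safe sink. All function names are hypothetical.

// Source handling: read 'name' from ?name=... or from #name=... .
// The fragment variant is never sent to the server, which is the classic
// DOM-XSS situation that server-side filters cannot see.
function extractName(href) {
  const url = new URL(href);
  const fromQuery = url.searchParams.get('name');
  if (fromQuery !== null) return fromQuery;
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  return new URLSearchParams(fragment).get('name');
}

// Allow-list validation: letters, digits, spaces and a few punctuation
// marks, at most 40 characters. This is defence in depth; the safe sink
// below is what actually prevents script execution.
const NAME_PATTERN = /^[\p{L}\p{N} ._'-]{1,40}$/u;
function isValidName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// Safe sink: textContent creates a text node, so '<' is displayed as '<'
// and no markup in the value is ever parsed.
function renderWelcome(el, href) {
  const raw = extractName(href);
  const name = isValidName(raw) ? raw : 'guest';
  el.textContent = 'Welcome, ' + name + '!';
  return el.textContent;
}

// The vulnerable sink from the page above, kept for comparison: innerHTML
// parses the string as HTML, so an element with an event handler runs it.
function renderWelcomeVulnerable(el, href) {
  el.innerHTML = 'Welcome, ' + extractName(href) + '!';
  return el.innerHTML;
}

// Stand-in for a DOM element so the functions can run outside a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// In the browser the call would be:
//   renderWelcome(document.getElementById('content'), location.href);
const attackUrl = 'http://example.com/vulnerable_page.html?name=' +
  encodeURIComponent("<img src=x onerror=alert('XSS Attack')>");
console.log(renderWelcomeVulnerable(fakeElement(), attackUrl)); // payload inserted as HTML
console.log(renderWelcome(fakeElement(), attackUrl));           // falls back to 'guest'
```

If the page genuinely needs to render user-supplied HTML, textContent is not enough and the value should go through an HTML sanitizer (such as DOMPurify or the browser's Sanitizer API where available) before reaching innerHTML; a Content-Security-Policy that disallows inline script handlers provides a further backstop.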
Feel free to add comments to share your thoughts with me and others about XSS attacks. Many thanks!