You have probably heard about this vulnerability a lot, especially in web apps and websites. so let’s explain what is XSS, it’s kinds, and many other information that you need to know about it.
What is XSS ( Cross-Site Scripting )?
XSS is a vulnerability related to websites and web applications where the attacker can inject its own code into the website to run it with the permission of the target’s accessing the site.
For example, the user will visit a site that is vulnerable by XSS and compromised by the attacker where he injected his own malicious code into the source code of the site.
the user would use the website, enter sensitive data such as username , password , credit card ,etc. without knowing about the attacker’s script running in the background collecting all these information and sending it back to the attacker.
You can and will find XSS Vulnerability in many websites online since it’s very common vulnerabilities that developers don’t notice also it’s in OWASP top 10 vulnerabilities every year
What are the types of XSS ?
there are multiple types for XSS vulnerability that a website that be vulnerable to:
- Reflected XSS (Non-persistent)
- Stored XSS (persistent)
- DOM Based XSS
- Mutated XSS
What is Reflected XSS ?
Reflected XSS is when an web application receives the data from the user as HTTP request, you can either have it by GET or POST and then the web application will output the data to the source code of the results without sanitazation which allows the attacker to implement its own code into the website’s page.
For Example, let’s say we have a website that allows you search for something, when you press enter the GET request would be something like this:
let’s assume the web app developer hasn’t implemented input validation not sanitazation and it outputs what you have searched on the website let’s say it has something like this
You have searched for query
now, let’s try to inject our own code into the that
now when the results is loaded, your browser would run the query that you have searched since it’s in a script tag and it’s not sanitized and it would show a popup window
This code is harmless of course, but XSS vulnerability can be very dangerous and your clients would be under threat if it’s fixed properly
What is Stored ?
Stored XSS is when the data is saved on the website’s database and is shown to the users every time they visit the page, the data saved is not sanitized and saved directly to the database so when the website shows that data, your browser will process it as a script and it will run it instead of displaying it.
an example to that a forum, let’s say you open a Reddit thread, usually the thread has many comments that load automatically the moment you open that thread, if Reddit’s developers didn’t sanitize the comments written before saving nor applying HTML escaping before outputting the results, it will cause a huge issue.
let’s take that to practical usage, let’s say we made a comment on Reddit with the same one above
this comment will be saved into the database for that specific thread, then when other users open the thread to read, the browser will automatically execute the code above on every single page visit.
What is DOM Based?
let’s continue and do something similar to the previous examples, let’s say you have an input field where you can search for something, and that code will display the same string that you wanted to search for, so it would be something similar to this
var search = document.getElementById('search').value; output.innerHTML = 'You Have searched for ' + search;
as you can see, we’re outputting the same string that the user has input without any processing or checking if the value is safe, and when write that value back to the DOM, the browser will run that code as script leading to exploiting XSS.
What Is Mutated?
According to wikipedia “Mutated XSS happens when the attacker injects something that is seemingly safe but is rewritten and modified by the browser while parsing the markup. This makes it extremely hard to detect or sanitize within the website’s application logic. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters on parameters to CSS font-family.“
In short, this vulnerability is very rare, and mainly it depends on libraries that you use while writing code and it also depends on how the browser interpret the HTML.
you can read more about it in this paper as it’s kinda complicated and will probably do a different post just for this attack.
This is a simple introduction for the attack, we will continue to this series to discuss more about attacks, how to defend against them and how to evade known techniques to attack