Cross Site Scripting (XSS)
What is XSS(Cross Site Scripting)
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
Attackers can use these background requests to add unwanted spam content to a web page without refreshing it, gather analytics about the client’s browser, or perform actions asynchronously.
How Do Cross-Site Scripting Attacks Work?
When attackers inject their code into a web page, they can then inject their own script, which is executed by the victim’s browser.
Another popular use of cross-site scripting attacks is when the vulnerability is available on most publicly available pages of a website.
In this case, attackers can inject their code to target the visitors of the website by adding their own ads, phishing prompts, or other malicious content.
Types of XSS attacks
In this type of XSS, the malicious script is reflected from the server back to the client. Hence, it is called reflected XSS. It is reflected back in such a way that the HTTP response includes the payload from the HTTP request.
And also Other users cant access it.
Eg: when an attacker`s payload which is sent from a website’s search or contact form and gets executed.
The term stored indicates that the payload is stored somewhere. In stored XSS, the payload is stored on the server side. Once the payload is present within the application, provided it wasn’t properly escaped then execution of payload leads to Stored xss
Any body can Access it because has its being stored in some DB
When the The objects inside the payloads gets executed (DOM- Document object Model) eg: document.location,url,cookies etc
When an application uses a DOM to store data, the data remains only on the client side and the browser reads and displays the output.
Blind cross-site scripting attacks occur when an attacker can’t see the result of an attack. The vulnerability commonly lies on a page where only authorized users can access.
Attacker will not come to know if the payload fails, the attacker won’t be notified.
Eg: when a Address input field is vulnerable to XSS, but only from an administrative page restricted to admin users.
mXSS may usually occurs in innerHTML and happens due to incorrect reads of innerHTML. The mXSS is an XSS vector that is mutated from safe state to unsafe unfiltered state.
Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical.
The user provided content is mutated by the browser, such that a harmless string passes nearly all XSS filters is ultimately transformed into active XSS attack vector by the browser.
If attackers prepares a payloads as per the filtering mechanism enabled and then executes it.
Self Cross-Site Scripting:
Self Cross site scripting(XSS) is a vulnerability in web applications which gives the ability of executing JS as the same user and not to other users. (Attacking or execution of JS for your own session`s)
Mitigations for XSS
Avoid and Restrict HTML in Inputs
Sanitise values and proper data encoding
Use HttpOnly Flag and secure Cookies implementation
Use a WAF and Proper WAF rules to prevent injections
Implement CSP policies
Implement XSS protection Headers
Use appropriate response headers.
In the Next write up will show how to craft payloads as per XSS identification needs.