XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.
- Reflected XSS
- Stored XSS
- DOM-Based XSS
In Reflected XSS, an attacker sends the victim a link to the target application through email, social media, etc. This link has a script embedded within it which executes when visiting the target site.
In Stored XSS, the attacker is able to plant a persistent script in the target website which will execute when anyone visits it.
With DOM Based XSS, no HTTP request is required, the script is injected as a result of modifying the DOM of the target site in the client side code in the victim’s browser and is then executed.
http://test.gbhackers.com/search?q=gbhacker Searched for <strong>gbhacker</strong> <script>alert(document.cookie)</script>
Imagine that we are having an URL like this and we are searching for gbhacker and it will reflect following query in the browser. We trust the domain and we trust the resource being entered in search page, so now the untrusted part gbhacker was the query string entered by browser, the attacker can manipulate the value anything as they like, for an example they change like this <script>alert(document.cookie)</script>.This is just a simple query to popup an alert in the webpage, if some requested the page of attackers website and passed document.cookies as parameter in website then attacker can gather all cookies in the website.If they got Auth cookies they can simply hijack user sessions.
Potential risks about XSS
The attacker can compromise or take over the victim’s user account in the application. They could retrieve data from the target web application, modify content on the target page,redirect the victim to another malicious or spoof site, or use it as a platform to install other malware on the victim’s system.
The consequences of any of the above can seriously impact your ability to conduct business, your customers, and your organization’s reputation.
Defenses against XSS
- What input do we trust?
- Does it adhere to expected patterns?
- Never simply reflect untrusted data.
- Applies to data within our database too.
- Encoding of context(Java/attribute/HTML/CSS).
- A1 – SQL injection
- A2 – Broken Authentication and Session Management
- A4 – Insecure Direct Object References
- A5 – Security Misconfiguration
- A6 – Sensitive Data Exposure
- A7 – Missing Function Level Access Control’
- A8 – Cross-Site Request Forgery (CSRF)
- A9 – Using Components with known Vulnerabilities
- A10 – Unvalidated Redirects and Forwards