XSS - Revision history

Unknown user at 20:26, 4 June 2023

2023-06-04T20:26:02Z

← Older revision		Revision as of 20:26, 4 June 2023
Line 1:		Line 1:
	Notes on Cross-Site Scripting		Notes on Cross-Site Scripting (XSS)

	=Overview=		=Overview=

Unknown user at 20:25, 4 June 2023

2023-06-04T20:25:56Z

← Older revision		Revision as of 20:25, 4 June 2023
Line 1:		Line 1:
			Notes on Cross-Site Scripting

	=Overview=		=Overview=

Unknown user at 23:22, 13 April 2022

2022-04-13T23:22:48Z

← Older revision		Revision as of 23:22, 13 April 2022
Line 127:		Line 127:
	* Use appropriate response headers (use Content-Type and X-Content-Type-Options for responses that should not contain HTML or Javascript, to ensure browser interprets correctly)		* Use appropriate response headers (use Content-Type and X-Content-Type-Options for responses that should not contain HTML or Javascript, to ensure browser interprets correctly)
	* Content security policy (last line of defense to reduce severity of XSS vulnerabilities)		* Content security policy (last line of defense to reduce severity of XSS vulnerabilities)


			[[Category:Javascript]]
			[[Category:Security]]
			[[Category:XSS]]

Unknown user: /* Exploiting XSS */

2022-04-13T22:49:19Z

Exploiting XSS

← Older revision		Revision as of 22:49, 13 April 2022
Line 88:		Line 88:
	* Capturing passwords (e.g., from password managers auto-filling the password field)		* Capturing passwords (e.g., from password managers auto-filling the password field)
	* Performing CSRF (allows attacker to perform actions as the victim - such as sending a message, transferring money, or changing the primary account email)		* Performing CSRF (allows attacker to perform actions as the victim - such as sending a message, transferring money, or changing the primary account email)

			===Stealing Cookies with XSS===

			https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies

	==Finding XSS Vulnerabilities==		==Finding XSS Vulnerabilities==

Unknown user: /* What Can Attackers Do */

2022-04-13T22:48:36Z

What Can Attackers Do

← Older revision		Revision as of 22:48, 13 April 2022
Line 78:		Line 78:

	XSS also has high impact if the user that is compromised has elevated privileges, since the attacker will be able to take control of the application to compromise other users and their data.		XSS also has high impact if the user that is compromised has elevated privileges, since the attacker will be able to take control of the application to compromise other users and their data.

			===Exploiting XSS===

			https://portswigger.net/web-security/cross-site-scripting/exploiting

			Three ways that an XSS vulnerability can be exploited:

			* Stealing cookies (send the victim's cookies to your own domain, then manually inject the cookies into your browser and impersonate the victim)
			* Capturing passwords (e.g., from password managers auto-filling the password field)
			* Performing CSRF (allows attacker to perform actions as the victim - such as sending a message, transferring money, or changing the primary account email)

	==Finding XSS Vulnerabilities==		==Finding XSS Vulnerabilities==

Unknown user: /* Basic Reflected XSS Attack */

2022-04-13T22:42:41Z

Basic Reflected XSS Attack

← Older revision		Revision as of 22:42, 13 April 2022
Line 31:		Line 31:
	<pre>		<pre>
	https://insecure-website.com/status?message=<script>/+Bad+stuff+here...+/</script>		https://insecure-website.com/status?message=<script>/+Bad+stuff+here...+/</script>
			</pre>

			For the purposes of testing, can just input something simple like this:

			<pre>
			<script>alert(1)</script>
	</pre>		</pre>

Unknown user: /* Notes */

2022-04-13T22:28:26Z

Notes

← Older revision		Revision as of 22:28, 13 April 2022
Line 15:		Line 15:
	=Notes=		=Notes=

	~~[https://portswigger.net/web-security/cross-site-scripting]~~		==Reflected XSS==

	==Basic Reflected XSS Attack==		===Basic Reflected XSS Attack===

	An example of a reflected XSS attack would be a page that accepts input from a URL parameter, and dynamically inserts it in the page without any additional processing.		An example of a reflected XSS attack would be a page that accepts input from a URL parameter, and dynamically inserts it in the page without any additional processing.
Line 33:		Line 33:
	</pre>		</pre>

	==Basic Stored XSS Attack==		==Stored XSS==

			===Basic Stored XSS Attack===

	An example of a stored XSS vulnerability would be a message board application. Users can submit messages that will be stored in a database, and those messages will be retrieved and displayed for other users. If the application does not do any additional processing, a malicious user could submit a message with the contents		An example of a stored XSS vulnerability would be a message board application. Users can submit messages that will be stored in a database, and those messages will be retrieved and displayed for other users. If the application does not do any additional processing, a malicious user could submit a message with the contents
Line 43:		Line 45:
	and that Javascript would be executed in the browser of anyone viewing that message.		and that Javascript would be executed in the browser of anyone viewing that message.

	==Basic DOM-Based XSS Attack==		==DOM XSS==

			===Basic DOM-Based XSS Attack===

	DOM-based XSS occurs when an application contains client-side Javascript code that is processing untrusted data in an unsafe way.		DOM-based XSS occurs when an application contains client-side Javascript code that is processing untrusted data in an unsafe way.

Unknown user: /* Other Topics */

2022-04-13T22:26:47Z

Unknown user: /* Content Security Policy */

2022-04-13T22:23:30Z

Content Security Policy

← Older revision		Revision as of 22:23, 13 April 2022
Line 85:		Line 85:
	(This is a difficult task, it is time-consuming to review JS code to find non-URL-based input or non-HTML-based sinks. Burp Suite Professional has static/dynamic tools to take care of this.)		(This is a difficult task, it is time-consuming to review JS code to find non-URL-based input or non-HTML-based sinks. Burp Suite Professional has static/dynamic tools to take care of this.)

	==Content Security Policy==		==Other Topics==

			===Content Security Policy===

	The CSP is a browser mechanism that explicitly calls out what URLs/sources the browser can load and run Javascript code from. This can help mitigate XSS vulnerabilities that exist in the application.		The CSP is a browser mechanism that explicitly calls out what URLs/sources the browser can load and run Javascript code from. This can help mitigate XSS vulnerabilities that exist in the application.

			===Dangling Markup Injection===

			Can be used to capture data cross-domain when XSS is not possible

			Can be used to capture sensitive information visible to others, like CSRF tokens, which can be used to perform actions on behalf of a user

Unknown user: /* Notes */

2022-04-13T22:06:42Z

Notes

@@ Line 14: / Line 14: @@
 =Notes=
 ==Basic Reflected XSS Attack==
@@ Line 58: / Line 60: @@
 This attack usually takes the form of an input field whose value comes from the URL. Then the attacker can deliver the attack by getting the victim to visit the URL - similar to reflected XSS.

← Older revision		Revision as of 22:26, 13 April 2022
Line 96:		Line 96:

	Can be used to capture sensitive information visible to others, like CSRF tokens, which can be used to perform actions on behalf of a user		Can be used to capture sensitive information visible to others, like CSRF tokens, which can be used to perform actions on behalf of a user

			==Prevention==

			* Filter input on arrival (as strictly as possible, as soon as possible)
			* Encode data on output (to prevent it from being interpreted as active content; can use HTML, URL, JS, and/or CSS encoding)
			* Use appropriate response headers (use Content-Type and X-Content-Type-Options for responses that should not contain HTML or Javascript, to ensure browser interprets correctly)
			* Content security policy (last line of defense to reduce severity of XSS vulnerabilities)