-XSS (cross-site Scripting): a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victims machine -vulnerable web app: uses unsanitized user input -javascript, VBScript, Flash and CSS -Two categories: Persistent/stored and Reflected -Possible attacks: Cookie stealing, keylogging, webcam snapshot, phishing, port scanning, other browser related exploits
Stored XSS -malicious string originates from the websites database -web app allows user input that is not sanitized
- Attacker inserts malicious payload into the web app’s database
- For every visit to the website the malicious script is activated
- data such as cookie, is stolen and sent to attacker to take over victim’s account *script runs in every browser because it is stored in the database
log cookie: dev tools > storage > change cookie value
Reflected XSS
-malicious payload is part of the victims request to the website -website included this payload in response back to the user -attacker needs to trick a victim to click a URL -requires the victim to send a request containing an attackers payload -use social-engineering to trick victims to click link
- attacker sends a link to victim that contains a malicious payload
- victim clicks link and taken to vuln website
- link containing the attacker’s script is executed on website
- attacker’s script sends data back to the attacker, taking over victims account
DOM-Based XSS
-malicious payload is not actually parsed by the victim’s browser until the website’s legitimate javascript is executed -an attacker’s payload will only be executed when the vulnerable javascript code is either loaded or interacted with eg: var keyword = document.querySelector(‘#search’) keyword.innerHTML =
test” onmouseover=“alert(‘Hover over the image and inspect the image element’)” test” onmouseover=“alert(document.cookie)” test” onmouseover=“document.body.style.backgroundColor = ‘red’;
Using XSS for IP and Port Scanning
-ability to scan a victims internal network and look for open ports
eg:
XSS Keylogger -creating an event to listen for key-presses
Filter Evasion
Bypass the filter that removes any script tags <img src=x onerror=alert(‘Hello’);>
The word alert is filtered, bypass it. 0”autofocus/onfocus=alert(1)⇒<video/poster/onerror=prompt(2)>“-confirm(3)-”
The word hello is filtered, bypass it.
last:
Protextion Methods & other exploits
Protection Methods:
- Escaping: Escape all user input. Data received is secure before rendering it. eg: disallow < and > characters from being rendered
- Validating Input: process of ensuring application is rendering the correct data and preventing malicious data from doing harm to site, database and users. Disallow certain characters from being submitted in the first place
- Sanitize: Helpful on sites that allow HTML markup. eg: sanitize ’<’ into HTML entity <
Other Exploits -stringing several vulns together to produce a bigger/better exploit -BeEF: pen testing tool for web browser; use client-side attack vectors.