Hacker’s guide on Cross Site Scripting (XSS) vulnerability

XSS stands for Cross site scripting . It is a vulnerability that allows attackers to inject client-side scripts like JavaScript and run it on web pages. When the end user loads these pages, the malicious scripts will be executed and attackers can steal session tokens and cookies, change the content of the web page through DOM manipulation or even redirect the browser.

Attackers usually try to run JavaScript code on input boxes and parameters on forms in vulnerable websites. These input fields, if not secured properly, will execute code.

Types of XSS

1. Stored / Persistent XSS attack: The script gets stored on server or database and is executed every time the page is loaded. With this type of attack, all the people who see the infected publication, message or any element, become victims of the attack.
2. DOM based XSS attack: This type of attack occurs entirely on client side. The attack works through manipulating the internal model of the web page within the browser, known as the DOM (Document Object Model). These attacks begin at a source and ends at a sink. The locations that attacker input bring into the DOM are designated as source and the locations in which attacker input can be executed in the DOM are designated as sink. This vulnerability usually occurs when JavaScript takes data from an attacker-controllable source (e.g. URL) and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users’ accounts.
3. Reflected XSS attack: It is the simplest type of XSS. It occurs when an website receives data in an HTTP request and includes that data within the immediate response without any other processing. For example, In the vulnerable target site, the URL http://target-site.com/page.php?something=<script>alert("XSS")</script> will display an dialog box containing the message alert(“XSS”).

Mitigation

1. Always keep your browsers updated to prevent any zero-day attacks.
2. Sanitize input from client-side and follow secure coding practises. Some methods are by encoding inputs and special characters (<, >, ‘ and “), filtering <script></script> tags, and using XSS prevention libraries (e.g. AntiXSS, xssprotect).
3. Minimize user input on website as much as possible.
4. Prevent cookies from being shown in cleartext (set the HttpsOnly flag in header).

Resources to practise

• XSS Game is a multi-level CTF focusing entirely on cross-site scripting (XSS) attacks.
• Practise on Portswigger Web Security Academy

Conclusion

Cross-site scripting is the third most common vulnerability affecting websites and applications. OWASP lists more than 80 vectors that can be targeted using Cross Site Scripting. So understanding how this attack works is essential to every hacker.