Cross-Site Scripting (XSS)

Time
2 hours 54 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
00:00

>> Cross-site scripting. Now this used to have its own category in the OWASP Top 10, but now it's part of injection. Our other objectives are to understand the basics of cross-site scripting and explain how to prevent cross-site scripting vulnerabilities, or XSS for short.

What are the basics of cross-site scripting? This is a client-side injection attack. Whereas SQL injection or command injection affects the server, cross-site scripting is a client-side attack, meaning that somebody has to visit a webpage, or interact with a web page, or interact with the server if it's serving JavaScript, and that is what executes this cross-site scripting attack. You need somebody to interact with the vulnerable webpage or vulnerable form within the webpage, or vulnerable URL. It requires a person to do that. If you have a CTF or something like that, the lab maker, someone who makes labs, has to script a victim, so to speak, that visits the webpage. It's a little trickier to do if you're building a lab to do this because you need, again similarly, a victim visiting a webpage.

What happens is the user input is not sanitized. No brainer here: when it comes to command injection and SQL injection, it's the same thing with this, but instead of interacting with a back-end database or interacting with commands on the server, as with OS command injection and SQL injection, this is injecting script into the page, JavaScript. There can be other scripts, but mainly it's JavaScript. You can also inject HTML. HTML injection is also a type of injection attack. Typically if I'm testing something like this, I will use HTML injection first to see if it's vulnerable and then pivot into inserting JavaScript onto the page to see if that works.

There are three types of cross-site scripting attacks. There is reflected, stored and DOM-based. We'll talk about each one of those.

What's reflected? Reflected is if somebody, let's say for example, somebody clicks on their email and it's their bank emailing them and they say, please click this link, and it looks like it's a perfectly innocent page. But what you don't see at the end of the URL is JavaScript embedded. For example, if you look at the smaller print here, the SVG onload equals document.location: if that's part of the URL, if it's whatever banking site you have and then added into there, the attacker inserts JavaScript, in this case the SVG onload document.location. If someone were to click on that URL, it will redirect them to the attacker's page, which is probably a phishing page, and it's probably stealing somebody's credentials for them to then log on into that person's bank account and do malicious things like take out money and things like that. That is what reflected is; it is not stored on the server. It's simply JavaScript that is reflected back to the victim. Again, you can do things like redirect somebody, you can steal cookies, and basically have anything that JavaScript will allow you to do.

For the most part, that's to say though that web application firewalls, WAFs, are getting smarter and payloads are getting a whole lot trickier for somebody to do things like steal cookies or redirect the victim. They might be able to just do something like print the giant one. You can see they can create the big scary one, I'll talk about that in a second, on to somebody's page. I think for the sake of saying that you'd execute JavaScript, yes, you've proven to me that you can make a one appear within the browser. But what's the impact of that? Can an attacker actually do something malicious? Can they steal cookies? Can they redirect me? If they can't, I think that really lowers the impact and severity of that cross-site scripting attack. Like I put here, it is useful for testing. That big, scary one, you can test with it. But it's not really illustrative of the impact of what you can do as an attacker to a victim.

Here's the big scary one. You'll see that one at the top of the screen. That's my payload at the bottom. It was just that script alert one script. I can see that for testing, that's fine. But what can I pivot to do? I'll switch up my payload. I put that in that host name, IP box, SVG onload. These on-action ones like onblur, onmouseover, onload, so this is onerror. For example, here when the page loads it alerts document.cookie. I see this alert box pop up. Then I can see some cookie information here, like the PHP session ID. Which means that we can see as the admin. What I could do as an attacker is I could take that PHP session ID and I can put it into my browser and then assume the admin account's session and basically do a cookie replay attack, which could be pretty dangerous. That is the impact of what you can do with this type of attack.

Stored cross-site scripting is more dangerous than reflected because what happens is this usually happens in chat boards or something that somebody visits and they can enter information into a form. They can put in JavaScript and again, they can redirect you. They can steal your cookies. But all that's required is, the person doesn't have to put it into the URL bar and hit "Enter". All they do is simply visit a webpage, which can then do things like key loggers and steal information. That's why stored is less interaction required from the victim other than visiting the vulnerable webpage, and that's where the malicious things can happen to them.

DOM-based is tricky. I've seen a lot of bug bounty reports on DOM-based. You have to know a little bit about JavaScript and have a little bit of understanding of what this is, but whereas reflected and stored cross-site scripting is written to the page, and then stored is written into the server. Reflected is still written on the page. So if you view the source of the page, you can see the JavaScript in there. With DOM-based, it's written into the document object model or DOM of the webpage. What is the DOM? What is the document object model? This is described as this tree-like structure of how the webpage is shown to you. It takes all these different attributes and elements and things like that and it's how the web page is displayed. Everything happens within the browser itself. It doesn't happen on the server at all. It's difficult to detect with scanners, although active scan with Burp Suite may find it, or ZAP may say it found it. But it could be a false positive. The thing with these scanners is they try to detect it by looking at the response of the page for reflected and stored cross-site scripting. Then they see that whatever they attempted to do was written to the page so they can confirm things like reflected or stored cross-site scripting, whereas with DOM-based it's not reflected back into the webpage itself, the source of the page, so the scanner itself doesn't know if it was successful or not. It may read a JavaScript library or something like that and say, okay, well there's certain elements in here. There's certain JavaScript that could indicate to me that it could be vulnerable to DOM-based cross-site scripting, but then you have to confirm this on your own.

Now I say it depends on the browser that you have. All of these really depend on the browser that you have. I've had the most success with Firefox having it work. From a safety standpoint, maybe don't use Firefox to prevent cross-site scripting attacks. But if you're testing cross-site scripting, I definitely recommend Firefox because it lets things through more so than other browsers. Now that's not to say I haven't seen this happen with some other browsers and have it work whereas in Firefox it doesn't. Meaning it could work in Chrome or could work in Safari, or it doesn't work in Firefox. That's the same: when you're testing these vulnerabilities, you should be testing them with different browsers.

Here's our web security testing guide resources. I suggest you read each one of these as far as how to test for these different vulnerabilities, for reflected cross-site scripting, for stored cross-site scripting, and for DOM-based cross-site scripting.

How do we prevent this? OWASP recommends using security-focused encoding libraries. Libraries that encode any input to the page, so that you'll see here on the right, with HTML encoding an ampersand becomes &amp;, and greater-than and less-than become &gt; and &lt;. What happens is instead of it being written directly to the page, the data becomes HTML encoded, or the input that is submitted to the page is HTML encoded, and that mitigates this type of attack. Of course, never insert untrusted data, except in allowed locations. That could be true of any of these types of attacks like SQL injection and OS command injection. Never insert untrusted data. Be aware of whenever a user can insert data; these are vulnerabilities or vulnerable points that we should be aware of if we're trying to prevent this. This cheat sheet is down here on the right, at the bottom. If you want to visit it, there's a whole lot more information here. I suggest you go to it.

I did want to note that the X-XSS-Protection header actually no longer really does anything. It's not really a protection. If you see this header in the response when you're interacting with a website, it used to work with things like Internet Explorer; it is deprecated. It's not really used anymore. The X-XSS-Protection header is no longer really used to protect against cross-site scripting attacks. If you're trying to use that or if you used that in the past to mitigate these types of attacks, it really doesn't do anything.

In summary, now we should understand the basics of cross-site scripting and also understand ways to prevent cross-site scripting.