Beginners Guide to Cross Site Scripting (XSS)
Java Script
JavaScript is the programming language of the web. It’s one of the most popular and in demand skills in today’s job market for good reason. JavaScript enables you to add powerful interactions to websites
A Scripting Language understood by the browser.
JS is embedded in HTML Pages
The Browser RUNS the js instead of displaying it
Event Handler
When JavaScript is used in HTML pages, JavaScript can “react” on these events.
When the page loads, it is called an event. When the user clicks a button, that click too is an event. Other examples include events like pressing any key, closing a window, resizing a window, etc.
Onload
Basically java script uses onload function to load an object on any web page. For example I want to generate an alert for user those who visit my website; I will give the following JavaScript code.
<body onload=alert(‘Welcome to Hacking Articles’)>
So whenever the body tag loads, an alert will pop up with following text Welcome to Hacking Articles for the visitors. Here the loading of the body tag is an event or a happening and onload is an event handler which decides what will action will happen on that event.
Similarly, there are many JavaScript event handlers which define what event occurs for such type of action like scroll down of page, or when an image fails to load etc.
Onmouseover
Onmouseover, when the user moves his cursor over the text, the additional code will be executed. For example let understand following code:
<a onmouseover=alert(“50% discount”)>surprise</a>
Now when user moves his cursor over the surprise the displayed text on the page, an alert box will pop up with 50% discount.
onclick: | Use this to invoke JavaScript upon clicking (a link, or form boxes) |
onload: | Use this to invoke JavaScript after the page or an image has finished loading |
onmouseover | Use this to invoke JavaScript if the mouse passes by some link |
onmouseout | Use this to invoke JavaScript if the mouse goes pass some link |
onunload | Use this to invoke JavaScript right after someone leaves this page. |
Cross Site Scripting (XSS)
XSS is listed as top third web application security risk in the OWASP to top 10 risk model 2017.
Cross-site scripting (XSS) is a flaw in a web application that allows an attacker to execute malicious JavaScript through code injection attack in another victim’s browser.
In this attack user is not directly targeted through a payload, although attacker shoot the XSS vulnerability by inserting malicious script into a web page that appears to be a genuine part of the website to the users, whenever any user visit that website it will automatically send the malicious JavaScript code in his browser without his knowledge.
Let’s take an example that following code is XSS vulnerable, an attacker may possibly present a history that holds a malicious payload such as <script>alert(HACK);</script>
Print “<html>”
Print “<h1>Recent History</h1>”
Print request.Recent History print “</html>“
Users visiting the web page will get the following HTML page without his knowledge.
<html>
<h1> Recent History </h1>
<script>alert (HACK);</script>
</html>
Types of XSS:
There are actually three types of Cross-Site Scripting, commonly named as:
- Persistent XSS
- Non-persistent XSS
- DOM-Based XSS
Persistent
A persistent XSS also known as stored XSS because through this vulnerability the injected malicious script get permanently stored inside the webserver and the application server give out it back to the user when he visits the respective website. Hence when the client will click on payload which appears as an official part of the website, the injected JavaScript will get execute by the browser. The most common example is comment option on blogs, which allow the users to POST their comment for administer or other user.
Persistent XSS is considered more dangerous because the malicious payload is stored inside web server as the more visitors will interact with the website will result into more XSS infected user. Attack does not require phishing technique to target its users.
Example:
An example of a web application vulnerable to stored XSS as shown in the screenshot.
<script>alert(document.cookie)</script>
This JavaScript gets stored in the database of the web application and gets executed on the victim’s browser, which capture the cookie and send it to the attacker
Read complete article from here
Non-Persistent
The non-persistent XSS is also known as reflected XSS is occurs when the web application respond immediately on user’s input without validating the inputs this lead an attacker to injects browser executable code inside the single HTML response. It’s named as “non-persistent” since the malicious script does not get stored inside the web server, therefore attacker will send the malicious link through phishing to trap the user.
The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.
Example:
An example of a web application vulnerable to reflected XSS as shown in the screenshot.
<script>alert(“hellllooo”)</script>
It is also known as type 1 because this attack is carried out through single request/response then gets executed on the victim’s browser, and will prompt an alert “hellllooo” to his browser.
Read complete article from here
DOM-Based
The Document Object Model (DOM) is an API that increases the skill of programmers or developers to produce and change HTML and XML documents as programming objects.
The JavaScript language is used in DOM, which is also used for other websites. Through JavaScript it allows programmer to make the dynamic changes in HTML document can be accessed, modify, deleted, or added using the DOM.
When an HTML document is loaded into a web browser, it becomes a document object.
The document object is the root node of the HTML document and the “owner” of all other nodes
The HTML DOM model is constructed as a tree of Objects
With the object model, JavaScript gets all the power it needs to create dynamic HTML:
- JavaScript can change all the HTML elements in the page
- JavaScript can change all the HTML attributes in the page
- JavaScript can change all the CSS styles in the page
- JavaScript can remove existing HTML elements and attributes
- JavaScript can add new HTML elements and attributes
- JavaScript can react to all existing HTML events in the page
- JavaScript can create new HTML events in the page
The DOM-Based Cross-Site Scripting is vulnerability which appears in document object model instead of html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.
The DOM-Based XSS exploits these problems on user’s local machines in this way:
– The attacker creates a well built malicious website
– The ingenious user opens that sites
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page execute that commands with the user’s privileges on that machine.
– The attacker easily gain control on the victim computer.
Example:
The following screenshot is an example of a web application server that is affect with DOM based XSS attack. The web application let you to choose the following language and will execute through URL.
http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English
Attacker will add malicious script inside URL
http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(“you have been hacked”);</script>
The major difference between DOM XSS and Reflected or Stored XSS flaw is that it cannot be stopped by server-side filters because anything written after the “#” (hash) will never forward to the server.
Source: https://www.w3schools.com/js/
https://www.acunetix.com/websitesecurity/cross-site-scripting/
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Source: www.hackingarticles.in