X(SS) Gon Give It To Ya

My Personal XSS Notes

Posted by Siddharth Balyan on October 30, 2020 · 4 mins read

Reflected XSS

Reflected XSS Xplained

Arises when an application receives data in an HTTP request and includes it in the response in an unsafe way. An attacker can inject a script into a query parameter and then share the resulting URL.

https://ac751fca1eecafd88054d23b00ec00bf.web-security-academy.net/?search=TEST

?search=TEST results in the application echoing TEST back in the page heading.

Since the search query is displayed on the page as <h1>1 search results for 'TEST'</h1>, searching for <script>alert(1)</script> makes the response contain

<h1>1 search results for '<script>alert(1)</script>'</h1>

and the browser executes the script, generating an alert.

The search query also appears in the URL (https://ac751fca1eecafd88054d23b00ec00bf.web-security-academy.net/?search=TEST), meaning that one can craft a URL carrying an XSS payload and share it with a victim.

Impact

Since the attacker controls the script, it runs in the victim's browser with the victim's session, so the attacker can perform any action the victim can perform and read any data the victim can see. To deliver the attack, the link can be placed on websites, in tweets, in emails, etc.

It is generally less impactful than stored XSS because it needs an external delivery mechanism and the victim has to follow the crafted link.

How to find XSS

  • Test every entry point in the application's HTTP requests. This includes URL query and body parameters, other data carried in the request (headers, cookies), and the URL file path.
  • Submit a short random alphanumeric string (around 8 characters) so you can find it again, and determine whether the value is reflected in the response.
  • Determine the reflection context: between HTML tags, inside an attribute value, inside a JavaScript string, etc.
  • Test a candidate payload for that context using Burp Repeater.
  • Confirm the attack in a browser.
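As an added example (not from the original post), the following Python models steps 2 and 3 of that list offline: it plants a canary, locates which HTML context the canary comes back in, and then checks which of the characters <>"' survive a second request carrying the canary plus those characters. The responses are constructed samples standing in for a real target, and the canary value is fixed so the output is reproducible; in practice you would call make_canary() per test and pull the response with your HTTP client of choice.

```python
import secrets
import string
from html.parser import HTMLParser

# Hypothetical canary, fixed here so the constructed responses below are reproducible;
# make_canary() is what you would actually call before each test.
CANARY = "qz7k3m1x"
PROBE_CHARS = '<>"\''          # characters that decide whether a reflection is exploitable
PROBE = CANARY + PROBE_CHARS   # second request: the canary followed by those characters

# Constructed responses standing in for what a target might return (not real captures).
SAMPLE_TEXT = "<html><body><h1>1 search results for '" + PROBE + "'</h1></body></html>"
SAMPLE_ATTR = ('<form><input type="text" name="search" value="'
               + CANARY + "&lt;&gt;&quot;'" + '"></form>')
SAMPLE_SCRIPT = '<script>var query = "' + PROBE + '";</script>'
SAMPLE_STRIPPED = "<h1>1 search results for '" + CANARY + "\"'" + "'</h1>"  # < and > removed
SAMPLE_NONE = "<h1>0 search results</h1>"

# How each probe character may come back once the application encodes it.
ENCODINGS = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def make_canary(length=8):
    """Random lower-case alphanumeric string that will not occur naturally in a page."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class _Locator(HTMLParser):
    """Records every context (text, attribute, script/style block, comment) holding the canary."""

    def __init__(self, canary):
        super().__init__(convert_charrefs=False)
        self.canary = canary
        self.contexts = []
        self._raw_tag = None  # set while inside <script>/<style>, whose content is not HTML

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:  # attribute values arrive with entities already decoded
            if value and self.canary in value:
                self.contexts.append(f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        if self.canary in data:
            self.contexts.append(f"{self._raw_tag} block" if self._raw_tag else "html text")

    def handle_comment(self, data):
        if self.canary in data:
            self.contexts.append("html comment")


def locate_reflection(response, canary):
    """Steps 2 and 3 of the checklist: is the canary reflected, and in which context(s)?"""
    parser = _Locator(canary)
    parser.feed(response)
    parser.close()
    return parser.contexts


def surviving_metachars(response, canary):
    """For a response to PROBE, classify each probe char as raw, encoded or missing.
    Only the first occurrence of the canary is examined; None if it is absent."""
    pos = response.find(canary)
    if pos < 0:
        return None
    pos += len(canary)
    lowered = response.lower()  # tolerate &LT; and &#X3C; style spellings
    verdict = {}
    for ch in PROBE_CHARS:
        if response.startswith(ch, pos):
            verdict[ch] = "raw"
            pos += 1
            continue
        for enc in ENCODINGS[ch]:
            if lowered.startswith(enc, pos):
                verdict[ch] = "encoded"
                pos += len(enc)
                break
        else:
            verdict[ch] = "missing"  # filter dropped it; the next char starts at the same pos
    return verdict


if __name__ == "__main__":
    for label, page in [("text", SAMPLE_TEXT), ("attribute", SAMPLE_ATTR), ("script", SAMPLE_SCRIPT),
                        ("stripped", SAMPLE_STRIPPED), ("none", SAMPLE_NONE)]:
        print(f"{label:9} {locate_reflection(page, CANARY)} {surviving_metachars(page, CANARY)}")
```

The two results together tell you which payload family to try in Repeater: raw angle brackets in an HTML text context mean a plain tag will do, an attribute context with quotes encoded means you have to break out some other way, and "missing" characters mean a filter is in play and needs evading rather than encoding.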

Example 1: DVWA

Easy

Try the payload <script>alert("XSS")</script>.

The input is rendered unencoded inside <pre> tags, so a plain <script> block is interpreted and run by the browser. gg Ez.

Medium

Trying the same payload <script>alert("XSS")</script> no longer produces an alert.

The <script> tags have been stripped from the output by a server-side filter (a blacklist on the string <script> rather than a real WAF, but the evasion approach is the same). There are plenty of resources online for bypassing such filters; the basic methodology is to try different tags, attributes, encodings and combinations until one gets through.

OWASP XSS Filter Evasion Cheatsheet

Trying <a> and <img> tags instead shows they are not stripped, so the filter is targeting <script> tags specifically. Where the filter sits (client side or server side) and how it matches also determine how much security it actually provides.

Try <scRipt>alert("XSS")</scrIpT> and boom, you get an alert: the filter matches the tag name case-sensitively, but the browser's HTML parser treats tag names case-insensitively.
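To make that filter behaviour concrete, here is an added Python model (not DVWA's own PHP, and not part of the original post) of the medium-level filter as a case-sensitive removal of the literal string <script>, alongside the two payloads above and the proper fix, output encoding. The executes_script check is a crude stand-in for the browser that only looks for a <script start tag, and the nested payload is an extra case added here to show that even a case-insensitive version of the same single-pass blacklist is still bypassable.

```python
import html
import re

# Payloads from the walkthrough above, plus one more (nested) that abuses the same weakness.
PAYLOAD_PLAIN = '<script>alert("XSS")</script>'
PAYLOAD_CASE = '<scRipt>alert("XSS")</scrIpT>'
PAYLOAD_NESTED = '<scr<script>ipt>alert("XSS")</script>'  # one removal pass leaves <script>


def medium_filter(name):
    """Model of the medium level: case-sensitive removal of the literal string '<script>'."""
    return name.replace("<script>", "")


def case_insensitive_filter(name):
    """The obvious 'fix' to the blacklist: stops the case trick, but is still single-pass."""
    return re.sub(r"<script>", "", name, flags=re.IGNORECASE)


def render_filtered(name, filt=medium_filter):
    """Vulnerable rendering: run the blacklist, then paste the result into the page unencoded."""
    return f"<pre>Hello {filt(name)}</pre>"


def render_encoded(name):
    """Safe rendering for an HTML text context: no blacklist, just HTML-encode the output."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def executes_script(page):
    """Crude stand-in for the browser: a <script ...> start tag in any letter case will run.
    Good enough for the rendered outputs tested here; it does not parse arbitrary HTML."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    renderers = [("medium", render_filtered),
                 ("ci-filter", lambda p: render_filtered(p, case_insensitive_filter)),
                 ("encoded", render_encoded)]
    for label, payload in [("plain", PAYLOAD_PLAIN), ("case", PAYLOAD_CASE), ("nested", PAYLOAD_NESTED)]:
        for fname, renderer in renderers:
            page = renderer(payload)
            print(f"{label:7} {fname:10} alert={executes_script(page)!s:5} {page}")
```

The takeaway is the one the cheatsheet makes at length: removing known-bad strings is a losing game, because the attacker only needs one spelling the blacklist does not know about, while encoding the output for the context it lands in neutralises every variant at once.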


Stored XSS

Stored XSS Xplained

Stored XSS (also called second-order or persistent XSS) arises when an application receives data from an untrusted source, stores it, and later includes that data in its HTTP responses in an unsafe way. The received data is therefore served to other users, not merely reflected back to whoever sent it.

Impact

The attacker controls a script that executes in the browser of every victim who visits the page where the stored XSS lies. This lets the attacker carry out all the actions described under the impact of reflected XSS.

In stored XSS, the attack is self-contained within the application itself. Users don't need to be induced into following a crafted link; the exploit stays on the website and fires whenever the affected page is viewed.

Contexts

Depending on whether and where the web app validates or filters input, the working payload varies. A client-side filter (JavaScript running in the page) can be sidestepped entirely by sending the request directly, e.g. from Repeater, whereas a server-side filter has to be evaded with a payload it does not recognise, as in the DVWA medium level above.