Intro to XSS
Basic JS functions that could be helpful
alert()
console.log()
btoa("string)
- encodes a string of binary data to create a base64-encoded ascii string
- good for removing white space and special characters or encode other alphabets
- the reverse function is
atob("base64_string)document.cookie→alert(document.cookie)
Types of XSS
- Reflected XSS
- relies on the user-controlled input reflected to the user i.e if you search for a particular term, the resulting page displays the term you searched for (reflected) and the attacker will embed a malicious script in the term
- Stored XSS
- user input stored in the website’s database
- e.g if users write reviews that are stored in the database, when displayed to other users, the attacker inserts a malicious script in their review that is executed on the browsers of other users
- DOM-based XSS
- exploits vulnerabilities within the documented object model (DOM) to manipulate existing page elements without needing to be reflected or stored on the server
- least common
What allows XSS to occur
- Insufficient input validation & sanitazation
- web apps that accept user data (e.g through forms) can result in malicious scripts being embedded and executed by the browsers
- Lack of output encoding
- Encode charafcters such as
<,>,",'and&for HTML and',",\for JS
- Encode charafcters such as
- improper use of security headers
- misconfigured CSP (Content Security Policy) or use of
unsafe-inlineorunsafe-evaldirectives can make it easier to execute XSS payloads
- misconfigured CSP (Content Security Policy) or use of
- framework and language vulnerabilities
- third party libraries
Results of XSS
- Session Hacking → stealing cookies allowing impersontion
- Phishing and credential theft
- a fake login prompt can be presented to users to acquire usernames and passwords
- social engineering → leading to malicious links
- content manipulation and defacement
- attacker might use XSS to change the website for other purposes such as inflicting damage on the company’s reputation
- Data exfiltration - accessing personal data anad financial information
- Malware installation - spreading malware by download
Reflected XSS
User input should be santized or HTML-encoded before being reflected in the website back to the user. For example
const express = require('express');
const app = express();
app.get('/search', function(req, res) {
var searchTerm = req.query.q;
res.send('You searched for: ' + searchTerm);
});
app.listen(80);The code above is not sanitised and if the query has a malicious query such as
<script>alert(document.cookie)</script>, then the attacker can get an alert box to
display the user’s cookie. Instead, we sanitize the search term
const express = require('express');
const sanitizeHtml = require('sanitize-html');
const app = express();
app.get('/search', function(req, res) {
const searchTerm = req.query.q;
const sanitizedSearchTerm = sanitizeHtml(searchTerm);
res.send('You searched for: ' + sanitizedSearchTerm);
});
app.listen(80);We’ve sanitized it and now it should be safe.
we can also use the escapeHtml() function to escape characters such as < , >, &, ", '.