
Read: Class 36 XSS with w3af, DVWA

Sérgio Charruadas edited this page Jul 14, 2023 · 1 revision

Based on the following articles:

Cross-site scripting

Explain how a cross-site scripting attack works in non-technical terms.

A cross-site scripting attack works by tricking a vulnerable website into sending malicious JavaScript code to an unsuspecting user, which then executes in the context of that user's account on the website. A hacker creates a link with malicious JavaScript code embedded in it and then tricks a user of the vulnerable website into clicking that link, perhaps by posting it on a message board or in an email that looks legitimate. When the user clicks the link, it takes them to the vulnerable website that they are already logged into. Due to a vulnerability in the website, it unknowingly sends the user a webpage that contains the hacker's malicious JavaScript code. The user's browser then executes that JavaScript code, but because the user is logged into the website, the JavaScript executes in the context of the user's account on the website. The JavaScript can now do harmful things like steal the user's data, change their settings, make purchases, or anything else the user's account has permission to do on the website. Essentially, the hacker has hijacked the user's session and can now take actions on the website impersonating the compromised user.

What are the three types of XSS attacks?

  • Reflected XSS uses input provided by the attacker in the current request.
  • Stored XSS uses input stored somewhere on the vulnerable website, such as in a database.
  • DOM-based XSS happens when client-side JavaScript processes input from an untrusted source in an unsafe way.

If an attacker successfully exploits an XSS vulnerability, what malicious actions would they be able to perform?

  • Impersonate the victim user to access the victim's data and account settings.
  • Steal the victim's authentication cookies or session tokens.
  • Change data belonging to the victim.
  • Perform unauthorized actions within the website on behalf of the victim.

What are some security controls that can be implemented to prevent XSS attacks?

  • Strictly filtering all input to the website to allow only expected data.
  • Encoding all output from the website to render the input harmless. The type of encoding depends on where the input is being displayed.
  • Using HTTP headers like X-Content-Type-Options to ensure browsers interpret responses as intended.
  • Implementing a Content Security Policy that disallows the execution of untrusted JavaScript.
  • Reviewing JavaScript code for DOM-based XSS issues and encoding all data accessed by JavaScript.
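To make the second control concrete (the encoding has to match the context the input lands in), here is an added example, not code from the reading or from DVWA: a DVWA-style reflected "search" page rendered once by raw concatenation and once with a per-context encoder. The function names and the `query` parameter are assumptions for illustration.

```javascript
// Added example: context-aware output encoding for a reflected parameter.
// The same untrusted string needs a different encoder depending on whether
// it lands in element text, a quoted attribute, or a JavaScript string.

// HTML element-text context: escape the five significant characters.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Double-quoted attribute context: the same escaping is sufficient, but only
// because the template below always wraps the value in double quotes.
function encodeForAttribute(s) {
  return encodeForHtml(s);
}

// JavaScript string-literal context: hex-escape everything outside [A-Za-z0-9],
// so neither a quote nor "</script>" can terminate the literal or the element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Vulnerable rendering (the pattern DVWA's reflected XSS page exhibits):
// the parameter is concatenated into the response untouched.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: each placeholder uses the encoder for its own context.
function renderSafe(query) {
  return [
    `<p>Results for: ${encodeForHtml(query)}</p>`,
    `<input type="text" name="q" value="${encodeForAttribute(query)}">`,
    `<script>var lastQuery = "${encodeForJsString(query)}";</script>`,
  ].join("\n");
}

// Constructed sample input: the classic tag-breakout probe.
const SAMPLE_QUERY = '"><img src=x onerror=alert(1)>';

console.log(renderUnsafe(SAMPLE_QUERY)); // the <img> tag reaches the browser intact
console.log(renderSafe(SAMPLE_QUERY));   // every placeholder shows it as inert text
```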

Things I want to know more about
