From charlesreid1


Revision as of 21:36, 13 April 2022

Overview

Cheat Sheet

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Types of Cross Site Scripting

There are three main types of XSS attacks. These are:

  • Reflected XSS - the script comes from the current HTTP request
  • Stored XSS - the script comes from the website's database
  • DOM-based XSS - the script is injected client-side rather than server-side

Notes

Basic Reflected XSS Attack

An example of a reflected XSS attack would be a page that accepts input from a URL parameter, and dynamically inserts it in the page without any additional processing.

An example might be a "message" parameter in a URL that is used to display a greeting on a page.

https://insecure-website.com/status?message=All+is+well.

This could be attacked like so:

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>

Basic Stored XSS Attack

An example of a stored XSS vulnerability would be a message board application. Users can submit messages that will be stored in a database, and those messages will be retrieved and displayed for other users. If the application does not do any additional processing, a malicious user could submit a message with the contents

<script>/* Bad stuff here... */</script>

and that Javascript would be executed in the browser of anyone viewing that message.

Basic DOM-Based XSS Attack

DOM-based XSS occurs when an application contains client-side Javascript code that is processing untrusted data in an unsafe way.

An example of this would be an application with Javascript code that reads a value from an input field, and uses that value without processing it to populate other DOM elements on the page.

An example might be:

var search = document.getElementById('search').value;   // untrusted source: whatever is in the input field
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;      // sink: innerHTML parses the value as HTML markup

The attacker must be able to control the input field's value. If they do, they can provide a value that consists of HTML tags that will execute malicious Javascript code.

This attack usually takes the form of an input field whose value comes from the URL. Then the attacker can deliver the attack by getting the victim to visit the URL - similar to reflected XSS.
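The following is an added example, not code from the original wiki page, covering both the reflected/stored cases (the "message" parameter and the stored message board post) and the DOM-based case above. It shows the vulnerable pattern next to its hardened form: HTML-encoding the untrusted value before it is concatenated into markup on the server side, and using textContent instead of innerHTML on the client side. It runs under Node.js; the URL, the makeElement() stand-in for a DOM node, and the sample payload (which reuses the page's own placeholder script) are constructed for this example.

```javascript
// Added example (not from the original page): output encoding and safe DOM
// sinks as the defence for the XSS cases described above. Runs in Node.js.

// Encode the characters that change meaning in HTML text and attribute
// context, so untrusted data is rendered as text rather than parsed as markup.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// --- Reflected / stored case: the server builds HTML from untrusted data ---
// Vulnerable: the "message" URL parameter is concatenated straight into the
// response body. The same flaw applies when a stored message board post is
// rendered without encoding.
function statusPageUnsafe(url) {
  const message = new URL(url).searchParams.get('message') ?? '';
  return '<p>' + message + '</p>';
}

// Hardened: identical page, but the parameter is HTML-encoded at the point
// where it is inserted into markup.
function statusPageSafe(url) {
  const message = new URL(url).searchParams.get('message') ?? '';
  return '<p>' + escapeHtml(message) + '</p>';
}

// --- DOM-based case: client-side code copies an input value into the page ---
// Constructed stand-in for a DOM element so the example runs without a
// browser. In a real browser, assigning innerHTML parses the string as HTML,
// while assigning textContent always renders it literally.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable: the page's own pattern, untrusted value into innerHTML.
function showResultsUnsafe(search, results) {
  results.innerHTML = 'You searched for: ' + search;
  return results;
}

// Hardened: textContent treats the value as data, so any tags in it are
// displayed as text and never executed.
function showResultsSafe(search, results) {
  results.textContent = 'You searched for: ' + search;
  return results;
}

// Constructed sample input, reusing the placeholder payload the page uses.
const SAMPLE_PAYLOAD = '<script>/* Bad stuff here... */</script>';
const SAMPLE_URL =
  'https://insecure-website.com/status?message=' + encodeURIComponent(SAMPLE_PAYLOAD);

// Side-by-side demonstration; returns the rendered outputs for inspection.
function demo() {
  return {
    reflectedUnsafe: statusPageUnsafe(SAMPLE_URL),
    reflectedSafe: statusPageSafe(SAMPLE_URL),
    domUnsafe: showResultsUnsafe(SAMPLE_PAYLOAD, makeElement()).innerHTML,
    domSafe: showResultsSafe(SAMPLE_PAYLOAD, makeElement()).textContent,
  };
}

console.log(demo());
```

The encoding step belongs at the output boundary, where data becomes markup, not at input time: the same stored message may be rendered in several contexts, and encoding once on the way into the database gets the wrong answer for at least one of them. On the client side, preferring textContent (or the DOM's createElement/appendChild API) over innerHTML removes the sink entirely rather than relying on every caller to remember to encode.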