TryHackMe: XSS
JavaScript for XSS In web browser, go Inspect Element, then go to Console. Let’s review and try some essential JavaScript functions: Alert: You can use the alert() function to display a JavaScript alert in a web browser. Try alert(1) or alert('XSS') (or alert("XSS")) to display an alert box with the number 1 or the text XSS. alert(document.cookie) to display cookie. Console log: Similarly, you can display a value in the browser’s JavaScript console using console.log(). Try the following two examples in the console log: console.log(1) and console.log("test text") to display a number or a text string. Encoding: The JavaScript function btoa("string") encodes a string of binary data to create a base64-encoded ASCII string. This is useful to remove white space and special characters or encode other alphabets. The reverse function is atob("base64_string"). Types of XSS Reflected XSS: This attack relies on the user-controlled input reflected to the user. For instance, if you search for a particular term and the resulting page displays the term you searched for (reflected), the attacker would try to embed a malicious script within the search term. Stored XSS: This attack relies on the user input stored in the website’s database. For example, if users can write product reviews that are saved in a database (stored) and being displayed to other users, the attacker would try to insert a malicious script in their review so that it gets executed in the browsers of other users. DOM-based XSS: This attack exploits vulnerabilities within the Document Object Model (DOM) to manipulate existing page elements without needing to be reflected or stored on the server. This vulnerability is the least common among the three. XSS Causes 1. Insufficient Input Validation & Sanitization Web applications accept user input (e.g., forms) and dynamically generate HTML pages. Without proper sanitization, malicious scripts can be embedded and executed. 2. Lack of Output Encoding Special characters like , ", ', and & must be encoded in HTML. JavaScript-specific escaping is required for ', ", and \. Failure to encode output leads to XSS vulnerabilities. 3. Improper Use of Security Headers Content Security Policy (CSP) mitigates XSS by restricting script sources. Misconfigured CSP (e.g., unsafe-inline, unsafe-eval) allows attackers to execute scripts. 4. Framework & Language Vulnerabilities Older frameworks lacked built-in XSS protections. Modern frameworks auto-escape user input but must be kept updated. 5. Third-Party Libraries External libraries can introduce XSS vulnerabilities, even in secure applications. XSS Implications 1. Session Hijacking Attackers can steal session cookies and impersonate users. 2. Phishing & Credential Theft XSS enables fake login prompts to steal user credentials. 3. Social Engineering Attackers can create fake pop-ups or alerts on trusted websites. 4. Content Manipulation & Defacement Attackers can modify web pages, damaging a company’s reputation. 5. Data Exfiltration XSS can extract sensitive user data (e.g., financial or personal information). 6. Malware Installation Drive-by downloads can install malware through XSS exploits. By implementing proper input validation, output encoding, security headers, and secure coding practices, developers can reduce the risk of XSS attacks.
JavaScript for XSS
In web browser, go Inspect Element, then go to Console.
Let’s review and try some essential JavaScript functions:
-
Alert: You can use the
alert()function to display a JavaScript alert in a web browser. Tryalert(1)oralert('XSS')(oralert("XSS")) to display an alert box with the number 1 or the text XSS.alert(document.cookie)to display cookie. -
Console log: Similarly, you can display a value in the browser’s JavaScript console using
console.log(). Try the following two examples in the console log:console.log(1)andconsole.log("test text")to display a number or a text string. -
Encoding: The JavaScript function
btoa("string")encodes a string of binary data to create a base64-encoded ASCII string. This is useful to remove white space and special characters or encode other alphabets. The reverse function isatob("base64_string").
Types of XSS
- Reflected XSS: This attack relies on the user-controlled input reflected to the user. For instance, if you search for a particular term and the resulting page displays the term you searched for (reflected), the attacker would try to embed a malicious script within the search term.
- Stored XSS: This attack relies on the user input stored in the website’s database. For example, if users can write product reviews that are saved in a database (stored) and being displayed to other users, the attacker would try to insert a malicious script in their review so that it gets executed in the browsers of other users.
- DOM-based XSS: This attack exploits vulnerabilities within the Document Object Model (DOM) to manipulate existing page elements without needing to be reflected or stored on the server. This vulnerability is the least common among the three.
XSS Causes
1. Insufficient Input Validation & Sanitization
- Web applications accept user input (e.g., forms) and dynamically generate HTML pages.
- Without proper sanitization, malicious scripts can be embedded and executed.
2. Lack of Output Encoding
- Special characters like
<,>,",', and&must be encoded in HTML. - JavaScript-specific escaping is required for
',", and\. - Failure to encode output leads to XSS vulnerabilities.
3. Improper Use of Security Headers
- Content Security Policy (CSP) mitigates XSS by restricting script sources.
-
Misconfigured CSP (e.g.,
unsafe-inline,unsafe-eval) allows attackers to execute scripts.
4. Framework & Language Vulnerabilities
- Older frameworks lacked built-in XSS protections.
- Modern frameworks auto-escape user input but must be kept updated.
5. Third-Party Libraries
- External libraries can introduce XSS vulnerabilities, even in secure applications.
XSS Implications
1. Session Hijacking
- Attackers can steal session cookies and impersonate users.
2. Phishing & Credential Theft
- XSS enables fake login prompts to steal user credentials.
3. Social Engineering
- Attackers can create fake pop-ups or alerts on trusted websites.
4. Content Manipulation & Defacement
- Attackers can modify web pages, damaging a company’s reputation.
5. Data Exfiltration
- XSS can extract sensitive user data (e.g., financial or personal information).
6. Malware Installation
- Drive-by downloads can install malware through XSS exploits.
By implementing proper input validation, output encoding, security headers, and secure coding practices, developers can reduce the risk of XSS attacks.
