Cross Site Scripting (XSS) Attack Tutorial with Examples, Types & Prevention
A Complete Guide to Cross-Site Scripting (XSS) Attack, how to prevent it, and XSS testing.
Cross-Site Scripting (XSS) is one of the most common web application attacks and one that every experienced tester knows. It is considered one of the riskiest attacks against web applications and can have serious consequences.
XSS is often grouped with other client-side attacks, since it is mostly carried out with client-side languages. It is considered riskier than many of them, however, because it can do damage even where the underlying technology is not itself considered vulnerable.
In this XSS attack tutorial, we give a complete overview of its types, tools, and preventive measures, with clear examples in simple terms for easy understanding.
Introduction to XSS Attack
A Cross-Site Scripting attack is an injection of malicious code that is executed in the victim’s browser. The malicious script may be stored on the web server and executed every time a user calls the affected functionality, or it may be delivered in other ways, without any script being stored on the server.
The main purpose of this attack is to steal other users’ identity data: cookies, session tokens, and similar information. In most cases it is used to steal another person’s cookies. Cookies are what let us log in automatically, so with stolen cookies an attacker can log in under the other user’s identity. This is one of the reasons why this attack is considered one of the riskiest.
How is XSS Being Performed?
A Cross Site Scripting attack means sending and injecting malicious code or a script. The malicious code is usually written in client-side languages such as JavaScript, HTML, VBScript, or Flash; JavaScript and HTML are the ones used most often.
This attack can be performed in different ways. Depending on the type of XSS attack, the malicious script may be reflected in the victim’s browser, or stored in the database and executed every time a user calls the affected function.
The root cause of this attack is inadequate validation of user input, which lets malicious input pass through into the output. A malicious user enters a script, which is injected into the website’s code, and the browser has no way to tell whether the code it executes is malicious or not.
As a result, the malicious script is executed in the victim’s browser, or a fake form is displayed to users. XSS attacks can take several forms.
Main forms of Cross Site Scripting are as follows:
- A malicious script executed on the client side.
- A fake page or form displayed to the user (where the victim types credentials or clicks a malicious link).
- Websites that display advertisements.
- Malicious emails sent to the victim.
The attack occurs when a malicious user finds the vulnerable parts of the website and supplies crafted input to them. The malicious script is injected into the page’s code and then delivered, as output, to the end user.
Types of Cross Site Scripting Attacks
The prime purpose of an XSS attack is to steal another person’s identity; as mentioned, this may be cookies, session tokens, and so on. XSS may also be used to display fake pages or forms to the victim. The attack itself can be performed in several ways.
It is divided into three main categories, as shown below:
#1) Reflected XSS – This attack occurs when a malicious script is not saved on the web server but is reflected back in the website’s response.
#2) Stored XSS – This attack occurs when a malicious script is saved on the web server permanently.
#3) DOM XSS – This occurs when the DOM environment is changed while the page’s code remains the same.
Let’s take an in-depth look at them.
#1) Reflected XSS
This occurs when the application returns the malicious code in its response right after it is entered. Reflected XSS code is not stored permanently; it is reflected back in a website response. The attack code can be carried in a crafted URL or in HTTP parameters.
It can affect the victim in different ways – by displaying a fake malicious page or by sending a malicious email.
#2) Stored XSS
This attack is considered riskier and causes more damage.
In this type of attack, the malicious code or script is saved on the web server (for example, in the database) and executed every time a user calls the affected functionality. In this way a stored XSS attack can affect many users. Also, because the script is stored on the web server, it affects the website for a longer time.
To perform a stored XSS attack, the malicious script is sent through a vulnerable input form (for example, a comment field or review field). The script is then saved in the database and executed on page load or when the affected function is called.
Consider a page that loads and displays the latest user opinion. The following script is typed into the opinion or comment field:
<script>alert(document.cookie)</script>
It is saved in the database and executed on page load, because the latest user opinion is displayed on the page. If the website is vulnerable to XSS, a popup window showing the cookies appears when the page loads. This script is simple and relatively harmless; a more harmful script could be entered in its place.
#3) DOM XSS
This type of attack occurs when the DOM environment is changed but the client-side code itself does not change. When the DOM environment is modified in the victim’s browser, the client-side code executes differently.
To better understand how a DOM XSS attack is performed, let us analyze the following example.
Consider a web page with the URL http://testing.com/book.html?default=1. Here “default” is a parameter and “1” is its value. To perform a DOM XSS attack, we would send a script as the parameter value.
For Example:
http://testing.com/book.html?default=<script>alert(document.cookie)</script>
In this example, the request for the page book.html?default=<script>alert(document.cookie)</script> is sent to testing.com. For that page the browser builds a DOM in which the document location object contains the following string:
http://testing.com/book.html?default=<script>alert(document.cookie)</script>
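The stored and DOM cases above share one fix: user-controlled text must be encoded before it is placed into markup. The following added example (not code from the original tutorial) renders the payload quoted above first through vulnerable string concatenation and then through an HTML-encoding step; the comment-rendering and option-rendering functions and the URL handling are assumptions made for illustration, and it runs in Node.js with no dependencies.

```javascript
// Added example, not code from the original tutorial: the tutorial's payload is
// rendered first by vulnerable string concatenation and then through an
// HTML-encoding output step. Runs in Node.js with no dependencies.

// Encode the five characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stored XSS: the latest opinion read from the database is placed into the page as-is,
// so a stored <script> tag runs in every visitor's browser on page load.
function renderLatestOpinionUnsafe(opinion) {
  return `<div class="opinion">${opinion}</div>`;
}

// Hardened: the opinion is output-encoded, so the browser shows the tag as text.
function renderLatestOpinionSafe(opinion) {
  return `<div class="opinion">${escapeHtml(opinion)}</div>`;
}

// DOM XSS: the "default" query parameter (book.html?default=1) is taken from the
// location and written into markup. In a browser this is the document.location ->
// document.write / innerHTML pattern; here the URL is passed in as a string.
function renderDefaultOptionUnsafe(href) {
  const value = new URL(href).searchParams.get("default") ?? "";
  return `<option selected value="${value}">${value}</option>`;
}

// Hardened: encode before building markup. In browser code prefer setting
// option.value and option.textContent over any string-to-HTML sink.
function renderDefaultOptionSafe(href) {
  const value = new URL(href).searchParams.get("default") ?? "";
  return `<option selected value="${escapeHtml(value)}">${escapeHtml(value)}</option>`;
}

// Constructed sample input: the payload and URL used in the tutorial.
const PAYLOAD = "<script>alert(document.cookie)</script>";
const ATTACK_URL = "http://testing.com/book.html?default=" + PAYLOAD;

console.log(renderLatestOpinionUnsafe(PAYLOAD));  // <script> survives: executes on page load
console.log(renderLatestOpinionSafe(PAYLOAD));    // &lt;script&gt;...: displayed, not executed
console.log(renderDefaultOptionUnsafe(ATTACK_URL));
console.log(renderDefaultOptionSafe(ATTACK_URL));
```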
How to Test Against XSS?
First, testing against XSS attacks can be performed as black box testing.
This means it can be tested without a code review. However, a code review is always a recommended practice and gives more reliable results. From my software testing experience, I would like to add that if a good black box testing technique is selected and performed accurately, then this should be quite enough.
When starting to test, a tester should consider which parts of the website are vulnerable to a possible XSS attack.
It is better to list them in a testing document, so that we can be sure nothing is missed. The tester should then plan which code or script inputs have to be checked in each field. It is important to know which results mean that the application is vulnerable, and to analyze the results thoroughly.
While testing for a possible attack, it is important to check how the application responds to the typed scripts: whether those scripts are executed or not, and so on.
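Recording what the application did with each probe is what turns these checks into reliable results. The following added example (not code from the original tutorial) classifies captured responses by whether a harmless marker came back raw, encoded, partially encoded, outside an HTML response, or not at all; the response shape { headers, body } and the sample responses are constructed for illustration.

```javascript
// Added example, not code from the original tutorial: a small evaluator a tester can
// run over captured responses to record what the application did with a probe string.
// The response shape { headers, body } and the sample responses below are constructed.

// An inert marker: unique enough to find, contains the characters that matter in HTML,
// and executes nothing even if it is reflected unchanged.
const PROBE = '<xsstest-7f3a>"\'';

// Classify one response as "unescaped" (reflected raw into HTML: vulnerable),
// "encoded" (output encoding applied), "partially-encoded" (angle brackets encoded but
// quotes left raw, which still breaks out of attribute values), "non-html" (echoed in a
// non-HTML response: check how the client uses it) or "stripped" (filtered or not reflected).
function classifyReflection(response, probe = PROBE) {
  const contentType = (response.headers["content-type"] || "").toLowerCase();
  const body = response.body;
  if (body.includes(probe)) {
    return contentType.startsWith("text/html") ? "unescaped" : "non-html";
  }
  // Quotes may be encoded several ways (&quot; &#34; &#39; &#x27;), so match on the tags only.
  const encodedTags = probe.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/["']/g, "");
  if (body.includes(encodedTags)) {
    return body.includes(encodedTags + '"\'') ? "partially-encoded" : "encoded";
  }
  return "stripped";
}

// Constructed sample responses, one per outcome the classifier distinguishes.
const SAMPLE_RESPONSES = {
  searchUnsafe:   { headers: { "content-type": "text/html; charset=utf-8" },
                    body: `<h2>Results for ${PROBE}</h2>` },
  searchEncoded:  { headers: { "content-type": "text/html" },
                    body: "<h2>Results for &lt;xsstest-7f3a&gt;&quot;&#39;</h2>" },
  attributeValue: { headers: { "content-type": "text/html" },
                    body: `<input value="&lt;xsstest-7f3a&gt;"'">` },
  plainText:      { headers: { "content-type": "text/plain" },
                    body: `Nothing found for ${PROBE}` },
  filtered:       { headers: { "content-type": "text/html" },
                    body: "<h2>Results for xsstest-7f3a</h2>" },
};

// Evaluate every captured response and return the findings as { name: outcome }.
function runChecks(responses = SAMPLE_RESPONSES) {
  const findings = {};
  for (const [name, response] of Object.entries(responses)) {
    findings[name] = classifyReflection(response);
  }
  return findings;
}

console.log(runChecks());
```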