In this article, we will talk about a web security vulnerability called XSS: its causes, how to exploit it, and how to prevent it.
Things You Can Do Using the XSS Vulnerability
- You can steal cookie data.
- The website can be linked to another website.
- You can run harmful code from different servers.
- It can work as a keylogger.
XSS vulnerabilities are divided into 3 types:
- Reflected XSS: This type of XSS is temporary because the website's database won't store the inputs (malicious code) used by the attacker.
- Stored XSS: In this type, the inputs (the malicious code) are stored in the database, so the code runs each time the website is viewed.
- DOM (Document Object Model) XSS: This one is a little different: the whole process happens on the client side. The difference is that the main server will not be aware of this attack.
XSS Exploitation Techniques
To exploit this vulnerability, we use malicious code called payloads. Let’s look at the examples now.
1- Reflected XSS:
As you can see, there’s an input area on the website. First, let’s give a value to the input area and see what happens. I’ll write “kernelblog” as an example.
The value I used is printed now. As you can see, it says there are no results for “kernelblog”. Now let’s enter malicious code (a payload) in the input area.
After I enter the malicious code, I click the search button and an alert box comes up from the website. This alert box means that there’s an XSS vulnerability in this website.
2- Stored XSS:
Now we have a forum page on our hands. Here, our input area is the comments section. Let’s start by posting a comment.
After that, let’s select our comment and click “examine”.
As you can see, our comment is now in the source code of the website, and anybody who visits the website can see it. That’s why, if we can run malicious code here, this will be stored XSS: the database will store the value we give it. Now let’s send our malicious code as a comment here.
But after I did this, I only saw an empty comment block, and no alert box came up either. Assuming that this code has been blocked in the comment section, I’ll delete a part of it. Then we’ll try another code.
The payload you see above is actually incomplete. By sending this part of the code, I just want to see if the rest of it works. Let’s send it as a comment.
As you can see, with the payload we sent, a shapeless image appeared in the comment section. It looks that way because of the code. Now that we have confirmed this part works, let’s finish the malicious code.
I’m writing the malicious code and sending it as a comment.
And we got the alert box we want!
3- DOM XSS:
Now we’re looking at a site with images. But even if I go to other images, I can’t see an input area. Fortunately, there’s something else worth looking into here, which is the URL. I see a # mark in the URL, and I’m wondering whether I can use DOM XSS on this page. First of all, let’s try putting malicious code at the end of the URL and see what happens.
Let’s press enter.
We didn’t get an alert box this time, let’s try the other code then.
We didn’t get an alert box again. The information I’ll be giving you next is a bit detailed. I’ll write about it in another article, where I talk about making payloads for XSS vulnerabilities and WAF bypassing. For now, I’ll only talk about it briefly.
I tried two different payloads, but neither of them worked. Let’s try putting an apostrophe (‘) at the start of the second payload.
As you can see, we got the alert box we were looking for.
Ways to Prevent XSS Vulnerability
- You can use the blacklist method. For example, you can blacklist characters such as < , > , / , = which are used in exploiting XSS vulnerabilities.
- A whitelist can also be used. With this method, only the data you need is let through.
- You should use a WAF.
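
The blacklist and whitelist methods above, applied to the search box from the reflected XSS example. This is an added example, not code from the original article: the function names, the whitelist pattern and the sample inputs are assumptions, and the HTML-encoding step at output is an addition that the list above does not mention.

```python
import html
import re

# The characters the article suggests blacklisting.
BLACKLIST = set("<>/=")

# Assumed whitelist policy for a search box: letters, digits, space,
# underscore, dot and hyphen, 1 to 64 characters.
SEARCH_WHITELIST = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def passes_blacklist(value):
    """True when the value contains none of the blacklisted characters."""
    return not any(ch in BLACKLIST for ch in value)


def passes_whitelist(value):
    """True only when every character is explicitly allowed."""
    return SEARCH_WHITELIST.fullmatch(value) is not None


def render_no_results(term):
    """Echo the term as text: html.escape encodes < > & and both quotes."""
    return f'<p>No results for "{html.escape(term, quote=True)}"</p>'


def handle_search(term):
    """Hypothetical handler: validate with the whitelist, then encode."""
    if not passes_whitelist(term):
        return 400, "<p>Invalid search term</p>"
    return 200, render_no_results(term)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    for term in ["kernelblog", "<b>kernelblog</b>", "'kernelblog\""]:
        print(repr(term), passes_blacklist(term), passes_whitelist(term),
              handle_search(term))
```

The third sample input passes the blacklist because quote characters are not on it, while the whitelist rejects it and the encoding step would render it as plain text either way.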