Disclaimer: This post is for research and educational purposes only. I do not take any responsibility for actions taken by readers of this article. Never attempt to hack a device for which you do not have the required permissions.

I was always interested in hacking web applications, but never got around to it. Personally, I don’t really like web development that much. Anyway, it’s about time I got my hands into web hacking; I might even try bug bounty someday.

What is Cross Site Scripting (XSS)?

Cross-site scripting (XSS) is a code injection attack that enables an attacker to execute JavaScript in another user’s browser. The attacker does not target the victim directly. Instead, he/she exploits a flaw in a website that the victim visits, injecting JS code into it. The injected code appears to be a legitimate part of the website. The end user’s browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. Such scripts can even rewrite the content of the HTML page.

If an attacker can use your website to execute arbitrary JavaScript in another user’s browser, the security of your website and its users has been compromised.


How does Cross Site Scripting (XSS) work?

Let us do a fun exercise. First try it here on your own, if you can’t, then come back here and look at the solution.

Our job is to inject JS code which creates a popup.

We can do that by injecting this piece of code into the search bar or any other entry point:

<script>alert("POP")</script>

and when I enter that in the search box, this happens:

As you can see, I made the website do something it wasn’t supposed to do by injecting code into it.

How can Cross Site Scripting (XSS) be harmful?

An attacker who exploits a cross-site scripting vulnerability is typically able to:

  • Impersonate the victim user by stealing their cookies and session ID.
  • Perform crypto mining.
  • Obtain the user’s geo-location.
  • Redirect the user to another web page.
  • Carry out any action that the user is able to perform.
  • Read any data that the user is able to access.
  • Inject key loggers.
  • Capture the user’s login credentials by phishing.
  • Deface the web site.
  • Inject malware into the web site.

Now that you have a basic understanding of how cross-site scripting works and what its effects are, we will move on to the different types of cross-site scripting.

Reflected Cross Site Scripting (XSS)

Reflected cross-site scripting (XSS) attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim’s browser. The script is activated through a link that sends a request to a website with a vulnerability enabling execution of malicious scripts. The vulnerability is typically the result of incoming requests not being validated properly. This type of XSS isn’t as dangerous as the others on the list, but it is still a major security issue for the website’s users.

Basically, this type of attack only affects the user and not the website itself. The mini exercise you did earlier was an example of reflected cross-site scripting. If you refresh the page, the alert will not be there anymore, since it only affects the user and is not stored on the server.

So how do attackers use this vulnerability to their advantage?

Normally, they attach the malicious script at the end of the URL. Then they use link shortening services to mask the <script> tags, so that the target is not alerted by seeing a really long URL. That being said, for the attack to be successful, the user needs to click on the malicious link.

In the figure above, an attacker sends the victim a URL with malicious JS embedded in it. For illustration purposes, <script>document.cookie</script> will return your cookie data and session ID; this sensitive data is then sent back to the attacker’s server. So when the victim clicks on the link, he automatically requests the website to send his cookie information, and as the information is returned to the victim, it is also redirected back to the attacker. Now the attacker can impersonate the victim on that particular website.
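The cookie read described above only works if the session cookie is exposed to JavaScript at all. Cookies set with the HttpOnly attribute are never returned by document.cookie, and Secure and SameSite further limit where the cookie is sent. The following is an added example, not code from the original post, that audits Set-Cookie header values for those three attributes. The header values and the cookie name "session" are constructed samples, and the function names are my own.

```javascript
// Added example (not from the original post): check the attributes on a
// Set-Cookie header that limit what an injected script can do with the cookie.
// Header values below are constructed samples, not taken from any real site.

// Parse one Set-Cookie header value into its cookie name and a map of
// attribute-name (lower-cased) to value (or true for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    attrs[k.trim().toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name: name.trim(), attrs };
}

// Report which protections a session cookie is missing.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie');
  }
  if (!attrs.secure) {
    findings.push('missing Secure: sent over plain HTTP');
  }
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!ss || ss === 'none') {
    findings.push('SameSite not Lax/Strict: sent on cross-site requests');
  }
  return { name, findings };
}

// Constructed sample headers: one weak, one hardened.
const WEAK_COOKIE = 'session=abc123; Path=/';
const HARDENED_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSessionCookie(WEAK_COOKIE));
  console.log(auditSessionCookie(HARDENED_COOKIE));
}
```

With the weak header the audit reports all three findings; with the hardened one it reports none. HttpOnly does not stop an injected script from sending requests on the user's behalf while the page is open, so it is a limit on the damage, not a fix for the injection itself.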

There are two common ways of launching a reflected XSS attack:

  • The attacker targets a specific individual: the attacker sends the malicious URL to the victim via e-mail or instant messaging and tricks him/her into visiting it.
  • The attacker targets a large group of people: the attacker publishes a link to the malicious URL on his own website or on a social network, and waits for people to click it.

Now let’s see a few more examples:

1) Low Security

In the above figure, we are going to insert

<script>alert("Hacked")</script>

into the search bar.

This is the output:

Therefore it has an XSS vulnerability.

2) Medium Security

Now let’s try the same piece of code here. This is the output we get:

It seems that our input is being sanitized, so let’s try something creative. This time we will use a nested script tag. Our code will be

<scr<script>ipt>alert("Hacked Again")</script>

Therefore it has an XSS vulnerability.

3) High Security

We really need to get creative here, because our previous techniques won’t work anymore.

So this is what we are going to do:

<img src=x onMouseOver=alert("HACKER")>

Now whenever we move our mouse over the image area next to "hello", we get a pop-up.

Therefore it has an XSS vulnerability.
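The three levels above show why filtering known-bad strings out of the input does not fix a reflected XSS: the Medium filter strips "<script>" once, so the nested payload survives, and an image tag with an event handler never contained "<script>" in the first place. The fix is on the output side: encode the reflected value for the HTML context it lands in. The following is an added example, not code from the original post or from the application used in the screenshots. It models the Low and Medium behaviour with small functions of my own (the real application's code is not shown on the page), adds a hardened renderer, and runs the page's three payloads through each. The containsActiveMarkup check is a regex approximation used only for this demonstration, not a substitute for testing in a browser.

```javascript
// Added example (not from the original post): three ways a server could echo
// the search term, and what each does with the three payloads from the page.
// renderLow / renderMediumFilter are my own models of the Low and Medium
// behaviour, not the real application's code.

// Level "Low" model: the search term is concatenated into the HTML untouched.
function renderLow(term) {
  return `<p>Hello ${term}</p>`;
}

// Level "Medium" model: a blacklist that removes the literal "<script>" once.
// This is the kind of filter the nested-tag payload defeats.
function renderMediumFilter(term) {
  return `<p>Hello ${term.replace('<script>', '')}</p>`;
}

// Hardened: output encoding for an HTML text context. Every character that
// can open or close a tag or attribute becomes an entity, so the browser
// renders text and never parses markup from the reflected value.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}
function renderEscaped(term) {
  return `<p>Hello ${escapeHtml(term)}</p>`;
}

// Crude check used only in this example: does the rendered HTML still contain
// a script element or an element with an on* event-handler attribute?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed copies of the three payloads used in the exercises above.
const PAYLOADS = {
  low: '<script>alert("Hacked")</script>',
  medium: '<scr<script>ipt>alert("Hacked Again")</script>',
  high: '<img src=x onMouseOver=alert("HACKER")>',
};

// For each renderer, report which payloads still yield executable markup.
function survey() {
  const renderers = {
    low: renderLow,
    mediumFilter: renderMediumFilter,
    escaped: renderEscaped,
  };
  const result = {};
  for (const [rname, render] of Object.entries(renderers)) {
    result[rname] = {};
    for (const [pname, payload] of Object.entries(PAYLOADS)) {
      result[rname][pname] = containsActiveMarkup(render(payload));
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(survey());
}
```

Running it shows the Low model passing all three payloads through, the Medium model stopping only the plain script tag (stripping "<script>" from the nested payload reassembles a working tag, and the img payload is untouched), and the escaped renderer neutralising all three. Note that escapeHtml is only correct for values placed in HTML text or in quoted attribute values; a value reflected inside a script block, a URL, or CSS needs the encoding for that context instead.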

I hope you learnt something from this guide today. In due time, I will be uploading Part 2, which will cover Persistent XSS and DOM XSS.