Understanding XSS attack
Cross-Site Scripting (XSS) attack is one of the most important security risks in web applications described in the OWASP top ten. These faults occur when untrusted data without proper validation is inserted into an application. They use user’s input fields as entry points. The browser interprets this data as part of the application. Therefore, it’s constituted as a client-side attack. XSS allows attackers to execute scripts in the victim’s browser. This way it can hijack user sessions, destroy websites, direct the user to a malicious site, deny service, obtain confidential information, privilege escalation, etc.
To know more about secutiry risks in web applications, read OWASP: Top 10 Project for Applications Security
Non-persistent XSS attacks or reflected XSS do not store the malicious code on the server. It passes and presents it directly to the victim. It is the most popular method of XSS attack. The attack is launched from an external source, via email or a third party site.
The malicious code has already passed the barrier of the validation process and is stored in a data store. It can be any type of section of the website that requests input to the user a comment. Like a log file, a notification message, a script file, etc. When this particular information is presented on the website, the malicious code is executed.
DOM-based XSS is an advanced type of XSS attack. It takes place when the web application writes user-provided data to the Document Object Model (DOM) from the client-side scripts.
In reflective and stored Cross-site scripting attacks, you can see the vulnerability payload on the response page. In DOM-based cross-site scripting, the HTML source code and response of the attack will be the same. I.e. the payload cannot be found in the response. It can only be observed at runtime or by investigating the DOM of the page.
The most dangerous part of DOM-based XSS is that is a client-side attack. But also, the attacker’s payload is never sent to the server. This complicates the detection of the attack for Web Application Firewalls (WAFs) and security engineers. They analyze the server’s logs and won’t even see the attack.
Finding Cross-Site Scripting Vulnerabilities
By understanding what XSS is, we can start to find this vulnerability in our application. In this opportunity, we explain “black box testing.” It is about injecting a string containing characters that have special meaning in HTML, into some parameter of an HTTP request. We are going to follow several steps to find XSS vulnerabilities in our application.
For this reason, we need to intercept the HTTP requests that the Web browser makes before they are sent. And modify them to inject our XSS test. Using a proxy that intercepts and scans traffic will help us identify problems. Example tools include Burp Proxy and ratproxy.
The second step is to identify all fields that allow user input for each page. This includes hidden or non-obvious inputs such as HTTP parameters, POST data, hidden form field values, and predefined radio or selection values.
In the third step, we need to select input data, to insert into the fields that were identified in the previous step. Generally, we use specially crafted input data.
Some examples of this input data could be:
For example: if we insert the string
“"'><script>alert(‘XSS')</script>” and our application doesn’t correctly escape this string, we will see an alert and know that something went wrong.
The best protection for XSS is a combination of whitelist validation of all incoming information and proper coding of outgoing information. The validation allows the detection of attacks. The coding prevents any injection of a script from running successfully in the browser.
Further reading on security for web applications by clicking on Successful and Reliable Applications