Cross-Site Scripting (XSS) Introduction

 

Cross-Site Scripting (XSS) Introduction

Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course. Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.

 

Introduction

XSS is an often-overlooked vulnerability. The generic “Hello World” example of XSS (e.g. <script>alert(“XSS”);</script>) is an overly benign example. Once an XSS vulnerability is discovered it becomes possible for attackers to modify the webpage to re-direct users to malicious site, steal a user’s session or cookie, or bypass a log in.

Because XSS is such a huge topic, a series will be developed with exploitations to follow. For this blog article, XSS detection will be focused on. Eventually this series will cover JSON, XML, XPath, JQuery, and other types of injections which are like XSS.

XSS Types

XSS can be broadly categorized into client side (e.g. browsers, connecting computers, etc.) and server side (e.g. web server, database, server log files, etc.) attacks. They can be further categorized in Reflected, DOM and Stored XSS though these definitions can become confusing as they overlap each other. OWASP provides an excellent explanation of each type of XSS in the link below:

https://owasp.org/www-community/Types_of_Cross-Site_Scripting

XSS Detection  

Pentester Lab 1 XSS example 6 will be used as an example for how XSS can be detected. Before detection can begin it is a good idea to see if your browser has any XSS prevention features and disable them. Browsers such as IE and Chrome will attempt to prevent XSS; in this example the Firefox browser is used.

Press F12 to bring up the browser console and attempt to enter the following address below in the browser:

http://<ipv4>/xss/example1.php?name=<script>console.log(“XSS”)</script>

You will likely get the following response below:

Looking at the above image you can see there is an unexpected token Syntax Error. This is an excellent clue to the XSS evasion that is being implemented. Pressing “Ctrl+u” on the page reveals the page’s source code. A search could be performed on “XSS” will bring us to the line in the source code:

It looks like user input is being set to variable “a” and this variable is getting wrapped in a script. We can attempt to close this line off and comment out any additional code with the following line:

http://<ipv4>/xss/example6.php?name=</script><script>console.log(“XSS”);</script>//

When we send this GET request to the site, we see the XSS message appear in the browser console. Note the developer console’s Inspector, Console, and Network tabs are useful when detecting XSS vulnerabilities. The Linux terminal command curl can also be useful for detecting and exploiting XSS vulnerabilities and could be added in a python script (article on this later).

Developers will sometimes try to be clever by suppressing certain characters or tags as seen in the Pentesters Lab source code for example 3:

$name = preg_replace(“/<script>/i”,””,$name);

$name = preg_replace(“/</script>/i”,””,$name);

In this example tries to suppress the opening and closing script tags. Fortunately (or unfortunately if you’re the developer) this can be easily circumvented by using other tags such as the BODY tag:

 http://<ipv4>/xss/example3.php?name=<BODY onload=alert(1);

Blacklisting tags such as <script> or events such as “alert” is generally a bad idea for preventing XSS as they can easily be maneuvered around with other tags or events. It’s normally better to instead develop a whitelist of characters that’ll be used in the site and then work with suppressing XSS with those necessary characters. XSS is particularly difficult to prevent though, an article on XSS prevention will come later.

There are many brute force methods for detecting XSS and the following sites can help in developing a script for these brute-force attempts:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#xss-in-files

https://owasp.org/www-community/xss-filter-evasion-cheatsheet

BeEF is also a great tool for detecting and exploiting XSS vulnerabilities and will be used in a subsequent article.

Conclusion

You may be asking yourself at this point, “So what? I found a vulnerability in some page source code and was able to reflect text to a console. How would this be beneficial in compromising a site?” This is where the HTML DOM objects comes into play. Payloads such as document.cookie, window.location.href, and other objects could be used to steal session cookies or re-direct users to malicious sites.

 

References

maxrodrigo. (2020). PayloadsAllTheThings. Retrieved from

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#xss-in-files

OWASP. (2020). Types of XSS. Retrieved from

https://owasp.org/www-community/Types_of_Cross-Site_Scripting

OWASP. (2020). XSS Filter Evasion Cheatsheet. Retrieved from

            https://owasp.org/www-community/xss-filter-evasion-cheatsheet

W3Schools. (2020). HTML DOM. Retrieved from w3schools.com

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks

The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker. All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are ...
Read more

LDAP Vulnerabilities

Image
Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Web for Penetration Testers Example 1 Lightweight Directory Access Protocol (LDAP) can be thought of as a hierarchical directory structure. Using the live iso of Web for Pentester 1 lab we can find that Open LDAP service is running by running performing a nmap scan from our kali box (attacking machine): Figure 1 Using the ldapsearch command with the -b (base dn [top of hierarchy in this case]) -LLL (print responses in LDIF format without comments or version) and -x (simple authentication) flags (-h specifies the host) from our kali box (see Figure 2), we see that there are three common names (cn) entries: admin, ...
Read more

Setting Up a Proxy to Protect Your Public IP (An Introduction to Proxies)

Image
I recently purchased a static IP address. While this is great for setting up VPNs, websites, and other major benefits it bothered me that I normally visit CTFs and sites that contain malicious code to accomplish these CTF challenges. There had to be a way I could better protect my public IP from direct exposure in the event I did something stupid while surfing the web. This is where a proxies come into play. A proxy is exactly the same thing meant in the English language; think if computer A who set up the proxy wants to talk to computer C. An intermediary could be introduced (Proxy Server B) so that when computer C talks to computer A it has to go through Proxy Server B. Thus Computer C thinks its talking to Proxy Server B and only sees that IP address; when in reality all traffic is getting forwarded to computer A and vise versa. This creates a layer of abstraction. There are many types of proxies such as reverse proxies which is used mainly for public facing web sites. We are strict...
Read more