Cross-site scripting

Not only in JavaScript

Posted on April 29, 2022

This is notes of YouTube interview on April 29 2022

Credit: Website Hacking Demos using Cross-Site Scripting by David Bombal

Guest: Wesley Thijs, aka XSSrat

Cross-site scripting - XSS

Definition

  • There is not restricted in JavaScript
  • Attackers insert a script in a website with any scripting language

Type

easy to hard

  1. Stored XSS
    • Can be executed by POST request
    • e.g., Blog post comments
  2. Reflected XSS
    • Send a with exploited URL an email to victim
    • Need to social engineering first
  3. DOM-XSS
    • e.g., Client-side JavaScript
    • Get access to the website document object model
      • e.g., Session ID
    • DOM sync

How it works?

Victim get into a trap by going to that target website. The malicious code will be run automatically on client side. For example, a key logger insert into client computer and send all the information from victim device.

Techniques

  • Stripping
    • put XSS to break HTML comment and insert malicious codes
    • --> & " &
    • <script> blah blah blah </script>
    • JavaScript Event handler <img src=x onerror=alert()>
  • Add x-cross-site scripting protection header
  • AngularJS - vulnerable version
    • Insert XSS with ``
  • document.write()
    • one of the DOM-XSS vulnerabilities

News: TweetDuck

Tags: Hacking
Share: Twitter Facebook LinkedIn