XSS Attack
User session hijacking | Unauthorized activities | Capturing Keystrokes | Stealing critical information | Phishing Attack
XSS — Cross Site Scripting Attack
XSS is a type of security vulnerability that occurs when an attacker injects malicious scripts into web pages viewed by other users. These scripts then execute in the browsers of unsuspecting users with the page's own privileges, leading to unintended activities such as stealing cookies or other sensitive information.
Example 1: Session Hijacking Vulnerability
Here, the application sets a cookie. The URL parameter (name) is reflected into the page without encoding, so it can be manipulated to execute a script that sends the cookie to the attacker's endpoint.
URL Param: “?name=[Encoded_URI_Component]”
Because the ‘img src’ does not point to a real image, the load fails and the ‘onerror’ handler executes, sending the cookie to the attacker’s endpoint.
Example 2: Unauthorized Activities Vulnerability
Sometimes posts are created from our account without our knowledge or action.
URL Param: “?name=<img src="error.gif" onerror="createPost('HACK_TITLE', 'HACK_DESCRIPTION');" />”
Because the ‘img src’ does not exist, the ‘onerror’ handler executes and creates a post. The request goes out from our own browser session, with our cookies, because the application did not handle the user input properly.
Example 3: Capturing keystrokes
URL Param: “?name=[Encoded_URI_Component]”
All keystrokes are captured and sent to the attacker’s endpoint.
Example 4: Stealing critical information
Sending the entire page content / DOM (which can contain any kind of information) to an attacker-controlled URL.
URL Param: “?name=[Encoded_URI_Component]”
The entire content of the page is sent to the attacker’s endpoint.
Example 5: Phishing Attack
URL Param: “?name=[Encoded_URI_Component]”
It opens a fake login form, from which the entered login details are sent to a fake endpoint.
Mitigation
- Treat all user input as untrusted
- Use innerText | textContent instead of innerHTML
- Escaping
Replacing special characters (such as <, >, &, quotes) with their HTML entity codes so the input is rendered as text rather than interpreted as DOM elements or script
- Using Library like React
{name} — JSX interpolation is escaped by default, so the value is rendered as text instead of as a DOM element
- Sanitize data using libraries like DOMPurify when HTML must be rendered
- CSP Headers (Content Security Policy)
Allowed Sources | Script Nonces | Report-only mode
In the following example, third-party script sources are blocked through CSP headers
Thank you for reading!!