XSS Attack

VARSHA RANI
4 min read · May 11, 2024


User session hijacking | Unauthorized activities | Capturing Keystrokes | Stealing critical information | Phishing Attack

XSS — Cross Site Scripting Attack

Cross-site scripting (XSS) is a vulnerability in which an attacker injects a malicious script into a web page that other users view. Because the script runs in the victim's browser with the origin of the vulnerable site, it can read cookies and page content, capture input, and send requests that the server cannot tell apart from the user's own actions. The examples below all use the same root cause, a URL parameter written into the page without escaping, with a different payload each time.

Fig 1: XSS Attack

Example 1: Session Hijacking Vulnerability

Fig 2: Vulnerable code
Fig 3: Cookie

Here the application sets a session cookie. The URL parameter `name` is written into the page without escaping, so it can carry a script that reads `document.cookie` and sends the value to an endpoint the attacker controls.

Fig 4: The parameter is first encoded using `encodeURIComponent()` and then passed in the URL to handle special characters.

URL Param: “?name=[Encoded_URI_Component]”

The image in `src` does not exist, so the browser fires the `onerror` handler, and the handler sends the cookie to the attacker's endpoint. This only exposes cookies that are readable from script; a cookie set with the `HttpOnly` flag is not visible to `document.cookie`, although the script can still act as the user from inside the page, as Example 2 shows.

Fig 5: Cookie is sent to attackers' endpoint (Request URL)

Example 2: Unauthorized Activities Vulnerability

Posts appear under the victim's account that the victim never created: the injected script calls the application's own functions, and the resulting requests are sent from the victim's browser.

Fig 6: Vulnerable code

URL Param: `?name=<img src="error.gif" onerror="createPost('HACK_TITLE', 'HACK_DESCRIPTION');" />`

Because `error.gif` does not exist, `onerror` fires and calls the page's own `createPost` function, which exists because user input was never handled properly. The request goes out from the victim's browser with the victim's cookies attached, so the server treats it as a legitimate action. Anti-CSRF tokens do not help here: the script runs in the page's own origin and can read whatever token the page holds.

Fig 7: Payload
Fig 8: Endpoint where post will be made

Example 3: Capturing keystrokes

Fig 9: Vulnerable code
Fig 10: The parameter is first encoded using `encodeURIComponent()` and then passed in the URL to handle special characters.

URL Param: “?name=[Encoded_URI_Component]”

The payload registers a keystroke handler on the document, so every key the user presses on the page, including anything typed into password fields, is recorded and sent to the attacker's endpoint.

Fig 11: Keystrokes Monitored
Fig 12: Endpoint where keystrokes sent

Example 4: Stealing critical information

The payload sends the entire page content (the DOM), which can include any information rendered for the logged-in user, to a URL the attacker controls.

Fig 13: Vulnerable code
Fig 14: The parameter is first encoded using `encodeURIComponent()` and then passed in the URL to handle special characters.

URL Param: “?name=[Encoded_URI_Component]”

The entire DOM of the page, including any personal data shown to the logged-in user, is sent to the attacker's endpoint.

Fig 15: Entire content sent to Attackers’ endpoint

Example 5: Phishing Attack

Fig 16: Vulnerable code
Fig 17: The parameter is first encoded using `encodeURIComponent()` and then passed in the URL to handle special characters.

URL Param: “?name=[Encoded_URI_Component]”

The payload injects a login form into the page. Because the form appears under the legitimate site's URL, users are likely to trust it, and the credentials they enter are posted to a fake endpoint controlled by the attacker.

Fig 18: Hitting URL will open up login form
Fig 19: Login details will be sent to fake endpoint

Mitigation

  • Treat all user input as untrusted, whether it arrives in URL parameters, form fields, headers or stored data
  • Use innerText | textContent instead of innerHTML

Both assign the value as text, so a string such as `<img onerror=...>` is displayed literally instead of being parsed as markup.

  • Escaping

Replace the characters that have meaning in HTML (`<`, `>`, `&`, `"`, `'`) with their entity codes before inserting user data into the page, so the browser treats the data as text rather than as DOM elements. Escape for the context the data lands in: an attribute value, a URL or a script block needs different rules than element content.

  • Using a library like React

{name} is rendered as text instead of as a DOM element. This protection is lost with `dangerouslySetInnerHTML`, which behaves like `innerHTML`.

  • Sanitize data using libraries like DOMPurify

Use a sanitizer only where user-supplied HTML genuinely has to be rendered; where plain text is enough, escaping or `textContent` is simpler and safer.

  • CSP headers (Content Security Policy)

Allowed sources | Script nonces | Report-only mode

CSP is a second layer, not a replacement for output encoding: it limits which scripts can run if an injection does get through, and report-only mode lets you see what a policy would block before enforcing it. In the following example, scripts from third-party sites are blocked through CSP headers.

Thank you for reading!!
