what steps would you take to avoid vulnerability to cross-site scripting in your application?
Cantankerous-site scripting
In this section, we'll explain what cantankerous-site scripting is, describe the unlike varieties of cross-site scripting vulnerabilities, and spell out how to find and prevent cross-site scripting.
What is cross-site scripting (XSS)?
Cantankerous-site scripting (besides known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the aforementioned origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities commonly allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user'south data. If the victim user has privileged admission inside the application, then the attacker might exist able to gain full control over all of the awarding's functionality and data.
How does XSS work?
Cross-site scripting works by manipulating a vulnerable web site so that information technology returns malicious JavaScript to users. When the malicious code executes within a victim's browser, the assaulter can fully compromise their interaction with the application.
Labs
If you're already familiar with the basic concepts behind XSS vulnerabilities and just want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of the labs in this topic from the link beneath.
View all XSS labs
XSS proof of concept
Y'all can ostend most kinds of XSS vulnerability past injecting a payload that causes your own browser to execute some arbitrary JavaScript. Information technology'south long been common practice to use the alert()
function for this purpose because it's short, harmless, and pretty hard to miss when it's successfully called. In fact, you solve the majority of our XSS labs by invoking alarm()
in a fake victim's browser.
Unfortunately, there's a slight hitch if you lot utilise Chrome. From version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling alert()
. As these are used to construct some of the more advanced XSS attacks, you'll sometimes demand to employ an culling PoC payload. In this scenario, we recommend the print()
function. If you're interested in learning more than near this change and why we like print()
, check out our blog post on the subject.
Every bit the simulated victim in our labs uses Chrome, we've amended the affected labs so that they can besides be solved using print()
. We've indicated this in the instructions wherever relevant.
What are the types of XSS attacks?
At that place are three main types of XSS attacks. These are:
- Reflected XSS, where the malicious script comes from the current HTTP request.
- Stored XSS, where the malicious script comes from the website's database.
- DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.
Reflected cross-site scripting
Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data inside the immediate response in an unsafe way.
Here is a unproblematic instance of a reflected XSS vulnerability:
https://insecure-website.com/status?message=All+is+well. <p>Status: All is well.</p>
The application doesn't perform whatsoever other processing of the data, so an attacker can easily construct an attack similar this:
https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script> <p>Status: <script>/* Bad stuff here... */</script></p>
If the user visits the URL constructed by the assaulter, then the attacker'south script executes in the user'southward browser, in the context of that user'due south session with the application. At that point, the script can comport out any action, and retrieve any information, to which the user has access.
Stored cross-site scripting
Stored XSS (also known every bit persistent or second-social club XSS) arises when an application receives data from an untrusted source and includes that data within its afterward HTTP responses in an dangerous way.
The data in question might exist submitted to the application via HTTP requests; for instance, comments on a blog post, user nicknames in a chat room, or contact details on a client gild. In other cases, the data might arrive from other untrusted sources; for case, a webmail application displaying messages received over SMTP, a marketing application displaying social media posts, or a network monitoring application displaying packet data from network traffic.
Here is a simple case of a stored XSS vulnerability. A bulletin board awarding lets users submit messages, which are displayed to other users:
<p>Hello, this is my message!</p>
The application doesn't perform any other processing of the information, then an attacker can easily send a bulletin that attacks other users:
<p><script>/* Bad stuff hither... */</script></p>
DOM-based cross-site scripting
DOM-based XSS (likewise known equally DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe mode, ordinarily by writing the information dorsum to the DOM.
In the following example, an application uses some JavaScript to read the value from an input field and write that value to an element within the HTML:
var search = certificate.getElementById('search').value; var results = certificate.getElementById('results'); results.innerHTML = 'You searched for: ' + search;
If the aggressor can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:
You searched for: <img src=1 onerror='/* Bad stuff here... */'>
In a typical instance, the input field would be populated from part of the HTTP request, such every bit a URL query string parameter, allowing the attacker to deliver an assault using a malicious URL, in the aforementioned manner equally reflected XSS.
What can XSS exist used for?
An attacker who exploits a cross-site scripting vulnerability is typically able to:
- Impersonate or masquerade as the victim user.
- Conduct out any action that the user is able to perform.
- Read any data that the user is able to access.
- Capture the user'south login credentials.
- Perform virtual defacement of the spider web site.
- Inject trojan functionality into the web site.
Affect of XSS vulnerabilities
The actual bear on of an XSS assault generally depends on the nature of the application, its functionality and data, and the condition of the compromised user. For example:
- In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
- In an awarding belongings sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
- If the compromised user has elevated privileges inside the application, then the impact volition by and large exist critical, allowing the attacker to have total command of the vulnerable application and compromise all users and their data.
How to find and test for XSS vulnerabilities
The vast majority of XSS vulnerabilities tin can be plant quickly and reliably using Burp Suite'due south spider web vulnerability scanner.
Manually testing for reflected and stored XSS usually involves submitting some simple unique input (such every bit a short alphanumeric cord) into every entry point in the awarding, identifying every location where the submitted input is returned in HTTP responses, and testing each location individually to decide whether suitably crafted input can be used to execute arbitrary JavaScript. In this way, you tin determine the context in which the XSS occurs and select a suitable payload to exploit it.
Manually testing for DOM-based XSS arising from URL parameters involves a similar procedure: placing some elementary unique input in the parameter, using the browser'due south developer tools to search the DOM for this input, and testing each location to decide whether it is exploitable. However, other types of DOM XSS are harder to detect. To find DOM-based vulnerabilities in non-URL-based input (such every bit document.cookie
) or non-HTML-based sinks (similar setTimeout
), at that place is no substitute for reviewing JavaScript lawmaking, which tin can be extremely time-consuming. Burp Suite'due south spider web vulnerability scanner combines static and dynamic assay of JavaScript to reliably automate the detection of DOM-based vulnerabilities.
Content security policy
Content security policy (CSP) is a browser mechanism that aims to mitigate the bear on of cantankerous-site scripting and some other vulnerabilities. If an application that employs CSP contains XSS-like behavior, then the CSP might hinder or forbid exploitation of the vulnerability. Often, the CSP can exist circumvented to enable exploitation of the underlying vulnerability.
Dangling markup injection
Dangling markup injection is a technique that can be used to capture data cantankerous-domain in situations where a total cross-site scripting exploit is not possible, due to input filters or other defenses. It tin can often be exploited to capture sensitive information that is visible to other users, including CSRF tokens that tin be used to perform unauthorized actions on behalf of the user.
How to prevent XSS attacks
Preventing cross-site scripting is little in some cases only can exist much harder depending on the complexity of the awarding and the means it handles user-controllable data.
In full general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
- Filter input on arrival. At the indicate where user input is received, filter as strictly equally possible based on what is expected or valid input.
- Encode information on output. At the bespeak where user-controllable information is output in HTTP responses, encode the output to prevent information technology from existence interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
- Employ appropriate response headers. To prevent XSS in HTTP responses that aren't intended to comprise any HTML or JavaScript, you can utilise the
Content-Type
andX-Content-Type-Options
headers to ensure that browsers interpret the responses in the way you lot intend. - Content Security Policy. As a final line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that withal occur.
Common questions about cross-site scripting
How common are XSS vulnerabilities? XSS vulnerabilities are very common, and XSS is probably the most frequently occurring spider web security vulnerability.
How common are XSS attacks? It is difficult to become reliable data about existent-earth XSS attacks, but it is probably less frequently exploited than other vulnerabilities.
What is the departure between XSS and CSRF? XSS involves causing a web site to return malicious JavaScript, while CSRF involves inducing a victim user to perform actions they practice non intend to do.
What is the difference between XSS and SQL injection? XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application'due south database.
How do I prevent XSS in PHP? Filter your inputs with a whitelist of allowed characters and use type hints or blazon casting. Escape your outputs with htmlentities
and ENT_QUOTES
for HTML contexts, or JavaScript Unicode escapes for JavaScript contexts.
How do I prevent XSS in Java? Filter your inputs with a whitelist of allowed characters and use a library such as Google Guava to HTML-encode your output for HTML contexts, or use JavaScript Unicode escapes for JavaScript contexts.
Source: https://portswigger.net/web-security/cross-site-scripting