Crossing Scripts – XSS

Injections. SQL Injections. Cross-site Scripting (hence the amazing title “Crossing Scripts – XSS”).

There all sorts of Injection-Based attacks, if you want to read about them in general, go here, but, if Cross-site Scripting (XSS) is what you are looking for, then read on!

XSS, which is the acronym for Cross-site Scripting, like SQL injections, is one of the most common and dangerous types of attacks these days, and they are placed third inside the AO3 in the OWASP top ten list, which illustrates the severity of these attacks.

XSS is an attack against a web surfer, user, exploited by vulnerabilities in web applications, which allows the attacker to inject malicious scripts that aims to run in the browsers of other system users, while executing the code, the attacker could perform actions on behalf of the user, by exploiting restrictions in the HTTP protocol and even steal the user’s ID!

Exploiting these vulnerabilities consists of finding ways to inject malicious code, that is being “Processed” as valid input into pages belonging to other domains, thereby giving the vulnerability exploiter access to sensitive information located in these sites.

Such attacks can lead to :

  • Intercept user’s input.
  • theft of vital and sensitive information such as credit card information or passwords.
  • impersonation of a particular person or service, which could lead to phishing attacks.

Types of XSS :

  • Persistent/Stored XSS – probably the most dangerous type of XSS, in this case, once the malicious string is saved in the database, there is a situation where the site can “Infect” users who are making some sort of interaction with the database.
  • Reflected XSS – also called “Temporary XSS”, this is probably the most common type of XSS, in this case, the malicious string, or code, is being inserted by the user in some sort of an input, this input is not being validated properly, thus, causing it to being “processed” like it was.
  • DOM based XSS – also known as “Local XSS”, exists mostly on a a client-side script that uses the input to generate an HTML page, without validating if it contains a malicious code or not, for example, a JavaScript code that receives a web address as input, and uses it to generate an HTML page, without making sure that the address itself does not contain code, will contain “Local XSS”.

Let’s look at an example :

This is a website called “XSS Game” designed by google for practicing :

This is the first task :

Now, let’s insert a line of code instead of the expected input :

We insert an input, supposed to be valid, but it is not being checked properly, and in the processing stage, it will be processed as a command instead, allowing you to initiate and edit changes :

Stay safe, choose Kayran.

Passwords 101

Unlike basketballs, “passwords” are things we don’t want to be passed around, especially in a society built around the idea that “mystery” is appealing. We

Read More »

Blue Team

We’ve talked about The Red Team before, but what about The Blue Team? How is this group different from the red one? Why would we

Read More »