CROSS SITE SCRIPTING (XSS)


Cross-site scripting (XSS) is a script injection attack in which an attacker executes malicious JavaScript in another user's browser. The user's browser has no way to know that the script should not be trusted, so it executes it.
The malicious script can then access cookies, session tokens, and any other sensitive information the browser retains for that site. Cross-Site Scripting (XSS) attacks occur when:

  1. Data enters a Web application through an untrusted source, most frequently a web request.
  2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.

Types of XSS

XSS comes in several forms, classified by how the payload reaches the victim and affects the website. The types of XSS are:
  • Stored XSS - The injected script is permanently stored on the target server, for example in a database, forum post, log, or comment field.
  • Reflected XSS - The payload is echoed back to the user only when they open a link to the vulnerable website carrying crafted input.
  • DOM Based XSS - The payload executes because it modifies the DOM "environment" in the user's browser that the client-side script relies on, so the client-side code runs in an "unexpected" manner.

XSS flaws are difficult to identify and remove from a web application.

To minimise their effect, always perform a security review of the code and search for every place where input from an HTTP request could possibly make its way into the output.
To learn more about XSS, read the OWASP Top 10 2017 and the reference page at https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Let's go through how XSS happens and how we can test for it. For practice you can use DVWA or WebGoat, or join one of the online practice sites.

Impact of XSS
XSS can cause a variety of problems, such as:
  • Complete account compromise.
  • Disclosure of the user's session cookie, allowing an attacker to hijack the user's session.
  • Disclosure of end-user files, installation of Trojan horse programs, or redirection of the user to some other page or site.
  • An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information, resulting in an overdose.


How to do XSS testing for vulnerability analysis:

Go to http://leettime.net/xsslab1 and start testing.

Start the test by clicking on "Bring it on", and then start challenge-1.

On viewing the source code we find that we can easily inject scripts in the search box.

We used the simple script used by many beginners, <script>alert(0)</script>, in the search box. You can also put it into the URL as name=<script>alert(0)</script>.

So on executing the code we get the popup the challenge asks for.

To complete the challenge, use document.URL instead of 0.

Going on to challenge-2, we came across the need to implement a new script.

On viewing the source code we get to know what change we need in the script. The script we used is ><script>alert(document.URL)</script>.

Going on to challenge-3, we came across a new way of performing XSS.

On viewing the source code we get to know what change we need in the script. The script we used is ><script>alert(document.URL)</script>.

Going on to challenge-4, we came across a new way of performing XSS.

On viewing the source code we get to know what change we need in the script. The script we used is ><script>alert(document.URL)</script>.

Going on to challenge-5, we came across a new way of performing XSS.

On viewing the source code we get to know what change we need in the script. The script we used is ";</script><script>alert(document.URL)</script>.

Going on to challenge-6, we came across a new way of performing XSS.

On viewing the source code we get to know what change we need in the script. The script we used is ';</script><script>alert(document.URL)</script>.

Going on to challenge-7, we came across a new way of performing XSS. But the normal script doesn't work on it, so we go for case conversion (like ScRiPT) or use a different set of payloads like onmouseover.

On viewing the source code we get to know what change we need in the script. The script we used is 'onmouseover="alert(document.URL)".

Going on to challenge-8, we came across a new way of performing XSS. But the normal script doesn't work on it, so we use a different set of payloads like onmouseover.

On viewing the source code we get to know what change we need in the script. The script we used is &submit=search"onmouseover="alert(document.URL).
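Judging by the payloads above, the challenges reflect the search input into three different output contexts: HTML element content (a plain script tag works), a JavaScript string inside an inline script (the payload has to close the string and the script first), and a quoted attribute value (the payload has to break out of the quotes to add an event handler). Each context needs its own encoding. The following is an added example, not the lab's code or the post's own: a small reflected "search" page rendered once with the query concatenated straight into the page and once with context-specific escaping per the OWASP rules listed in the mitigation section. The function names, the page layout and the `name` parameter are assumptions of this example.

```javascript
// Added example (not from the original post or the lab): a reflected "search"
// page rendered two ways. renderVulnerable() concatenates the query straight
// into the page; renderHardened() escapes the query for each output context it
// lands in (HTML body, HTML attribute, JavaScript string, URL parameter).
// Layout and function names are this example's own assumptions.

// HTML element content and quoted attribute values: escape the five
// significant characters so the browser never sees a new tag or a closing quote.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// JavaScript string literal: escape everything that is not alphanumeric as
// \xHH (or \uHHHH), so neither a quote nor "</script>" survives in the output.
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query parameter: percent-encode the value.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Both renderers place the query in the same sinks: element content, a quoted
// attribute value, and a JS string inside an inline script.
function renderVulnerable(query) {
  return [
    '<p>Results for: ' + query + '</p>',
    '<input type="text" name="name" value="' + query + '">',
    '<script>var last = "' + query + '";</script>',
  ].join('\n');
}

function renderHardened(query) {
  return [
    '<p>Results for: ' + escapeHtml(query) + '</p>',
    '<input type="text" name="name" value="' + escapeHtml(query) + '">',
    '<script>var last = "' + escapeJs(query) + '";</script>',
    // An href is an attribute holding a URL: URL-encode first, then HTML-encode
    // the attribute value, so the encodings nest in the order the browser decodes.
    '<a href="/search?name=' + escapeHtml(escapeUrlParam(query)) + '">permalink</a>',
  ].join('\n');
}
```

Feeding the challenge payloads from the walkthrough into `renderVulnerable` reproduces the injected tag, the closed-off script string and the stray event handler; feeding them into `renderHardened` leaves only inert text in every context. The point of the example is that one escaper is not enough: `escapeHtml` alone would still let `";</script>` end the inline script, which is why the JS string sink gets `escapeJs`.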


MITIGATION
  • Never insert untrusted data except in allowed locations.
  • HTML escape before inserting untrusted data into HTML element content.
  • JavaScript escape before inserting untrusted data into JavaScript data values.
  • CSS escape and strictly validate before inserting untrusted data into HTML style property values.
  • URL escape before inserting untrusted data into HTML URL parameter values.
  • Sanitize HTML markup with a library designed for the job.
  • Use the HttpOnly cookie flag.
  • Use the X-XSS-Protection response header.
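The last two points concern the HTTP response rather than the page body. As an added example (not from the post or from OWASP), the following builds the session cookie and response headers those points call for and audits an arbitrary header set against them, so a reviewer can check a response without reading every cookie line by hand. The cookie name `sid`, the finding strings and the function names are this example's own assumptions; it also adds `Secure` and `SameSite`, which the list does not mention but which belong on a session cookie.

```javascript
// Added example (not from the original post): response-side XSS hardening.
// hardenedHeaders() produces the headers a page should send; auditHeaders()
// reports which of the checks a given header set fails. Cookie name, finding
// text and function names are assumptions of this example.

// Session cookie: HttpOnly keeps document.cookie from reading it (so a script
// that does run cannot exfiltrate it), Secure restricts it to HTTPS, SameSite
// limits when it is sent on cross-site requests.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

function hardenedHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Set-Cookie': sessionCookie('sid', sessionId),
    'X-XSS-Protection': '1; mode=block',
  };
}

// Parses one Set-Cookie line into the cookie name and the set of attribute
// names (lower-cased), so the audit checks attributes rather than substrings.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, flags };
}

// Returns a list of findings; an empty list means every check passed.
// Header names are matched case-insensitively; Set-Cookie may be a string or
// an array of strings, as Node's http module exposes it.
function auditHeaders(headers) {
  const findings = [];
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const cookies = [].concat(lower['set-cookie'] || []);
  for (const line of cookies) {
    const { name, flags } = parseSetCookie(line);
    if (!flags.has('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!flags.has('secure')) findings.push(`cookie ${name} lacks Secure`);
  }

  const xss = lower['x-xss-protection'];
  if (xss === undefined) {
    findings.push('X-XSS-Protection header missing');
  } else if (!/^1;\s*mode=block$/i.test(String(xss).trim())) {
    findings.push(`X-XSS-Protection is "${xss}", expected "1; mode=block"`);
  }

  return findings;
}
```

Run `auditHeaders` over the headers object of a real response (for example `res.getHeaders()` in Node) to see what is missing. One caveat worth knowing: current browsers have removed the filter that `X-XSS-Protection` controlled, so the header only helps older browsers; the audit keeps it as a legacy item, and the output-encoding rules earlier in the list remain the real defence.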

For more mitigations, see the OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
