Cross-site Scripting (XSS)

An overview of the three main types of Cross-site Scripting (XSS) attacks: Reflected, Stored and DOM Based.

Introduction

This document provides an overview of the three main types of XSS attacks, giving a clear definition of each with detailed diagrams explaining how the attack takes place. It is a useful resource for web developers and web application security assessment companies.

What is XSS (Cross-site Scripting)?

Cross-site scripting, also known as XSS, is a client-side attack in which code is executed in the victim's browser, either by injecting JavaScript into a web application and having a victim visit the vulnerable URL, or by directly tricking a user into clicking a link with a payload crafted into the URL. The three main types of Cross-site Scripting, Reflected XSS, Stored XSS and DOM Based XSS, are documented below.

Different Types of XSS Explained

Stored XSS Definition

Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are message forums, blog comments, user profiles and username fields. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site, or by passing a link to a victim and tricking them into viewing the page that contains the stored XSS payload. The victim visits the page and the payload is executed client side by the victim's web browser. Stored XSS is also known as persistent cross-site scripting or persistent XSS.

Stored XSS Attack: Basic Example

The diagram below assumes the attacker has already discovered a stored cross-site scripting vulnerability on the target web application and has a way of tricking or ensuring the victim will visit the page containing the stored payload.

Typical Entry Points for Stored XSS

Stored XSS requires user-supplied input to be stored by the application (making it persistent) and rendered within the page.
The following list identifies some typical locations where Stored XSS vulnerabilities exist:

- Message forums
- Blog comments
- Profile page information
- Admin portals

Typical Attack Vectors for Stored XSS

An attacker can execute JavaScript of their choosing in the victim's browser, so XSS can be used to realise a number of security risks, or be combined with other web vulnerabilities to exploit a higher-severity security vulnerability:

- Redirecting the browser
- Link placement
- Hooking browsers with BeEF (redirecting vulnerable browsers to exploits)
- Cookie theft / session hijacking
- Key logging
- Using XSS to steal CSRF tokens
- Fake login forms
- Abusing HTML5

Cookie Theft Example using Stored XSS

The following example uses a vulnerable blog comment system to inject an XSS payload on a popular page often visited by the victim(s). The XSS payload attempts to load an image from the attacker's server with the victim's cookie data in the request URL. After the request for the image has taken place, the attacker can extract the victim's session identifier from the web server log […]
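As an added example (not code from the original article), a minimal Node.js blog-comment renderer showing the defect behind the stored XSS above and its fix: the vulnerable version concatenates the stored comment straight into the page, the fixed version HTML-encodes it on output. The stored comment is a constructed sample carrying a harmless marker tag in place of the cookie-stealing payload the article describes, and `containsActiveMarkup` is a helper written for this example.

```javascript
// Added example, not code from the original article.
// Constructed stored comment, as it would sit in the database after an
// attacker posted it. The tag is a harmless marker standing in for the
// cookie-stealing <img> payload the article describes.
const STORED_COMMENT = 'Nice post! <img src=x onerror="alert(1)">';

// Vulnerable: the stored string is concatenated straight into the page,
// so the browser parses the attacker's tag and runs its event handler.
function renderCommentVulnerable(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// HTML entity encoding for data placed between tags. Every character
// that can open markup or terminate an attribute value is escaped.
function escapeHtml(text) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(text).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Fixed: the same data is encoded at output time, so the browser shows
// the attacker's text literally instead of executing it.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Test/CI aid (helper written for this example): after stripping the
// wrapper we added ourselves, does the rendered output still contain a
// raw tag that originated from user data?
function containsActiveMarkup(html) {
  const body = html.replace(/^<li class="comment">|<\/li>$/g, '');
  return /<\s*[a-z!\/]/i.test(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderCommentVulnerable(STORED_COMMENT));
  console.log('safe      :', renderCommentSafe(STORED_COMMENT));
}
```

Output encoding is the fix for the vulnerability itself; setting the session cookie with the HttpOnly flag additionally keeps `document.cookie` out of reach of any script that does manage to run.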