XSS Flashcards
(23 cards)
What are the 3 types of XSS?
Reflected
Stored
DOM-based
What is reflected XSS?
When an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way
What is stored XSS?
When an application receives data from an untrusted source and includes that data within its later responses in an unsafe way
What is DOM-based XSS?
When an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back into the DOM
What is XSS used for?
- impersonate the victim user
- carry out any actions the user is able to perform
- read any data the user is able to access
- capture the user's login credentials
- perform virtual defacement of the web site
- inject trojan functionalities into the web site
How can XSS vulnerabilities be prevented?
- filter/sanitise input on arrival
- encode data on output
- use appropriate response headers
- content security policy
What areas of a web app do you test for reflected XSS?
- every entry point for data
How do you test for reflected XSS?
1) submit random alphanumeric values into each entry point - to determine if the value is reflected in the response.
2) determine the reflection context - where is the reflected value located? Is it quoted within a JavaScript string?
3) test a candidate payload that will trigger JavaScript execution if it is reflected unmodified within the response
4) test alternative payloads - if it was blocked or modified then try different payloads
5) test the attack in a browser - if one works in Burp, try it on the web page.
What is a simple JavaScript snippet to use in a reflected XSS attack that would trigger a visible pop-up?
alert(document.domain)
When carrying out a stored XSS attack, what are some areas that could be potentially vulnerable?
- comments section
- user nicknames in a chat room
- contact details on a customer order
If vulnerable to stored XSS, where might the application receive data from untrusted sources?
- a webmail application displaying messages received over SMTP
- a marketing application displaying social media posts
- a network monitoring application displaying packet data from network traffic
What string could you input to test if a web app is vulnerable to stored XSS?
alert(1) or <><img src=1 onerror=alert(1)>
What is a Content Security Policy?
A browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities.
When testing for a stored XSS vulnerability, what entry points might you test?
- parameters or other data within the URL query string and message body
- the URL file path
- HTTP request headers that might not be exploitable in relation to reflected XSS
- any out-of-band routes via which an attacker can deliver data into the application
How does a content security policy work?
If an app that employs a CSP contains XSS-like behaviour, then the CSP might hinder or prevent exploitation of the vulnerability.
Often the CSP can be circumvented (worked around) to enable exploitation of the underlying vulnerability.
What is Dangling markup injection?
A technique that can be used to capture data cross-domain in situations where a full XSS exploit is not possible due to input filters or other defences.
What can dangling markup injection be used for?
To capture sensitive information that is visible to other users - including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.
What is a CSRF token?
A unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client
What is a sink?
Sinks are the places where untrusted data coming from the sources is actually executed, resulting in DOM XSS.
How can you test for an HTML sink?
- place a random alphanumeric string into the source (e.g. location.search)
- use developer tools to inspect the HTML and find where your string appears.
- for each of the areas where the string appears, identify the context
- based on the context, refine the input to see how it is processed. E.g. if the string appears within a double-quoted attribute, then try to inject double quotes in your string to see if you can break out of the attribute.
What's the difference between an HTML sink and a JavaScript execution sink?
- HTML sink - your input appears within the DOM
- JavaScript execution sink - your input doesn't necessarily appear anywhere within the DOM, so you cannot search for it.
How do you determine whether your input is sent to a JavaScript execution sink?
Use the JavaScript debugger to determine whether and how your input is sent to a sink.
How do you test for a JavaScript execution sink?
- for each potential source, find cases within the page's JavaScript code where the source is being referenced.
- use the JavaScript debugger to add a breakpoint and follow how the source's value is used.
- if the source gets assigned to other variables, you'll need to use the search function again to track these variables and see if they are passed to a sink.
- when you find a sink that is being assigned data originating from the source, use the debugger to inspect the value by hovering over the variable to show its value before it is sent to the sink.
- then refine the input to see if you can deliver a successful XSS attack.