What is Cross-site Scripting (XSS) ? Types of XSS!

amrelmohamady profile image Amr Elmohamady Updated on ・3 min read

What is Cross-site Scripting?

Cross-site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks let attackers inject client-side scripts into web pages viewed by other users.

So yes, it's client-side hacking: not in Node.js, but in plain JavaScript.

What attackers do is send a script-injected link to victims. When a victim opens the link, the browser loads the site and also executes the XSS script, which steals the user's data from session storage or cookies, for example via

```javascript
document.cookie
```

The script then sends the user's data to the attacker with an HTTP request.
Here's an image that simplifies the process:

XSS Process


Types of XSS:

1- Stored XSS

Well, it's the simplest kind of XSS attack: the XSS script is stored in the database and served each time a page is loaded.
Ex:
In a blog's comments section, the attacker puts the XSS script in a comment and submits it, so the script appears (and runs) each time the page is loaded.

2- DOM XSS:

This kind is somewhat tricky, and it's the one I like most.
It happens mostly in the URL, via

```javascript
document.location
```

When JavaScript takes data from an attacker-controllable source (the URL) and passes it into the HTML using innerHTML, attackers can execute malicious scripts.

To avoid this type of XSS, use innerText instead of innerHTML. You may need innerHTML when you want to add dynamic HTML to your page; in that case, filter the inputs on the backend.

Ex:
The URL http://www.example.com/userdashboard.html?context=Mary is a dashboard customized for Mary. It contains the string "Main Dashboard for Mary" at the top.

Here is how a DOM-based XSS attack can be performed against this web application:

1. The attacker embeds a malicious script in the URL: http://www.example.com/userdashboard.html#context=SomeFunction(somevariable).
2. The victim's browser receives this URL, sends an HTTP request to http://www.example.com, and receives the static HTML page.
3. The browser starts building the DOM of the page and populates the document.URL property with that URL.
4. The browser parses the HTML page, reaches the script, and runs it, extracting the malicious content from the document.URL property.
5. The browser updates the raw HTML body of the page to contain:

```html
Main Dashboard for
<script>
SomeFunction(somevariable)
</script>
```

6. The browser finds the JavaScript code in the HTML body and executes it.
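The source-to-sink flow above, as an added example (not code from the original post): the vulnerable innerHTML renderer next to the innerText/textContent fix, with a small FakeElement standing in for the DOM element so it runs under Node. The `context` parameter, the "Main Dashboard for" string and the sample URLs are taken from the post's example; the element stub and helper names are assumptions.

```javascript
// Added example (not code from the original post): the DOM XSS described
// above, from source (document.location) to sink (innerHTML), beside the fix.
// Assumption: the page reads a `context` parameter from the URL and writes
// "Main Dashboard for <context>" into an element; Node has no DOM, so
// FakeElement stands in for the target element and serialises itself the
// way a browser would.

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Minimal element stub: innerHTML is parsed as markup, textContent becomes
// a text node (so '<' serialises as '&lt;'), as in a real browser.
class FakeElement {
  constructor() { this.markup = ''; }
  set innerHTML(html) { this.markup = html; }
  set textContent(text) { this.markup = escapeHtml(text); }
}

// Source: `context` from the fragment (never sent to the server, so no
// server-side filter or access log ever sees it), else from the query.
function extractContext(urlString) {
  const url = new URL(urlString);
  const fromHash = new URLSearchParams(url.hash.slice(1)).get('context');
  return fromHash ?? url.searchParams.get('context') ?? '';
}

// Vulnerable sink, the post's pattern: attacker string parsed as HTML.
function renderUnsafe(el, urlString) {
  el.innerHTML = 'Main Dashboard for ' + extractContext(urlString);
  return el.markup;
}

// Hardened sink: textContent (innerText in the post) keeps it as text.
function renderSafe(el, urlString) {
  el.textContent = 'Main Dashboard for ' + extractContext(urlString);
  return el.markup;
}

// Would the resulting markup hand the browser an executable script tag?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed URLs modelled on the post's example.
const BENIGN_URL = 'http://www.example.com/userdashboard.html?context=Mary';
const ATTACK_URL = 'http://www.example.com/userdashboard.html' +
  '#context=<script>SomeFunction(somevariable)</script>';
```

Because the payload sits in the fragment, only the client-side check in the page (or a browser-side scanner) can catch it; the server never receives that part of the URL.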

3- Reflected XSS (Non-persistent XSS):

This is the most common form of cross-site scripting.
Reflected XSS is not a persistent attack, so the attacker needs to deliver the link to each victim. These attacks are often carried out over social networks.
In this case, the attacker's payload has to be part of the request sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload (script) from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making that request to the server. The reflected XSS payload is then executed in the user's browser.


How to discover the various XSS types?

The easiest way is to validate inputs and use an XSS scanner.

An automated web security scanner checks your site for vulnerabilities. ... A website that's vulnerable to cross-site scripting (XSS) will allow an attacker to inject browser-side scripts into web pages viewed by users.


Follow the blog for more useful articles

Twitter: @AmrElmohamady2
