Mahin Ahmad

Advent of Cyber 2025 Day 11 Writeup: Cross-Site Scripting (XSS) | TryHackMe

Usually, a website or web app displays information that comes from the server. However, as users, we can also send information to the website through an input field. If the web server does not validate user input properly, a malicious user can submit code instead of harmless text. That code then executes and can steal credentials, deface pages, or alter user information.

Stored XSS attack: Let's say that, after user input, the malicious code is saved on the server, for example in an HTML or JS file of the website such as domain.com/tonybennet. Whoever later visits this page then becomes a victim of the attack: the code runs for anyone who views that page.

Reflected XSS is more direct. Someone hands you a seemingly valid link: facebook.com/profile/search?term=<script>alert(1)</script>. You click on it because it's from facebook.com! If the Facebook server is vulnerable to this type of reflected XSS, you become a victim of the attack: your browser runs the JavaScript code alert(1), or any other malicious code that was placed in the link.

Protecting against XSS:

Disable dangerous rendering paths: Instead of using the innerHTML property, which lets you inject any content directly into the HTML, use the textContent property; it treats the input as plain text and does not parse it as HTML.
Make cookies inaccessible to JS: Set session cookies with the HttpOnly, Secure, and SameSite attributes to reduce the impact of XSS attacks.
Sanitise input/output and encode: In some situations, applications may need to accept limited HTML input, for example to allow users to include safe links or basic formatting. However, it is critical to sanitise and encode all user-supplied data to prevent security vulnerabilities. Sanitising and encoding removes or escapes any elements that could be interpreted as executable code, such as scripts, event handlers, or JavaScript URLs, while preserving safe formatting.
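The encoding and cookie advice above, as an added example that is not code from the original post or the TryHackMe room: a server-side HTML encoding function applied to the post's own `<script>alert(1)</script>` payload, a vulnerable and a hardened version of a search-result template, and a Set-Cookie value carrying HttpOnly, Secure and SameSite. The function and template names are assumed for illustration.

```javascript
// Added example, not code from the original post or the TryHackMe room.
// Runs in Node without a browser DOM; function names are assumed.

// Encode a string so the browser renders it as literal text inside an
// HTML element. Each character that could open a tag, attribute or entity
// becomes its entity form, so "<script>" is no longer parsed as markup.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable rendering: the search term is concatenated straight into the
// page, the same pattern as the reflected facebook.com/...?term= example.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: same template, but the term is encoded first. This is
// the server-side counterpart of preferring textContent over innerHTML.
function renderSearchSafe(term) {
  return `<p>Results for: ${encodeForHtml(term)}</p>`;
}

// Set-Cookie header value for a session cookie with the attributes the post
// recommends, so a script that does run still cannot read the session.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed inputs: the two payloads quoted in the post.
const payloads = [
  "<script>alert(1)</script>",
  "<script>alert('Reflected Meow Meow')</script>",
];

for (const p of payloads) {
  console.log('vulnerable:', renderSearchVulnerable(p));
  console.log('hardened:  ', renderSearchSafe(p));
}
console.log('Set-Cookie:', sessionCookie('session', 'example-session-id'));
```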

  • Start the target machine. Type its IP address in your browser if you have OpenVPN connected; if you don't, start the AttackBox machine.


  • Notice there are some input boxes. We can start there. This is what reflected XSS looks like when we put malicious code in the input box: <script>alert('Reflected Meow Meow')</script>


  • Usually we first check whether an input box is susceptible to XSS. Today's room is very easy: there are two input boxes for two kinds of XSS. Copy and paste the payloads into them to get your flags.
