Today we will learn the basics of Cross Site Scripting (XSS).
Ahh please stop thinking why they call it XSS and not CSS, I wasted hours thinking about that.
Now let's get straight to the point.
What Is XSS?
It is a web application vulnerability which lets an attacker run their own scripts (client-side scripts, actually) inside web pages served to other users.
An attacker can easily steal cookies and credentials, and even spread malware, by successfully exploiting an XSS vulnerability.
Most of the time, an input form is the place where an attacker injects the malicious code.
Well, you can't understand what XSS is without seeing it in action, so let's do it.
Finding And Exploiting XSS Vulnerability
I have a website here:
As you can see in the above screenshot, there is a search box at the top. Now let's search for something.
Ummm ok…I searched for ultimate and here is the result:
It looks normal. Now let's take a look at the source code of the webpage to see how the webpage processes our input. You can do this by right clicking anywhere on the page and choosing the View Page Source option.
But if you are in a hurry you can always right click on the search result (ultimate in our case) and then choose Inspect Element option which will take you to the desired line directly.
So here is what the page source says:
So the code we should focus on is:
<li><a href="******.**">Home</a></li> ultimate </ul>
Look at the code above, before ultimate there is </li> and after ultimate there is </ul>. There is nothing between </li> and </ul>. So it looks like there is nothing which can interfere with our input.
We can verify it by entering a basic script in the search box.
So I entered <script>alert('Just a test by Ultimate Hackers');</script> and boom!
We got a pop up here:
Great! This webpage is vulnerable to XSS.
Now we will try to make the page to show an image of our choice.
For this I will enter the following query in the search box:
<img src="http://teamultimate.in/wp-content/uploads/2017/03/slide-main.png" />
And here is our desired image on the victim webpage,
Unfortunately, no user will be able to see this image or the pop up unless we send them the link.
For example, if we want someone to see the "Just a test by Ultimate Hackers" pop up, then we must get them to visit the URL of the search result, i.e.
It doesn’t sound cool. Does it? Well XSS is just not limited to here.
Here are some things to consider:
1. If there is an input form, like a search box, or a comment box or just anything where you can type and submit something to the website then you should try checking for XSS vulnerability.
2. We exploited a search box here, and the pages generated by the search were dynamic, which means every time you search for something there will be different results. These search results do not get stored on the website. This is called reflected XSS: the script only runs for a user who opens a link carrying it.
But sometimes there are forms which let an attacker save the malicious script permanently on the server, so that it loads every time a user visits the infected page. This is called stored XSS.
For example, on many websites you can post your views about an article through the comment box, and the website saves the comment in its database. So whenever a user views the post you commented on, they will see your comment.
But what if you write a malicious script in the comment box? Yep, the script will get executed whenever a user accesses that post.
3. The website we used as an example here was way too simple in handling input, but many websites filter user input and try to block XSS attempts. We will learn what kinds of filters are used and how to bypass them in the next article.
4. The only thing we did today was display a harmless pop up and an image. But as I told you earlier, XSS can be used for phishing, cookie stealing and spreading malware. We will learn how these things work later in the XSS series.
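To show why the search page above was exploitable and what the fix looks like, here is an added example of my own (not code from the original post or from the site shown): the same reflection written as a tiny page template, next to the output-encoding version a developer would ship. The function names, the "/" home link standing in for the masked URL, and the tag counter are my assumptions; the same escaping step is what protects a stored comment when it is rendered later.

```javascript
// Constructed from the fragment seen in the page source of the post:
// the search term is dropped between </li> and </ul> with no encoding.
// The real href was masked in the post, so "/" is a placeholder.
function renderResultsVulnerable(searchTerm) {
  return '<ul><li><a href="/">Home</a></li> ' + searchTerm + ' </ul>';
}

// The fix: encode the characters that can open or close HTML context,
// at the moment the value is written into the page. This is the same
// step whether the value came from the URL (reflected) or from the
// database (stored comment).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderResultsSafe(searchTerm) {
  return '<ul><li><a href="/">Home</a></li> ' + escapeHtml(searchTerm) + ' </ul>';
}

// Crude check used here to compare the two renderings: count opening tags
// beyond the three the template itself emits (<ul>, <li>, <a>). Any extra
// opening tag came from the user-supplied term, i.e. the input changed the
// structure of the page. A real scanner would parse the HTML instead.
function extraTagCount(html) {
  const openingTags = html.match(/<[a-z]+/gi) || [];
  return openingTags.length - 3;
}

// The harmless test string from the post, used as sample input.
const testTerm = "<script>alert('Just a test by Ultimate Hackers');</script>";
console.log('vulnerable extra tags:', extraTagCount(renderResultsVulnerable(testTerm))); // 1
console.log('safe extra tags:', extraTagCount(renderResultsSafe(testTerm)));             // 0
```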
Till then, keep reading and start learning HTML if you haven't learned it already, and believe me, HTML is really easy.