Cross Site Scripting [Reflected]
Hello Friends,
This is my 27th blog on web application security penetration testing. In this blog I will explain about Reflected Cross Site Scripting.
In my last blog, I have explained about SMS or Email Bombing Attack. Hope everyone liked it. If you haven’t read it yet please follow along.
You can find hundred’s of blog on cross site scripting. So ultimate question is “why am I writing blog on this?”
Answer is, I am trying to help beginners and professionals to understand every bug with easy language representation and easy way to identify and exploit it. I am also trying to cover all possible ways to test it. Trust me, If you are giving an interview in cybersecurity then my blogs will help every reader to explain every concept in great details.
What is Cross Site Scripting?
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code
What are the Types of Cross Site Scripting?
- Reflected Cross Site Scripting
- Stored Cross Site Scripting
- DOM based Cross Site Scripting
- Blind XSS
What is Reflected Cross Site Scripting?
When a user supplied input is not validated or sanitized properly and displays back on the output of the web browser then we called it as Reflected Cross Site Scripting.
How to Test for Reflected Cross Site Scripting?
● Find some common pages such as Contact Us | Search bar | Comment Box | Forums |Signup | Login Page | Feedback Forms, etc.
● Find Input Parameters which is dynamic and user supplied.
● Give any Input There, if your Input reflect back either on page itself or in browsers DOM,
● Try to Inject any JavaScript there , if JS executed successfully then there is reflected XSS. If payload is bypassed try to bypass filter by understanding tag closing.
Below are some POC’s which I have collected from my Pen-Testing real time scenarios for you guys,
Scenario 1:
Page Name: Design Page Layout
Field Name: Page Name & Description both fields are vulnerable.
Payload Used: “><script>alert(1)</script>
Payload Executed:
Payload Used: “><script>alert(document.domain)</script>
Scenario 2:
Page Name: Blogging Page
Field Name: Search Parameter
Payload Used:<script>alert(1)</script>
Cross Site Scripting Impact:
Cookie Theft
Keylogging
URL Redirection
Phishing Attack
Downloading Malwares on victim’s computer, etc.
Cross Site Scripting Prevention:
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
- Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
- Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
- Use appropriate response headers. To prevent XSS in HTTP responses that aren’t intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
- Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
Labs to Practice XSS:
- http://www.xssgame.com/
- https://jlajara.gitlab.io/web/2018/12/16/XSS-Google-Game.html
- https://alf.nu/alert1
- https://prompt.ml/
In my next blog, I will show you step by step execution for [Stored cross Site Scripting]. So you people will understand How data is getting pass over the different layer and stored into Database without proper validation.
I hope you people are enjoying reading my blogs. If you have any questions please drop me in comment section.
Please do like and follow for more reads!
Thanks!
