
The Different Types of XSS Explained With Code Examples


Cross-site scripting (XSS) is a common vulnerability that is carried out when an attacker injects malicious JavaScript into a website, which then targets the website’s visitors. By doing so, the attacker may gain access to users’ cookies, sensitive user information, as well as view and/or manipulate the content that is shown to the user. This is not another article explaining what XSS is, why it is a security issue and how to fix it because we have already covered that. This article goes into the details of the different types of XSS attacks and what happens in each scenario.

Reflected XSS

https://blog.detectify.com/2019/03/15/what-are-the-different-types-of-xss/?utm_source=DZone&utm_medium=referral&utm_campaign=XSS_types

Reflected XSS means that the payload is reflected, i.e. the server reads it from the request and includes it as part of the response as well.

/search.php?q=<h1>hello</h1> would be an example that then shows up on the page.

<?php
// The raw query parameter is concatenated straight into the HTML response.
echo "You searched for " . $_GET["q"];
?>

An attack like this requires getting the user to click on a link that includes the payload. There are several ways to achieve this; sending the link as an email or buying advertisements on a website that you know the victim is going to visit are two potential ways.

Stored/Persistent XSS


Persistent or Stored XSS means that the payload is saved on the actual page, not in the request that is then reflected. If we assume this would also occur in a search function, it could, for example, be in a list of recent popular search terms.

<?php
$terms = array(..); // load the five latest searches from a database
echo "Last five searches:<br>";
foreach ($terms as $term) {
    echo "$term <br>"; // each stored term is written straight into the HTML
}
?>

As the malicious JavaScript is saved on the page, this attack does not necessarily require you to send the victim any specific link. It depends on where on the page it is saved. If the XSS is in the latest searches you can just wait until the victim uses the search function by themselves. However, if it is stored in a specific forum thread you might need to send the victim a link to that post.
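The reflected and stored examples above share one root cause: a string from an untrusted source (the request in the first case, the database in the second) is written into the HTML body without encoding. The following added example (not code from the original post; written for Node.js rather than PHP, with the search term and stored terms constructed inline) shows the same two render paths with HTML-context output encoding applied. escapeHtml here stands in for what PHP's htmlspecialchars() with ENT_QUOTES would do in the original code.

```javascript
// Added example, not part of the original post: HTML-context output encoding
// for server-rendered search results, in Node.js instead of the post's PHP.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can change meaning inside an HTML body or
// attribute value. Equivalent in spirit to htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable equivalent of search.php: the query is concatenated into HTML as-is.
function renderSearchVulnerable(q) {
  return 'You searched for ' + q;
}

// Fixed equivalent: encode the value before it enters the HTML body context.
function renderSearchFixed(q) {
  return 'You searched for ' + escapeHtml(q);
}

// Stored case: the terms come from a database, but they originated in earlier
// requests, so they are just as untrusted and need the same encoding on output.
function renderRecentSearchesFixed(terms) {
  const items = terms.map((t) => escapeHtml(t) + ' <br>').join('\n');
  return 'Last five searches:<br>\n' + items;
}

// Constructed sample input: the harmless tag used in the post.
const SAMPLE_QUERY = '<h1>hello</h1>';

// Returns both renderings side by side so the difference is visible.
function demo() {
  return {
    vulnerable: renderSearchVulnerable(SAMPLE_QUERY),
    fixed: renderSearchFixed(SAMPLE_QUERY),
    recent: renderRecentSearchesFixed(['cats', SAMPLE_QUERY]),
  };
}
```

The encoding is context-specific: escapeHtml is correct for text placed in the HTML body or inside a quoted attribute value, but a value placed inside a script block, a URL, or a CSS rule needs the encoder for that context instead.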

DOM XSS

When you visit a website, the server generates some HTML and JavaScript which it sends back to your browser. Your browser will then interpret all this and you will see the result on your screen. JavaScript can modify what you see and this is also called modifying the DOM (Document Object Model).

DOM XSS is the catch-all term for when the attacker’s JavaScript is not interpreted directly as a result of the source you get from the server, but rather ends up being interpreted after existing JavaScript on the page has modified the DOM to include it.

Let’s continue with the search example. This could be a function that uses JavaScript to read the value from the current URL and then writes it onto the page. This would then lead to a similar vulnerability as with the reflected XSS, but this time it will be called a DOM XSS.

<html>
	<body>
		<p id="searchterm"></p>
		<script>
		// Source: the raw URL, split on the first "q=" (also picks up any parameters after it)
		searchterm = location.href.split("q=")[1];
		searchterm = decodeURIComponent(searchterm);
		// Sink: innerHTML parses the string as HTML, so any markup in it is executed
		document.getElementById("searchterm").innerHTML = "You searched for: " + searchterm;
		</script>
	</body>
</html>

DOM XSS can be much more complex than this. The JavaScript does not have to read the value from the URL; there are many other potential sources. Two examples would be postMessage, or the JavaScript sending an XHR request to another API and writing the response into the page.

If a DOM XSS reads the value from the URL, then, like reflected XSS, it requires you to share a specific link with the victim to exploit it. However, if it is caused by an API request that returns the latest search terms, the impact would be similar to that of persistent XSS.
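The DOM example above has two parts a defender can change independently: the source (how q is read from the URL) and the sink (innerHTML). The following added example (not code from the original post) rewrites both as plain functions so they run under Node.js with a stand-in element object; the page, URL and element names are constructed for the example. It keeps the original split("q=") parsing alongside the URL API to show that the naive parse also swallows any parameters that follow q.

```javascript
// Added example, not part of the original post: the DOM-XSS page rewritten so
// the search term never reaches an HTML-parsing sink.

// Original source as in the post: split the whole URL on "q=". Anything after
// the parameter (e.g. "&page=2") is kept, and a missing q yields undefined.
function getSearchTermNaive(href) {
  const raw = href.split('q=')[1];
  return raw === undefined ? undefined : decodeURIComponent(raw);
}

// Fixed source: parse the URL properly. searchParams.get() returns the
// percent-decoded value of q, or null when the parameter is absent.
function getSearchTerm(href) {
  return new URL(href).searchParams.get('q');
}

// Vulnerable sink, as in the post: in a browser, assigning innerHTML parses
// the string as HTML, so markup in the search term becomes live DOM nodes.
function renderVulnerable(element, term) {
  element.innerHTML = 'You searched for: ' + term;
  return element;
}

// Fixed sink: textContent treats the whole string as text. Markup is shown
// literally and never parsed, whatever the term contains.
function renderFixed(element, term) {
  element.textContent = 'You searched for: ' + (term === null ? '' : term);
  return element;
}

// Minimal stand-in for an HTMLElement so the functions run outside a browser
// (constructed for this example; a real element would parse innerHTML).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// In the browser the wiring for the fixed page would be:
//   renderFixed(document.getElementById('searchterm'), getSearchTerm(location.href));
```

Choosing textContent over innerHTML removes the HTML-parsing step entirely, which is a stronger guarantee than encoding the value and then still handing it to innerHTML.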


Did you find this helpful? Security can be part of anyone’s job, including developers, which is why we’ve added more educational articles and YouTube videos to help you further your security skills.

Lovepreet Singh
CEO & FOUNDER OF" FIVE RIVERS INCORPORATION - LEADING SOFTWARE & CYBER SECURITY DEVELOPMENT COMPANY" || CERTIFIED ETHICAL HACKER || FUTURE TRILLIONAIRE || FUTURISTIC || "DULL SCHOOL STUDENT" || (Follow this link to message me on WhatsApp: https://wa.me/13018426470)
