Today we will learn the basics of Cross-Site Scripting (XSS).
Ahh please stop thinking why they call it XSS and not CSS, I wasted hours thinking about that.
Now let’s get straight to the point.
What Is XSS?
It is a web application vulnerability that lets an attacker inject his own scripts (client-side scripts actually) into web pages and have them run there.
An attacker can easily steal cookies, credentials, and even spread malware by successfully exploiting an XSS vulnerability.
Most of the time, an input form is used by an attacker to inject his malicious code.
Well, you can’t understand what XSS is without seeing it in action, so let’s do it.
Finding And Exploiting XSS Vulnerability
I have a website here:
As you can see in the above screenshot, there is a search box on top. Now let’s search for something.
Ummm ok…I searched for ultimate and here is the result:
It looks normal. Now let’s take a look at the source code of the webpage to see how the webpage processes our input. You can do this by right-clicking anywhere on the page and choosing the view page source option.
But if you are in a hurry, you can always right-click on the search result (ultimate in our case) and then choose the Inspect Element option, which will take you to the desired line directly.
So here is what the page source says:
So the code we should focus on is:
<li><a href="******.**">Home</a></li> ultimate </ul>
Look at the code above, before ultimate there is </li> and after ultimate there is </ul>. There is nothing between </li> and </ul>. So it looks like there is nothing that can interfere with our input.
We can verify it by entering a basic script in the search box.
So I entered <script>alert('Just a test by Ultimate Hackers');</script> and boom!
We got a pop up here:
Great! This webpage is vulnerable to XSS.
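Why the search box behaved this way, and what fixes it, shown as an added example (not the site's own code): the search term is placed into the HTML unchanged, so the browser parses it as markup, while encoding it on output makes it display as plain text. The template, function names and sample inputs are constructed assumptions based on the fragment shown above.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the fragment in the page source above; the site's
# real server code is not shown, so this template is an assumption.
TEMPLATE = '<ul><li><a href="/">Home</a></li> {term} </ul>'

# Constructed sample inputs: a plain term, the alert test, and an image tag.
PLAIN = "ultimate"
SCRIPT = "<script>alert('Just a test by Ultimate Hackers');</script>"
IMG = '<img src="http://example.invalid/picture.png" />'

def render_vulnerable(term):
    """Reflect the search term into the HTML unchanged (behaviour seen above)."""
    return TEMPLATE.format(term=term)

def render_escaped(term):
    """Encode <, >, & and quotes so the term is displayed as text, not parsed."""
    return TEMPLATE.format(term=html.escape(term, quote=True))

class TagCollector(HTMLParser):
    """Collects the name of every element an HTML parser finds in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

def injected_tags(rendered):
    """Return elements in the output that the template itself does not contain."""
    found = tags_in(rendered)
    for tag in tags_in(TEMPLATE.format(term="")):
        found.remove(tag)
    return found

if __name__ == "__main__":
    for term in (PLAIN, SCRIPT, IMG):
        print(repr(term))
        print("  unescaped adds:", injected_tags(render_vulnerable(term)))
        print("  escaped adds:  ", injected_tags(render_escaped(term)))
```

A normal search such as ultimate renders identically in both versions, so the encoding costs legitimate users nothing.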
Now we will try to make the page show an image of our choice.
For this I will enter the following query in the search box:
<img src="http://******.com/wp-content/uploads/2017/03/slide-main.png" />
And here is our desired image on the victim webpage,
Unfortunately, no user will be able to see this image or the pop up unless we send him the link.
Like if we want him to see the Just a test by Ultimate Hackers pop up then we must ask him to visit the URL for search result i.e.
It doesn’t sound cool, does it? Well, XSS is not limited to this.
Here are some things to consider:
1. If there is an input form, like a search box, or a comment box, or just anything where you can type and submit something to the website then you should try checking for XSS vulnerability.
2. We exploited a search box here, and the pages generated by the search were dynamic. This means, every time you search something there will be different results. These search results do not get stored on the website.
But sometimes there are forms that let an attacker save the malicious script permanently on the server and make it load every time a user visits the infected page.
For example, on many websites you can post your views about a post through the comment box, and the website saves the comment in its database. So whenever a user views the post on which you commented, he will be able to see your comment.
But what if you write a malicious script in the comment box? Yep, the script will get executed whenever a user accesses that post.
3. The website we used as an example here was way too simple at handling input but many websites filter user input and try to block XSS attempts. We will learn what kind of filters are used and how to bypass them in the next article.
4. The only thing we did today was to display a harmless popup and an image. But as I told you earlier, XSS can be used for phishing, cookie stealing, and spreading malware. We will learn how to do these things later in the XSS series.
Till then, keep reading and start learning HTML if you haven’t learned it already, and believe me, HTML is really easy.