  • Cross-site Scripting (XSS)
    Web/Security 2019. 8. 30. 11:30

    1. Overview

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications: an attacker gets a script of their own to run in another user's browser, in the context of the vulnerable site. Several other web attacks are often mentioned alongside it but are distinct vulnerabilities. Cross-site tracing (XST) is a network security vulnerability that exploits the HTTP TRACE method. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (or XSRF), is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. SQL injection is a code injection technique used to attack data-driven applications.

    2. Cross-site scripting (XSS)

    2.1 Types

    • Non-persistent(reflected): The malicious script comes from the current HTTP request
    • Persistent(Stored): The malicious script comes from the website's database
    • DOM-based: Where the vulnerability exists in client-side code rather than server-side code

    2.2 Exploit Examples

    • Non-persistent (reflected)

    Suppose the application reads a message from the query string and reflects it into the page:

    https://insecure-website.com/status?message=All+is+well.
    
    <p>Status: All is well.</p>

    The application doesn't perform any other processing of the data, so an attacker can easily construct an attack like this (the URL carries the script in the message parameter, and the page reflects it unchanged):

    https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
    
    <p>Status: <script>/* Bad stuff here... */</script></p>

    If the user visits the URL constructed by the attacker, then the attacker's script executes in the user's browser, in the context of that user's session with the application. At that point, the script can carry out any action, and retrieve any data, to which the user has access.

    • Persistent (stored)

    A message board application like Tistory lets users submit messages, which are stored and later displayed to other users:

    <p>Hello, this is my message!</p>

    The application doesn't perform any other processing of the data, so an attacker can easily send a message that attacks other users:

    <p><script>/* Bad stuff here... */</script></p>

    • DOM-based

    The following client-side code reads the search term from an input field and writes it into the page via innerHTML, so the browser parses the term as markup:

    var search = document.getElementById('search').value;
    var results = document.getElementById('results');
    results.innerHTML = 'You searched for: ' + search;

    If the attacker can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:

    You searched for: <img src=1 onerror='/* Bad stuff here... */'>
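    The reflected example above, worked through in runnable form. This is an added example, not code from the original post or from PortSwigger: it takes the post's own /status?message= URL and payload, renders the page once with the raw parameter (the vulnerable version) and once with the parameter HTML-encoded on output (the hardened version), so the difference can be checked programmatically. The hostname is the post's example hostname; the function names, the htmlEncode helper and the containsScriptTag check are my own illustrative choices.

```javascript
// Added example (not from the original post): the /status?message= page from
// section 2.2 rendered two ways. Hostname is the post's example host; function
// names are illustrative. Runs under Node.js (URL is a global there).

// Minimal HTML-body encoder: neutralises the characters that can start a tag,
// an entity, or break out of a quoted attribute.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Read the message parameter the way the server would (application/x-www-form-
// urlencoded decoding, so "+" becomes a space and %3C becomes "<").
function getMessage(requestUrl) {
  return new URL(requestUrl).searchParams.get('message') || '';
}

// Vulnerable: reflects the query parameter straight into the HTML body.
function renderStatusVulnerable(requestUrl) {
  return `<p>Status: ${getMessage(requestUrl)}</p>`;
}

// Hardened: same page, but the parameter is HTML-encoded on output (section 3.2).
function renderStatusHardened(requestUrl) {
  return `<p>Status: ${htmlEncode(getMessage(requestUrl))}</p>`;
}

// What the attacker sends the victim: the payload URL-encoded into the query string.
function buildAttackUrl(payload) {
  const u = new URL('https://insecure-website.com/status');
  u.searchParams.set('message', payload);
  return u.toString();
}

// Check used below: does the rendered page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The post's payload, unchanged.
const PAYLOAD = '<script>/* Bad stuff here... */</script>';

const attackUrl = buildAttackUrl(PAYLOAD);
console.log('attacker URL :', attackUrl);
console.log('vulnerable   :', renderStatusVulnerable(attackUrl));
console.log('hardened     :', renderStatusHardened(attackUrl));
console.log('benign       :', renderStatusHardened('https://insecure-website.com/status?message=All+is+well.'));
```

    Run it with node and compare the two rendered <p> lines: the vulnerable one contains the script tag exactly as in the post, the hardened one contains &lt;script&gt; text that the browser displays but never executes. The stored (message board) case is the same bug with a different source, so the same encoder is applied when the message is read from the database and written into the page. For the DOM-based case the equivalent fix is to assign the search term to results.textContent instead of results.innerHTML, which writes it as text rather than parsing it as markup.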

    3. Prevention

    3.1 Filter input on arrival

    • At the point where user input is received, filter as strictly as possible based on what is expected or valid input.

    3.2 Encode data on output

    • Encode output to prevent it from being interpreted as active content
    • Depending on where the data lands in the page (HTML body, attribute, URL, script, style), this may require applying combinations of HTML, URL, JavaScript, and CSS encoding

    3.3 Use appropriate response headers

    • If a response is not intended to contain HTML or JavaScript (for example a JSON API), set the Content-Type header to the correct type and add X-Content-Type-Options: nosniff, so browsers interpret the response as you intend instead of sniffing it into HTML

    3.4 Content Security Policy

    • Use CSP to reduce the severity of any XSS vulnerabilities that still occur, for example by disallowing inline scripts and restricting the origins scripts may be loaded from
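    An added example (my own code, not the post's or PortSwigger's) applying controls 3.1, 3.3 and 3.4 to the hypothetical /status endpoint: an allowlist validator for the message parameter, the response headers for a JSON API and for an HTML page, and a small CSP parser that audits whether a policy would still let an injected inline script run. The allowlist pattern, the header values, the policy strings and the /csp-report path are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): section 3 controls 3.1, 3.3 and
// 3.4 for a hypothetical /status endpoint. Pattern, header values, policies and
// the /csp-report path are illustrative assumptions. Runs under Node.js.

// 3.1 Filter input on arrival: an allowlist for the status message. Anything
// that is not short plain text is rejected before storage or rendering. The
// pattern is deliberately narrow; widen it only for what the feature needs.
const MESSAGE_RE = /^[A-Za-z0-9 .,!?'-]{1,140}$/;
function validateMessage(message) {
  return typeof message === 'string' && MESSAGE_RE.test(message);
}

// 3.3 Response headers for a JSON API: declare the type and forbid MIME
// sniffing so the body can never be interpreted as HTML.
function jsonResponseHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// 3.4 Headers for the HTML page, including a CSP that allows no inline script,
// loads scripts only from the page's own origin, blocks plugins and <base>
// hijacking, and reports violations to a (hypothetical) endpoint.
function htmlResponseHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; report-uri /csp-report",
  };
}

// Parse a CSP header value into { directive: [source, ...] } for auditing.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audit: would an injected inline <script> (or a script from an attacker-
// controlled host) still run under this policy? script-src governs scripts;
// default-src is the fallback when it is absent. 'unsafe-inline' is ignored by
// CSP Level 2+ browsers when a nonce or hash source is also present.
// Returns a list of findings; an empty list means inline script is blocked.
function cspFindings(policy) {
  const csp = parseCsp(policy);
  const findings = [];
  const scriptSrc = csp['script-src'] || csp['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return findings;
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected inline script runs");
  }
  if (scriptSrc.includes('*') || scriptSrc.includes('https:')) {
    findings.push('script-src allows any origin: attacker-hosted script can be loaded');
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': string-to-code sinks are enabled");
  }
  return findings;
}

// Constructed sample policies: a weak one beside the corrected one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRONG_CSP = htmlResponseHeaders()['Content-Security-Policy'];

console.log('valid "All is well."      :', validateMessage('All is well.'));
console.log('valid "<script>..."       :', validateMessage('<script>/* Bad stuff here... */</script>'));
console.log('weak CSP findings         :', cspFindings(WEAK_CSP));
console.log('strong CSP findings       :', cspFindings(STRONG_CSP));
```

    The validator is a first line of defence only: it keeps obviously hostile input out of the database, but output encoding is still required because the same stored value may later be written into an attribute or a script block where a different character set matters. The CSP audit is useful against a live site's headers as well as the constructed samples here.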

    4. References

    https://en.wikipedia.org/wiki/Cross-site_tracing

    https://en.wikipedia.org/wiki/Cross-site_scripting

    https://en.wikipedia.org/wiki/Cross-site_request_forgery

    https://en.wikipedia.org/wiki/SQL_injection

    https://en.wikipedia.org/wiki/HTML_sanitization

    https://portswigger.net/web-security/cross-site-scripting
