XSS Flashcards

1
Q

What are the 3 types of XSS?

A

Reflected
Stored
DOM-based

2
Q

What is reflected XSS?

A

When an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way

3
Q

What is stored XSS?

A

When an application receives data from an untrusted source and includes that data within its later response in an unsafe way

4
Q

What is DOM-based XSS?

A

When an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back into the DOM

5
Q

What is XSS used for?

A
  • impersonate the victim user
  • carry out any actions the user is able to perform
  • read any data the user is able to access
  • capture the user's login credentials
  • perform virtual defacement of the web site
  • inject trojan functionality into the web site
6
Q

How can XSS vulnerabilities be prevented?

A
  • filter/sanitise input on arrival
  • encode data on output
  • use appropriate response headers
  • content security policy
7
Q

What areas of a web app do you test for reflected XSS?

A
  • every entry point for data
8
Q

How do you test for reflected XSS?

A

1) submit random alphanumeric values into each entry point to determine whether the value is reflected in the response.
2) determine the reflection context: where is the reflected value located? Is it quoted within a JavaScript string?
3) test a candidate payload that will trigger JavaScript execution if it is reflected unmodified within the response.
4) test alternative payloads: if the first was blocked or modified, try different payloads.
5) test the attack in a browser: if one works in Burp, try it on the web page.

9
Q

What is a simple JavaScript payload to use in a reflected XSS attack that would trigger a visible pop-up?

A

alert(document.domain)

10
Q

When carrying out a stored XSS attack, what are some areas that could be potentially vulnerable?

A
  • comments section
  • user nicknames in a chat room
  • contact details on a customer order
11
Q

If vulnerable to stored XSS, where might you receive data from untrusted sources?

A
  • a webmail application displaying messages received over SMTP
  • a marketing application displaying social media posts
  • a network monitoring application displaying packet data from network traffic
12
Q

What string could you input to test whether a web app is vulnerable to stored XSS?

A

alert(1) or <img src=1 onerror=alert(1)>

13
Q

What is a Content Security Policy?

A

A browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities.

14
Q

When testing for a stored XSS vulnerability, what entry points might you test?

A
  • parameters or other data within the URL query string and message body
  • the URL file path
  • HTTP request headers that might not be exploitable
  • any out-of-band routes via which an attacker can deliver data into the application
15
Q

How does a content security policy work?

A

If an app that employs a CSP contains XSS-like behaviour, then the CSP might hinder or prevent exploitation of the vulnerability.
Often the CSP can be circumvented (worked around) to enable exploitation of the underlying vulnerability.

16
Q

What is Dangling markup injection?

A

A technique that can be used to capture data cross-domain in situations where a full XSS exploit is not possible due to input filters or other defences.

17
Q

What can dangling markup injection be used for?

A

To capture sensitive information that is visible to other users, including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.

18
Q

What is a CSRF token?

A

A unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client

19
Q

What is a sink?

A

Sinks are the places where untrusted data coming from the sources is actually executed, resulting in DOM XSS.

20
Q

How can you test for an HTML sink?

A
  • place a random alphanumeric string into the source (e.g. location.search)
  • use developer tools to inspect the HTML and find where your string appears
  • for each of the places the string appears, identify the context
  • based on the context, refine the input to see how it is processed; e.g. if the string appears within a double-quoted attribute, try to inject double quotes in your string to see if you can break out of the attribute
21
Q

What's the difference between an HTML sink and a JavaScript execution sink?

A
  • HTML sink: your input appears within the DOM
  • JavaScript execution sink: your input doesn't necessarily appear anywhere within the DOM, so you cannot search for it
22
Q

How do you determine whether your input is sent to a JavaScript execution sink?

A

Use the JavaScript debugger to determine whether and how your input is sent to a sink.

23
Q

How do you test for a JavaScript execution sink?

A
  • for each potential source, find cases within the page's JavaScript code where the source is being referenced
  • use the JavaScript debugger to add a breakpoint and follow how the source's value is used
  • if the source gets assigned to other variables, you'll need to use the search function again to track these variables and see if they are passed to a sink
  • when you find a sink that is being assigned data originating from the source, use the debugger to inspect the value by hovering over the variable to show its value before it is sent to the sink
  • then refine the input to see if you can deliver a successful XSS attack