Demystifying Cross-site Scripting #XSS
Download your own Web hacking LAB: https://thehackerish.com/owasp-top-10-lab-vm-free
Blog post: https://thehackerish.com/cross-site-scripting-xss-explained
Follow us on Twitter: https://twitter.com/thehackerish
Facebook Page: https://www.facebook.com/thehackerish

Hello ethical hackers! Welcome to this new episode of the OWASP Top 10 vulnerabilities series. In this video, you will learn about Cross-Site Scripting (XSS). There is so much content addressing this subject, from XSS discovery to all kinds of XSS filter bypass. This video will explain all these aspects and give you references to go deeper for each one. Hopefully, it will be a general XSS guide for you to come back to when you need anything related to XSS.

During this episode, you will learn the following:
- How does XSS work: This is where you will understand the underlying concepts which allow for a Cross-Site Scripting vulnerability to happen. You can’t understand the rest if you don’t understand this section.
- What are the types of XSS: We will explore all the different XSS types with examples.
- Where to find XSS: I will share with you the different injection contexts where XSS might occur.
- How to test for XSS: In this section, you will learn the different approaches to testing for XSS.
- XSS filter bypass
- XSS attack examples: You will find and analyze real XSS bugs disclosed on Hackerone. Hopefully this will inspire you to find them yourself.
- XSS impact: Once you have found a Cross-Site Scripting vulnerability, you will learn what you can do with it.
- How to prevent XSS: If you are a developer and want to secure your code against XSS, or if you are a bug bounty hunter trying to write an exhaustive report including how to mitigate it, this section is for you.
- XSS references: There are many awesome in-depth references which will help you go even deeper in particular aspects of XSS.
Cross-Site Scripting happens when the application fails to properly validate user input before the Web browser processes it. As a result, an attacker can inject arbitrary JavaScript code inside the vulnerable application. When the victim navigates to the vulnerable page, the Web browser runs the malicious JavaScript code.

When you succeed at exploiting a Cross-Site Scripting vulnerability, it’s like you’ve got a chair in front of the victim’s Web browser. You can perform almost all the operations the user can do on the vulnerable application. If cookies are well protected, you can target a feature in the application. For example, if the application allows you to edit the email without asking for a password, you can forge a request using JavaScript and edit the email. Then, when you reset the victim’s password, you will receive the password reset link in your email address. Therefore, you will achieve account takeover.

You can also inject JavaScript code to redirect users to your malicious website, which might be an exact replica of the original application’s login page. Usually, people don’t pay attention to the address bar, especially if they are on mobile. For example, the following script will redirect users to your server.

The basic idea to prevent XSS is to tell the Web browser how to differentiate between HTML and the data. You do that by properly encoding the data. For example, you can perform HTML entity encoding to transform the malicious user input <img> tag into &lt;img&gt;. When the browser sees that string, it doesn’t treat it as an image tag.
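
The HTML entity encoding described above, shown as a vulnerable render function beside its encoded form. This is an added example, not code from the video or blog post; the function names and the sample inputs are constructed for illustration.

```javascript
// Characters that can change how the HTML parser reads data, with their entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode untrusted data for the HTML body and for quoted attribute values.
// A single pass over the input means an existing "&lt;" becomes "&amp;lt;"
// and is shown literally instead of being decoded back into "<".
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: user input is concatenated into markup, so the browser
// parses it as HTML (new tags, new attributes, event handlers).
function renderCommentUnsafe(author, comment) {
  return '<div class="comment" title="' + author + '">' + comment + "</div>";
}

// Hardened: every untrusted value is encoded at the point of output,
// so the browser receives it as text, not as markup.
function renderCommentSafe(author, comment) {
  return '<div class="comment" title="' + encodeHtml(author) + '">' +
    encodeHtml(comment) + "</div>";
}

// Constructed sample input: one value aimed at the element body,
// one aimed at breaking out of the quoted title attribute.
const sampleComment = "<img src=x onerror=alert(1)>";
const sampleAuthor = 'bob" onmouseover="alert(1)';

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleComment));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleComment));
```

This encoding covers the HTML body and quoted attribute values only; data placed inside a script block or a URL needs the encoding that matches that context.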