Many organizations choose to ignore XSS vulnerabilities because they only affect end users and give an attacker no direct ability to execute code on the back-end server. In this module, we will discuss why XSS should nevertheless be taken seriously. We will discuss the three types of XSS vulnerabilities, how to identify them, and how to exploit them.
In addition to this, the Cross-Site Scripting (XSS) module will teach you the following:
- What is an XSS vulnerability?
- History of XSS attacks in real-life
- What are Stored XSS, Reflected XSS, and DOM-based XSS
- Techniques to identify XSS vulnerabilities
- Defacing attacks to change the look of a website
- Phishing attacks to steal the victim's login details and to perform a phishing simulation exercise
- Session Hijacking attacks to obtain the victim's session cookie and use it to access their account
- Front-end and back-end steps to prevent XSS vulnerabilities and protect your web application against them
CREST CPSA/CRT-related Sections:
- All sections
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or in your own virtual machine.
The module is classified as "Easy" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. The module also assumes a basic understanding of web applications and web requests and will build on this understanding to teach how XSS vulnerabilities and attacks work.
In addition to the above, a firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:
- Learning Process
- Web Requests
- Intro to Web Applications
What is XSS
XSS payloads execute entirely on the client-side, in the victim's browser, and hence do not directly affect the back-end server. They only affect the users whose browsers run the injected code. The direct impact of XSS vulnerabilities on the back-end server may therefore be relatively low, but they are very commonly found in web applications, so this equates to a medium risk (low impact + high probability = medium risk). We should always attempt to reduce that risk by detecting, remediating, and proactively preventing these types of vulnerabilities. Note that "low impact" is relative to the server only: for the affected user, the injected script runs with the full privileges of the application in that user's session, which is exactly what the attacks later in this module exploit.
In 2014, a security researcher accidentally identified an XSS vulnerability in Twitter's TweetDeck dashboard. This vulnerability was exploited to create a self-retweeting tweet in Twitter, which led the tweet to be retweeted more than 38,000 times in under two minutes. Eventually, it forced Twitter to temporarily shut down TweetDeck while they patched the vulnerability.
To this day, even the most prominent web applications have XSS vulnerabilities that can be exploited. Even Google's search engine page had multiple XSS vulnerabilities in its search bar, the most recent of which was in 2019, when an XSS vulnerability was found in a client-side JavaScript library (Google Closure) that the page used. Furthermore, the Apache Software Foundation, which maintains the most widely used web server on the internet, once reported an XSS vulnerability in its own infrastructure that was being actively exploited to steal user passwords, including those of users from certain companies. All of this tells us that XSS vulnerabilities should be taken seriously, and a good amount of effort should be put towards detecting and preventing them.
Types of XSS
There are three main types of XSS vulnerabilities:
| Type | Description |
| --- | --- |
| Stored (Persistent) XSS | The most critical type of XSS, which occurs when user input is stored in the back-end database and then displayed upon retrieval (e.g., posts or comments) |
| Reflected (Non-Persistent) XSS | Occurs when user input is displayed on the page after being processed by the back-end server, but without being stored (e.g., search results or error messages) |
| DOM-based XSS | Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., URL parameters or fragments after the # anchor that client-side JavaScript reads and writes into the page) |
The three types differ in where the untrusted input comes from (a database record, the current request, or the URL as read by client-side code) and in whether the server ever sees it; the sink, an HTML context that interprets the input as markup, is the same in all three. We will cover each of these types in the upcoming sections and work through exercises to see how each of them occurs, and then we will also see how each of them can be utilized in attacks.
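The following is an added example, not code from the HTB module, that models the three types above in dependency-free Node.js so the differences in source and sink are visible in code. Each "page" is a function returning the HTML the server (or, for DOM-based XSS, the browser-side script) would produce, with a vulnerable and a safe variant side by side. The host `app.example`, the comment store, the payload and the `fakeElement` stand-in for a DOM node are all constructed for the example; the fake element records whether markup was interpreted, which is the real difference between the `innerHTML` and `textContent` sinks.

```javascript
// Added example (not part of the HTB module): a dependency-free Node.js model
// of the three XSS types. Each "page" is a function that returns the HTML the
// server (or, for DOM XSS, the browser script) would produce, so the difference
// between the types shows up as a difference in where the input comes from
// and how it reaches an HTML sink. URLs, comments and payloads are constructed.

// Escapes the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// --- Stored XSS: input is persisted server-side and rendered to every visitor.
// `store` stands in for the back-end database (an array of submitted comments).
function postComment(store, text) {
  store.push(text);
  return store.length;
}
function renderCommentsVulnerable(store) {
  return '<ul>' + store.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}
function renderCommentsSafe(store) {
  return '<ul>' + store.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// --- Reflected XSS: input arrives in the current request and is echoed once,
// only to the user who sent (or was tricked into sending) that request.
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') || '';
}
function renderSearchVulnerable(requestUrl) {
  return `<h1>Results for: ${searchTerm(requestUrl)}</h1>`;
}
function renderSearchSafe(requestUrl) {
  return `<h1>Results for: ${escapeHtml(searchTerm(requestUrl))}</h1>`;
}

// --- DOM-based XSS: the server never sees the input. The fragment after '#'
// is not sent in the HTTP request at all; client-side JavaScript reads it from
// location.hash and writes it into the page.
// Stand-in for a DOM element, since this runs outside a browser: assigning
// innerHTML "parses" markup (tag names are recorded), assigning textContent
// does not, mirroring the real distinction between the two sinks.
function fakeElement() {
  const el = { parsedTags: [], text: '' };
  Object.defineProperty(el, 'innerHTML', {
    set(html) {
      el.parsedTags = Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
      el.text = html.replace(/<[^>]*>/g, '');
    },
  });
  Object.defineProperty(el, 'textContent', {
    set(text) {
      el.parsedTags = [];
      el.text = text;
    },
  });
  return el;
}
function nameFromFragment(pageUrl) {
  // location.hash keeps the leading '#' and is not percent-decoded for you.
  return decodeURIComponent(new URL(pageUrl).hash.slice(1));
}
function renderWelcomeVulnerable(pageUrl, el) {
  el.innerHTML = `Welcome, ${nameFromFragment(pageUrl)}`;   // HTML sink
  return el;
}
function renderWelcomeSafe(pageUrl, el) {
  el.textContent = `Welcome, ${nameFromFragment(pageUrl)}`; // text sink
  return el;
}

// Demo with constructed inputs: one benign comment and one classic payload.
const payload = '<img src=x onerror=alert(document.cookie)>';
const db = [];
postComment(db, 'Nice article!');
postComment(db, payload);
console.log('stored (vulnerable):', renderCommentsVulnerable(db));
console.log('stored (safe):      ', renderCommentsSafe(db));
const searchUrl = 'https://app.example/search?q=' + encodeURIComponent(payload);
console.log('reflected (vulnerable):', renderSearchVulnerable(searchUrl));
console.log('reflected (safe):      ', renderSearchSafe(searchUrl));
const pageUrl = 'https://app.example/welcome#' + encodeURIComponent(payload);
console.log('DOM (vulnerable) parsed tags:', renderWelcomeVulnerable(pageUrl, fakeElement()).parsedTags);
console.log('DOM (safe) parsed tags:      ', renderWelcomeSafe(pageUrl, fakeElement()).parsedTags);
```

Run it with `node` and compare the three vulnerable outputs: in the stored case the payload is served to every visitor without any action on their part, in the reflected case it only reaches a user who opens the crafted `?q=` link, and in the DOM case the request log on the server would show nothing at all, because the `#` fragment never leaves the browser. The safe variants differ only in the sink: escaping for an HTML context, or a text sink (`textContent`) instead of `innerHTML`.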