What is XSS ( Cross-site scripting )?

  • Cross-site scripting is also known as XSS. And it is the most common vulnerability which is identified in most live web-based applications. The web application is the collection of user inputs and search fields. So this is the reason which Cross-site scripting happens.
  • In the user input, malicious JavaScript code is inputted by the attacker or hacker, which aims to steal user sessions or do cruel code executions.

What are the types of cross-site scripting or XSS

  • Reflected XSS: Reflected XSS vulnerability occurs when a malicious script is reflected in the website’s result or response.
  • Stored XSS: The malicious data is stored permanently on a database and it is later accessed and run by the victims without knowing the attack.
  • DOM XSS: DOM-based XSS is where the attacker’s payload is executed due to modifying the DOM environment in the victim’s browser used by the original client-side script. The client-side code runs in an “unexpected” Manner

Above those are the types of XSS or Cross-site scripting. More importantly, we are going to discuss the Reflected XSS today.

Reflected XSS:

  • Reflected XSS is a type of vulnerability that is found on most websites, nowadays. This happens when the given user input is not correctly validated by the server and then this vulnerability is present.
  • Reflected Cross-site scripting is the type in which the injected script is reflected on the web server, like the error message, search result, or any other response. Reflected-type attacks are delivered to victims or targets via another path such as email messages or phishing. When the user is tricked into clicking the malicious script or link, then this attack triggers the user’s browser.

A simple example to find Reflected XSS is the search field.

  1. A website has a search field for searching items or searching for information and it starts from there.
  2. We will add the input to the search field. If the search input is not validating the user input then it may produce the Reflected XSS vulnerability.
Example of an attacker stealing private data using XSS

    

Steps of an attacker stealing private data using XSS:

  1. The attacker sends a link that contains malicious JavaScript code.
  2. The Malicious link is executed for normal users on his side on any browser.
  3. After execution, the sensitive data like cookies or session ID is sent back to the attacker’s server and the normal user’s private data is compromised.
  4. The normal user will not know about this issue.

Examples of Reflected XSS that happens via Search Parameter:

  1. Consider a web application that takes a search string from the user via the search parameter provided on the query string:

https://www.example.com/test.html?search=bepratical

  • The web application will show the search value that the user on the HTML page provides.
  • Check how the input is properly validated by the server and if the server is not validating the input given by the user.
  • Then try to inject the payload for getting the Reflected XSS.
  • A basic XSS payload is : <script> alert(1) </script>
  • Now inject the payload in the search parameter in the web application and see the response.
  • If the payload is executed then it is vulnerable to Reflected XSS.

Example for finding a Reflected XSS: ( I am using testphp.vulnweb.com for testing purposes)

  1. Open the website. Now type something like bepractical search for reflections.
  • Now you can see that you are able to see bepractical on the website. Now try to inject the malicious script or payload into the search field.

Payload : <script> alert(1) </script>

  • Now when we click on go you may the result. If the website is vulnerable you can get the vulnerability.
  • As you can we get a Pop-Up alert saying 1.
  • So it is vulnerable to Reflected XSS.

Impact of Reflected XSS:

  1. The attacker can hijack user accounts.
  2. An attacker could steal credentials.
  3. An attacker could exfiltrate sensitive data.
  4. An attacker can steal cookies and Session IDs.
  5. An attacker can quickly obtain access to your other client’s computers

How to overcome the problem of Reflected XSS:

  1. Try to use browser technologies that do not allow client-side scripting in input fields or URLs.
  2. Make sure that all the user-supplied inputs are adequately validated before sending them to the server.
  3. Try to implement a WAF for blocking while testing for these kinds of vulnerabilities.

For more information, you can come back to us at https://www.bepractical.tech/

Some Hacker One reports of Reflected XSS:

  1. https://hackerone.com/reports/846338
  2. https://hackerone.com/reports/697099
  3. https://hackerone.com/reports/340431
  4. https://hackerone.com/reports/840759
  5. https://hackerone.com/reports/1350887

Conclusion:

So, I hope you had understood the Reflected XSS and the damage it could cost to the web application.

So there are two main points to remember:

  1. Always validate the user-given input.
  2. Try to implement a WAF to block some of these types of vulnerabilities.