What XSS is, how dangerous is it, and how to avoid it when programming

Tram Ho

Source: https://tienminhvy.com/kinh-nghiem/xss-la-gi-va-cach-phong-tranh

XSS security vulnerabilities

XSS is one of the well-known security vulnerabilities, unlike SQL injection, the XSS vulnerability is mainly implemented on the client side, in order to steal user information.

What is XSS? XSS at a glance

XSS (which stands for Cross-Site Scripting) is simply understood as a common malware attack in which hackers take advantage of vulnerabilities to insert script code, then send them to people. using (or a user accidentally accessing an infected site). Thereby stealing the user’s cookie information and using it to login accounts on the website that were infected with malicious code.

This is a simple attack but causes great damage to websites such as banking, e-commerce. At the same time, this is also a security issue to consider when programming a web application.

How dangerous is XSS?

As I mentioned above, XSS is extremely dangerous because it causes a lot of damage to a website, especially a business website, when a website is attacked by XSS, it will damage both the website owner and also the users on that website, making that website’s reputation decline. In addition, the hacker can use the user’s account for fraudulent purposes, …

Some of the famous XSS attacks:

Classification and examples of XSS

Currently, there are 3 main types of XSS:

Stored XSS

Stored XSS is the basic XSS vulnerability commonly found in unsecured web applications, with this bug taking advantage of the location where it was discovered (such as a comment form or support page. website technical support, …). Then send this malicious code to the database side and store there.

When the victim accesses the comment page, the system will take all comments (including the comments infected with malicious code of the hacker) and print them out on the screen, as soon as the page loading process is complete, the web browser of the user will execute the malicious code (depending on what kind of malicious code the hacker inserted, such as the malicious code that collects the user’s cookies).

Here is a small web application I wrote to use to demo for you what is Stored XSS (only for learning and demo purposes only):

If you want to know what the function of mysqli_real_escape_string () function is for, you can see this article: What is SQL Injection and how to prevent it?

The small web app example above is the comments section of a blog page, where users can enter comments with whatever they want. And I’m just an ordinary user to go to the comment section of the website to express his opinion with the website owner.

Because my personality is a bit naughty, I will try to see if this comment item has any security holes, after checking for the unsuccessful SQL injection, I turn to testing the XSS error by entering the <script> line. </script> enter.

stored xss 01

And unexpectedly, the MSG I bolded, I couldn’t see the message I entered, I checked the source code of the page by pressing Ctrl + U

stored xss 02

stored xss 03

Well, you see my line is bold, it proves to us that the website has XSS type 1 security vulnerability already. To make sure that the javascript code can be executed in the script tag pair, right in the comment form, I enter this line and click Send.

And if the website is reporting like this, it is 100% sure that this website has XSS error.

stored xss 04

And here is our javascript snippet in the source code of the web page.

stored xss 05

With this vulnerability, hackers can take advantage of it to steal cookies, in order to use these cookies to impersonate users to log in to the website above. Or more dangerous than using it to DDOS any other website. For example, I will take advantage of it to steal cookie information of users who visit this comment page, I will use the following javascript:

And all cookies of the user when accessing the above site will be redirected to his page both: v. Of course, who would do that ? )

So what is the difference between this type of Stored XSS and the other 2 Reflected XSS types? With this type of XSS, hackers will not need to use tricks to trick users into accessing the website because the above malicious code has been stored on the database. When a user visits that area, the website will both load the malicious code and execute it in the user’s web browser.

Reflected XSS

This is also a type of XSS, but the difference with the above type is that it can only be executed on the client side (user browser) and not saved to the database of the website. If you want to exploit this bug, the hacker needs to find the vulnerability in the web application, and then look up the link pointing to the website containing the vulnerability.

Once the user accesses the above link, the server will return the website with the hacker’s malicious code included in the link.

For example, the small web application below I wrote to find the user who sent a message to the website above (note that it is only used for learning, demo purposes):

For example, on this page, users can search for messages (comments) that they or other users have posted on the website.

reflected xss 01

For example, here, I search for a user named abc, then click Find, the website will return all comments of the user abc.

reflected xss 02

And when I do not enter any characters in the box and click Find, the system will return the page as below, but still show the line You searched for “”.

reflected xss 03

Therefore, here I will check to see if the website owner properly encodes the script tag or not by entering the <script> </script> content box and the website still returns the content as shown above.

reflected xss 04

However, when I pressed the Ctrl + U key combination, I caught my eye that the line I had highlighted in black here, it is possible that this website has suffered an XSS security error.

reflected xss 04

However, that is not enough, I will add an alert function to see if the site shows any notification. And when entering the following code in the box, press Enter:

<script> alert (‘Hacked!’) </script>

And I got the results as shown, so 100% of this website had Reflected XSS security error:

XSS security vulnerabilities

reflected xss 06

And here is the code that we entered in the Source Code section of our website.

reflected xss 07

DOM-based XSS

DOM-based XSS is an advanced XSS vulnerability, which is also the fault of website owners not properly encrypting user input. However, unlike the two types above, the hacker will not exploit this error through the input box on the website, but will manipulate directly on the browser’s address bar. This malware spread is similar to Reflected XSS.

This type of vulnerability can occur in both dynamic and static websites because this kind of vulnerability takes advantage of JavaScript programming language loosely by programmers to manipulate DOM (Document Object Model), thus This vulnerability can only affect the client (user browser) only.

For example, here is the source code of a demo website written by me:

For example, when I open the website above, it will return the link in the address bar that I visited. And when I enter the URL format as follows

http://localhost/hoctap/xss_3.php#<script>alert('XSS')</script>

the website immediately has XSS error.

However, it seems that current web browsers have prevented this type of vulnerability by escaping the above string to normal characters, so the above method is no longer effective for new browsers, but older browsers. There is still a risk of making that security mistake!

How to avoid XSS

To limit and avoid XSS errors, you need to encode special characters when programming a web application. For PHP or Server-side execution language, if possible, you should encode both types as follows:

As for DOM-based XSS, you should refer to the documents of the Javascript Framework you are currently using or restrict the use of methods or functions: innerHTML, outerHTML, document.write, but use textContent instead.

Summary

Through this article, I have introduced to you what XSS is, how dangerous is it, as well as classifying and example each individual XSS vulnerability. If you have any questions, please do not hesitate to comment below so I can know.

And don’t forget the unwritten rule: “Never trust user input”

Share the news now

Source : Viblo