Jan Kahmen, 9 min read

XSS - Overview, Definition and Case Studies

XSS vulnerabilities are found during penetration tests in single-page web applications, as there is a lot of business logic through JavaScript in the front end.

What Is Cross-Site Scripting?

Cross-site scripting (XSS) is a type of client-side injection attack in which a malicious script is injected into a legitimate website and executed there. An attack begins as soon as a user visits the compromised website. This blog post provides an XSS definition and demonstrates why an XSS vulnerability poses a high risk to any IT organization -- as confirmed by the OWASP Top Ten and the Common Vulnerability Scoring System (CVSS).

Intention of the Penetration Tester

XSS vulnerabilities are increasingly discovered in single-page web applications (SPAs) during penetration tests, as a significant portion of business logic in the form of JavaScript (JS) is shifted to the front end. XSS vulnerabilities are arguably the most widespread high-risk vulnerability in web applications today -- as our pentesters consistently confirm. These attack vectors are even found in API calls with growing frequency. It is important to us that all IT stakeholders understand that this type of vulnerability is rightly classified as highly critical and must not be neglected. Accordingly, this vulnerability is also covered in the OWASP Testing Guide with a dedicated test case.

Types of Cross-Site Scripting

Reflected Cross-Site Scripting

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script sent in a request is reflected by the web application back into the victim's browser. The script is activated through a crafted link that sends a request to a website with an XSS vulnerability, enabling the execution of malicious code. Any arbitrary JavaScript code can be executed through this payload.

Persistent or Stored Cross-Site Scripting

Persistent XSS, also known as stored XSS, is the more dangerous variant. It occurs when a malicious script is injected directly into a vulnerable web application and stored there. The malicious code is executed automatically whenever the victim loads the page -- without any user interaction required.

Local Cross-Site Scripting (DOM-Based)

DOM-based XSS means that the cross-site scripting vulnerability is exploited directly within the DOM (Document Object Model) rather than appearing in any part of the HTML source. With reflected and stored XSS attacks, the payload is visible in the server response. With DOM-based XSS, however, the HTML source code and the server response are identical -- the payload cannot be found in the server's response. It can only be observed at runtime or by examining the page's DOM. In contrast to the XSS variants mentioned above, the server-side part of the web application never processes the payload; the client-side JavaScript alone turns untrusted data (for example, from the URL fragment) into markup.
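The three variants above share one fix: untrusted data must be encoded for the context it is written into. The following added example (not code from the original post) contrasts a vulnerable search-results template with its hardened form and shows the textContent counterpart for the DOM-based case; the template, the probe string and the function names are assumptions made for this illustration.

```javascript
// Added example, not code from the original post: contextual output encoding,
// the mitigation shared by reflected, stored and DOM-based XSS. The search
// page template and the probe string below are constructed for this demo.

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute. This is NOT sufficient for JavaScript, URL or
// unquoted-attribute contexts, which need their own encoders.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable (reflected/stored): the term is copied verbatim into the
// response, so markup supplied in the input becomes part of the page.
function renderResultsVulnerable(searchTerm) {
  return `<h1>Results for: ${searchTerm}</h1>` +
         `<input name="q" value="${searchTerm}">`;
}

// Hardened: the same value is encoded for the HTML context it lands in.
function renderResultsHardened(searchTerm) {
  const safe = escapeHtml(searchTerm);
  return `<h1>Results for: ${safe}</h1>` +
         `<input name="q" value="${safe}">`;
}

// DOM-based case: the payload arrives in the URL fragment and never reaches
// the server. Assigning it to textContent instead of innerHTML makes the
// browser treat it as data, not markup. `element` is any object with a
// textContent property (a real DOM node in the browser).
function updateHeadingSafely(element, fragment) {
  const raw = fragment.replace(/^#/, "");
  let text;
  try {
    text = decodeURIComponent(raw);
  } catch {
    text = raw; // malformed percent-encoding: keep the raw string
  }
  element.textContent = text;
  return element.textContent;
}

// Regression check a pentester or CI job can run: does the untrusted input
// survive unchanged anywhere in the rendered HTML?
function reflectsVerbatim(html, untrusted) {
  return html.includes(untrusted);
}

// Constructed probe: closes the attribute, then injects a script element.
const probe = '"><script>probe()</script>';
```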

Case Studies with an XSS Attack Vector

These vulnerabilities enable the following practical attack scenarios, which demonstrate the real-world risk of cross-site scripting vulnerabilities. These attack vectors do not represent an acceptable business risk and must be remediated promptly after detection during an XSS pentest.

With malicious JavaScript running in the victim's browser, the following attacks can be carried out:

  • Session Hijacking -- HTTP cookies can be accessed via JavaScript, allowing entire sessions to be hijacked and data to be manipulated.
  • Ad-Jacking -- The attacker's advertisements are displayed without the user's consent in order to generate revenue.
  • Clickjacking -- A hidden overlay on a page can redirect the victim's clicks to perform malicious actions, such as placing orders on other domains.
  • Content Spoofing -- JavaScript has full access to the client-side code of a website and can therefore display or modify any content at will.
  • Credential Harvesting -- A popup can be used to collect login credentials for specific services.
  • Forced Downloads -- It is far easier to force a malware download from a seemingly trusted website.
  • Crypto Mining -- The victim's CPU can be exploited to provide processing power for cryptocurrency mining.
  • Bypass CSRF Protection -- Cross-Site Request Forgery (CSRF) tokens can be extracted via JavaScript to send forged POST requests.
  • Keylogger -- Keystrokes within the browser instance can be captured and recorded.
  • Record Audio and Webcam -- After user authorization, the victim's microphone and webcam can be accessed -- all possible with HTML5 and JavaScript.
  • Get Geo-Location -- After user authorization, the victim's geographic location can be retrieved. This only works when GPS is enabled.
  • Data Exfiltration of HTML5 Web Storage -- HTML5 introduced Web Storage, which allows websites to store data in the browser. JavaScript can access this storage and exfiltrate the data.
  • Fingerprinting -- JavaScript makes it trivial to determine the browser name, version, installed plugins, operating system, architecture, system time, language, and screen resolution.
  • Network Scanning -- The victim's browser can be leveraged to scan ports and hosts via JavaScript.
  • Denial of Service (DoS) -- The victim's browser can unknowingly participate in a DDoS attack against another target.
  • Force Browser Crash -- The infected browser can be deliberately crashed.
  • Redirection -- A redirect to any arbitrary website can be forced.
  • Tabnabbing -- A sophisticated variant of redirection: if no keyboard or mouse events are detected for over a minute, the current web page can be silently replaced with a fake one.
  • Capturing Screenshots -- Thanks to HTML5, screenshots of a web page can be taken and transmitted to the attacker.

XSS Penetration Testing Showcase with BeEF

BeEF (The Browser Exploitation Framework) is a penetration testing tool that focuses on executing malicious code within the web browser -- though XSS detection itself is not part of its scope.

Given the growing concern about web-based attacks on clients -- including mobile devices -- BeEF enables professional pentesters to assess the actual security posture of a target environment using client-side attack vectors. Unlike other frameworks, BeEF looks beyond the hardened network perimeter and client system to examine exploitability in the context of the web browser. BeEF hooks one or more browsers and uses them as a beachhead to launch targeted command modules and further attacks on the system from within the browser context. Beyond traditional pentests, this tool is also widely used in Red Teaming engagements, particularly for Lateral Movement.

The following video demonstrates the tool during an attack simulation:

Taking Control of Web Browsers with BeEF [Tutorial]

Conclusion for XSS Attacks

Vulnerabilities of this type pose an unacceptable risk, are incompatible with any reasonable business risk tolerance, and should be remediated immediately after the pentest results are delivered. Consistent IT security for web services can be achieved through regular penetration tests, as XSS attacks are part of every cybercriminal's standard toolkit. Sensitive data such as browser sessions can be stolen, and sophisticated social engineering attacks can originate here to launch further intrusions into the deeper IT infrastructure. Every input parameter must be thoroughly validated to achieve a high and defensible level of web application security.