XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
The main effects of this vulnerability are the possibility of:
It is worth noting that operations performed on behalf of the victim may be invisible to them: they may take place in the background using the bank’s API, or the attacker may perform them later using the stolen authentication data (tokens, cookies, etc.).
Reflected XSS
This is XSS where HTML/JavaScript code contained in some parameter (e.g. GET, POST or cookie) is echoed back in the response.
Consider a page with a text input for searching that puts the parameter ?search=foo at the end of the URL when querying the API. After entering a phrase that is not found, we get a message placed in the HTML, e.g.
<div>No result found for <b>foo</b></div>
We can try to put ?search=<script>alert('XSS')</script> in the URL.
DOM XSS
This is XSS whose execution becomes possible through the use of dangerous functions and properties in JavaScript, such as eval or innerHTML. The “Live example” below shows a DOM XSS attack based on innerHTML.
Stored XSS
This is XSS where the malicious code gets stored on the server side. For example, we may send a comment containing malicious code to a blog post, and it is saved on the server. Its task may be, for example, to wait for the administrator’s moderation and then steal their session data.
The payload depends on the context in which the data lands:
In the tag content: onerror=alert('XSS') into <img src onerror=alert('XSS') />
In the content of the attribute: " onmouseover=alert('XSS') into <div class="" onmouseover=alert('XSS')"></div>
In the content of the attribute without the quotes: x onclick=alert('XSS') into <div class=x onclick=alert('XSS')></div>
In the href attribute: javascript:alert('XSS') into <a href="javascript:alert('XSS')"></a>
In a string inside JavaScript code: ";alert('XSS')// into <script>let username="";alert('XSS')//";</script>
In an attribute with a JavaScript event: ');alert('XSS')// where ' is a single quote, into <div onclick="change('');alert('XSS')//')">John</div>
In the href attribute inside the javascript: protocol: %27);alert(1)// where %27 is a URL-encoded single quote, into <a href="javascript:change('%27);alert(1)//')">click</a>
Live example: https://codesandbox.io/s/xss-vulnerability-iedok
Prevention
Do not execute code with eval or Function by passing untrusted user data to them.
Do not insert untrusted data as markup with innerHTML, outerHTML, insertAdjacentHTML or document.write. Instead, you can use properties that assign text directly to these elements, such as textContent or innerText.
Do not assign untrusted data to location, which would allow e.g. location = 'javascript:alert('XSS')'.
If you must render user-supplied HTML, sanitize it with a library such as DOMPurify.
Do not serve user-uploaded .html or .svg files from your main domain. You can create a separate domain from which the uploaded files will be served.
Use the Content-Security-Policy mechanism.
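As an added example (not code from the original post), the reflected search message from above rendered unsafely and safely, plus an href check for the javascript: protocol context; the function names and sample inputs are constructed here.

```javascript
// Added example: constructed inputs, no DOM required.

// Vulnerable: the untrusted ?search= parameter is concatenated straight into HTML,
// so <script>alert('XSS')</script> is returned as live markup.
function renderResultUnsafe(search) {
  return `<div>No result found for <b>${search}</b></div>`;
}

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe: the parameter is rendered as text, never as markup.
function renderResultSafe(search) {
  return `<div>No result found for <b>${escapeHtml(search)}</b></div>`;
}

// href context: escaping alone does not stop javascript: URLs,
// so allow-list the scheme before placing a value in an attribute.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // base is a placeholder
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return '#';
  return escapeHtml(parsed.href);
}

function renderLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}

// In the browser, prefer textContent over innerHTML for the same message:
// the value is treated as text, so tags in it are displayed, not executed.
function showMessage(element, search) {
  element.textContent = `No result found for ${search}`;
}
```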