Cross-site Scripting Is an Underrated Vulnerability

Find out why cross-site scripting (XSS) is an underrated vulnerability and how this article will change the way you think about it.

By Pedro Tavares, Founder of CSIRT.UBI & Cyber Security Blog seguranca-informatica.pt

Cybersecurity attacks are an enormous challenge from the point of view of people, organizations and nations. Also called cyber attacks, they represent a malicious attempt by an individual or organization to breach the information system of another individual or organization.

For many years, one injection vulnerability has held a place in the OWASP Top 10: cross-site scripting, also known as XSS. This type of attack works by injecting a piece of code into a benign and trusted web application. It occurs when an adversary uses a web application to send malicious code, typically in the form of a browser-side script, to different end users.

The flaws that can be exploited by adversaries are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

This article lists many of the things that can be done with XSS, an underrated vulnerability.

The Art of XSS

The principle of XSS is always the same: malicious JavaScript code is executed in the victim’s browser. There are different ways of achieving this goal, and they are often divided into three types, namely:

Persistent XSS: Malicious payload originates from the website’s database.

Reflected XSS: Malicious payload originates from the victim’s request.

DOM-based XSS: The vulnerability is in the client-side code rather than the server-side code.

XSS and the Hackers’ Inspiration

XSS is an underrated vulnerability. In fact, there are three good reasons for that: (i) it’s a client-side vulnerability, (ii) many white hats just need that pop-up for proofs-of-concept, and (iii) most black hats don’t know enough JavaScript to make much money with XSS.

XSS is a powerful attack vector for injecting malicious payloads and can be used to impersonate something as well. There are a lot of things that we can do with XSS. The following list presents possible scenarios used by adversaries in real attacks.

Ad-Jacking: Adversaries can inject their own ads into a legitimate website to make money easily, based on a persistent XSS.

Click-Jacking: Hidden overlays can be created in a website to hijack victim clicks and to perform malicious actions such as redirecting to login pages and displaying false payment forms.

Session Hijacking: HTTP cookies can be accessed via JavaScript whenever the HttpOnly flag is not present in the cookies.

Content Spoofing: JavaScript is very powerful. An adversary can modify a page with any desired content, as JavaScript has full access to client-side code.

Credential Harvesting: Victims put their own credentials in a fancy pop-up created by adversaries with the goal of harvesting their credentials.

Forced Downloads: There are several application vulnerabilities that hackers are leveraging. One of the most popular examples is the Flash Player. Adversaries can force the download from a trusted website that the victim is visiting.

Crypto Mining: Adversaries can use the victim’s CPU power to mine cryptocurrency without their consent or knowledge.

Bypassing CSRF protection: Adversaries can make POST requests with JavaScript. They can collect and submit a CSRF token and steal data or even execute critical operations in a third-party service.

Keylogging: Anything that victims type on their keyboard can be harvested.

Recording Audio: This requires authorization from the user, but adversaries can access microphones. This is possible with HTML5 and JavaScript.

Taking pictures: Adversaries can take pictures from the victim’s webcam (this requires authorization from the user).

Geo-location: That requires authorization from the user but adversaries can access the victim’s geo-location.

Stealing HTML5 web storage data: HTML5 introduced a new feature, web storage. A website can now store data in the browser for later use and, of course, JavaScript can access that storage via window.localStorage and window.sessionStorage.

Browser & System Fingerprinting: JavaScript makes it a piece of cake to find browser name, version, installed plugins and their versions, operating system version, architecture, system time, language and screen resolution.

Network Scanning: The victim’s browser can be abused to scan ports and hosts with JavaScript.

Crashing Browsers: Adversaries can crash the browser by flooding it with stuff.

Stealing Information: It’s possible to grab information from the webpage and send it to a malicious server.

Redirecting: Adversaries can use JavaScript to redirect users to any webpage.

Tab-napping: Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is afk and adversaries can sneakily replace the current webpage with a fake one.

Capturing Screenshots: Adversaries can take screenshots of a webpage. Blind XSS detection tools have been doing this before it was cool.
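The Session Hijacking item above depends on cookies being readable from script, so a useful defensive check is to list which cookies a site sets without the HttpOnly attribute. The following is an added example, not code from the article; the function names and the Set-Cookie header values are constructed for illustration.

```javascript
// Added example: find cookies that page script can read because the
// HttpOnly attribute is absent. All header values are constructed samples.
const sampleHeaders = [
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'csrftoken=xyz789; Path=/; Secure',
  'theme=HttpOnly; Path=/',     // the word appears in the value, not as an attribute
  'auth=tok; path=/; httponly', // attribute names are case-insensitive
];

// Split one Set-Cookie header into the cookie name and a map of its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing semicolon
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes.set(key, i === -1 ? true : attr.slice(i + 1));
  }
  return { name, attributes };
}

// Names of cookies that script running in the page could read via document.cookie.
function scriptReadableCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((cookie) => !cookie.attributes.has('httponly'))
    .map((cookie) => cookie.name);
}

// A substring check is shown only for contrast: it misjudges the last two samples.
function naiveHasHttpOnly(header) {
  return header.includes('HttpOnly');
}

console.log(scriptReadableCookies(sampleHeaders)); // [ 'csrftoken', 'theme' ]
```

Parsing the attributes matters here: the substring check reports the `theme` cookie as protected and the `auth` cookie as exposed, and both answers are wrong.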

Considerations

JavaScript is a powerful language and can be used to manipulate the user’s behavior when they are visiting a web page. XSS is often considered an underrated vulnerability, but its malicious horizon is giant, as observed throughout this article.

Living in this digital era, you should always be suspicious of anything strange.

For developers, there are three brilliant things that I love: (i) escaping, (ii) validating input via a whitelist, and (iii) sanitizing. The use of code review, automatic static code analysis, and secure coding must always be a mandatory procedure implemented in development teams.

Finally, next time you find an XSS vulnerability, report it. If your report is not addressed the first time, then change the PoC. Try submitting an exploit to steal data or other critical stuff; surely, it will have another impact.
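The three developer measures named above, shown side by side with the unencoded output the article warns about. This is an added example, not code from the article; the function names, the username policy and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the article): escaping, allowlist validation, URL sanitizing.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escaping: encode characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation: accept only the shape the field is meant to have.
// The username policy below is a hypothetical one chosen for this example.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
function isValidUsername(value) {
  return typeof value === 'string' && USERNAME_RE.test(value);
}

// Sanitizing: parse the URL and allow only http(s); anything else becomes "#".
function safeHref(url) {
  try {
    const parsed = new URL(url);
    return ['http:', 'https:'].includes(parsed.protocol) ? escapeHtml(parsed.href) : '#';
  } catch {
    return '#'; // relative or unparsable input is rejected in this example
  }
}

// "Before": user input placed in the output without encoding.
function renderUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// "After": the same output with the value encoded for the HTML context.
function renderSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

const constructedInput = '<script>alert(1)</script>'; // constructed sample value
console.log(renderUnsafe(constructedInput)); // markup reaches the page intact
console.log(renderSafe(constructedInput));   // markup is rendered as inert text
console.log(safeHref('JaVaScRiPt:alert(1)'), safeHref('https://example.com/a?x=1'));
```

Parsing the URL before checking its scheme is what catches mixed-case or whitespace-padded schemes that a simple prefix comparison would let through.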

About the Author

Pedro Tavares is a cybersecurity professional and a founding member and Pentester of CSIRT.UBI and the founder of seguranca-informatica.pt. In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a Freelance Writer.

March 3, 2019
