The basics of Cross-site Scripting (XSS)

A lot can go wrong on the Internet, and XSS is without a doubt one of the most common web security issues we see today. Without going too in-depth, there are three kinds of XSS based on vulnerability impact, starting with the worst kind:

  1. The persistent XSS – This is when an attacker can inject script code into your site permanently, so that every user who views the page where the script is injected executes it. An example of this kind of XSS is the Samy worm, which exploited MySpace with a persistent XSS.
  2. The reflected XSS – This is when an attacker can forge a link that injects script code which then executes from your website. This is also the most common type of XSS and is often used by spammers or others with malicious intent. With this an attacker could change the HTML to look like the login page of the vulnerable site, fooling the user into handing over their credentials (also known as phishing).
  3. The Self-XSS – This kind of XSS needs user interaction, which means that the attacker must trick the user into executing the script themselves. For example, the attacker could make a link displaying “close page”, and when the user clicks it the script runs. This kind of XSS is very similar to the reflected XSS, but the need for user interaction makes it harder for the attacker to get the user to run the script.

What can we do to protect ourselves against attacks like this?

Some of the popular browsers actually have built-in protection against reflected XSS and, to some extent, Self-XSS. Other browsers have plugins to help with XSS issues, like NoScript. Browser-side filters are only a second line of defence: the real fix is encoding untrusted data correctly in the application's own output.

Detectify checks your web app for a range of XSS vulnerabilities. Sign up for our 14-day free trial to run a scan and see if your site is vulnerable.


Got questions? Tweet us at @detectify or shoot an email to [email protected]! You can also read more XSS articles and updates for examples, explanations, and remediation tips.


By: Mathias Karlsson


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random email addresses that last 10 minutes. It is also known by names like temporary mail, disposable mail, throwaway email, one-time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

What is Cross-site Scripting (XSS) and how can you fix it?

Cross-site scripting (XSS) is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables attackers to inject client-side scripts into web pages viewed by users. Listed as one of the OWASP Top 10 vulnerabilities, XSS is the most common vulnerability submitted on the Detectify Crowdsource platform, and therefore a security risk our tool continually checks for.

Image depicting cross-site scripting XSS

Cross-site scripting: What can happen?

The attacker may:

  • gain access to users' cookies, session IDs, passwords, private messages, etc.
  • read the content of a page as any attacked user, and therefore all the information displayed to that user
  • compromise the content shown to the user

A notable XSS attack was the Tweetdeck XSS worm published in 2014. It allowed the attacker to spread a malicious payload to all Tweetdeck users via Twitter, causing a mass compromise of Twitter accounts.

Example of Cross-site scripting (XSS)

To show how the vulnerability works, let’s look at an example. Say you have a search box on your site. If there is no result, the site should say “Could not find any pages when searching for [what the user searched for].”

Doing this in PHP it might look something like this:

This would, in other words, output the user-supplied data (the search query) straight into the HTML document. If the search query contains HTML, the user’s web browser will render it. Imagine an attacker sends a link like the following to a victim:

http://example.com/search.php?query=

This would make the victim search for:

 

Since there is no validation of the data, the target browser will render:

Could not find any pages when searching for 

The injected HTML will be executed. The HTML contains a script tag which will evaluate JavaScript. The JavaScript will grab the user’s cookie and send it out to a third-party domain under the attacker's control. The attacker will then be able to set their own cookie to the victim’s stolen one, gaining access to the victim’s data. This is a common example of a privilege escalation attack by means of cross-site scripting and session riding.
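The search page from this example, written out as an added illustration (not the article's own code), once reflecting the query unescaped and once with the fix applied. The function names are my own, and the constructed input stands in for $_GET['query'].

```php
<?php
// Added example, not the article's code: the search page described above,
// first reflecting the query unescaped, then with the fix. The constructed
// input below stands in for $_GET['query']; the function names are my own.

function render_vulnerable(string $query): string
{
    // Untrusted data is concatenated straight into the HTML body, so any
    // markup in the query is parsed and executed by the victim's browser.
    return 'Could not find any pages when searching for ' . $query;
}

function render_fixed(string $query): string
{
    // htmlspecialchars() turns &, <, >, " and ' into entities, so the browser
    // displays the query as text instead of interpreting it as markup.
    // ENT_QUOTES covers both quote characters; the charset must match the page.
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Could not find any pages when searching for ' . $safe;
}

// Constructed probe input: a script tag that only reveals which origin ran it.
$query = '<script>alert(document.domain)</script>';

// Declaring the charset matters: the encoding passed to htmlspecialchars()
// must be the one the browser actually uses to decode the page.
header('Content-Type: text/html; charset=UTF-8');
echo '<p>', render_vulnerable($query), "</p>\n"; // markup survives
echo '<p>', render_fixed($query), "</p>\n";      // markup neutralised
```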

Cross-site scripting Remediation

The remediation of XSS vulnerabilities is heavily context-dependent and the patches vary. Here are some general tips (where UNTRUSTED marks user-supplied data).

HTML Body

Example

UNTRUSTED

Solution
Convert to HTML entities (i.e. & to &amp; etc.).
See PHP htmlspecialchars().

HTML Attributes

Example


Solution
Convert the untrusted user input to HTML entities to prevent the creation of other attributes, and never let any user data into the “id”, “class” or “name” attributes. Be very cautious when placing user data into DOM event handlers (e.g. onclick), as they are made to execute JavaScript.

Untrusted URL

Example

link
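The attribute and URL rows of the table above, worked through as an added example (not the article's code). The function names and the http(s) allow-list are my own; the article's URL row gives no solution text, so the scheme check is an assumption about what a practitioner would add.

```php
<?php
// Added example, not the article's code: encoders for the attribute and URL
// contexts in the remediation table. Function names and the scheme
// allow-list are my own; the article's URL row gives no solution text.

// Attribute context: entity-encode AND emit the surrounding quotes, so a
// caller can never forget them. Without quotes a space in the input would
// still start a new attribute, such as an onmouseover handler.
function attr(string $untrusted): string
{
    return '"' . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// URL context inside href: entity encoding alone does not stop a
// "javascript:" URL, because the browser decodes the entities and then
// honours the scheme. Accept only http(s) URLs; everything else becomes "#".
function href(string $untrusted): string
{
    $scheme = parse_url($untrusted, PHP_URL_SCHEME);
    if ($scheme === false || $scheme === null) {
        return attr('#'); // malformed or relative URLs are refused as well
    }
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return attr('#');
    }
    return attr($untrusted); // still an attribute, so entity-encode it too
}

// Constructed inputs: one tries to add an attribute, one uses a script
// scheme, one is a legitimate link whose & must still be encoded.
$name = 'x" onmouseover="alert(1)';
$bad  = 'javascript:alert(1)';
$ok   = 'https://example.com/?q=a&b=c';

header('Content-Type: text/html; charset=UTF-8');
echo '<input type="text" value=' . attr($name) . ">\n";
echo '<a href=' . href($bad) . ">link</a>\n";
echo '<a href=' . href($ok) . ">link</a>\n";
```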

Resources

This article was updated on 7 August 2018.
