# XSS Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script (using JavaScript for instance) to a different end user. ## Introduction This page highlights the basic principles of defending against XSS, regardless of the attack vector. We will, however, not dig into the negative repercussions that XSS attacks could cause; for more information regarding further exploitations of this attack, [please take your time reading this](https://owasp.org/www-community/attacks/xss/). Even if your server is secure, any hacker's best target is the web browser. The browsers execute any JavaScript code that appears on any web page. #### Since the cross-site scripting attack is a really common one, we can divide it into three types: * **Stored XSS.** * **Reflected XSS.** * **DOM-Based XSS.** ## Stored Cross-Site Scripting Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then is targeted by the malicious script from the server when it requests its stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS. ### Escaping HTML Characters The first step towards preventing stored cross-site scripting ideally means escaping all dynamic content coming from a database, such that the browser interprets the content of HTML tags, instead of interpreting the entire content as raw HTML. | **Character** | **Entity encoding** | | ------------- | ------------------- | | & | **\&** | | **'** | **\'** | | **<** | **\<** | | **>** | **\>** | #### As so, an example of how escaping and displaying the retrieved information from the database could look like: ```markup

Hello, this is the message: <script>alert("Hey")</script>

``` This conversion of escaped characters happens, of course, after the browser has constructed the DOM for the page, such that it will not execute the `" class UserProfilePage extends React.Component { render() { return (

Hello, this is the message: {message}!

); } } ``` {% hint style="danger" %} Although front-end frameworks tend to already escape dynamic content, this is only limited to actually displaying it. If there is a case of using that content within `,

` the developer should take other defensive measures of making sure that the retrieved data is properly escaped. {% endhint %} ### Implementing a Content Security Policy \[CSP] We will dedicate an entire page for everything related to CSP, however, it is worth mentioning some general aspects of how CSPs protect against cross-site scripting. Modern browsers allow websites to set a content security policy, which you can use to lock down JavaScript execution on your site. A very basic policy that limits the imported scripts of a page to the same domain(`self`), and tells the browser that inline JavaScript should NOT be executed. ```http Content-Security-Policy: script-src 'self' https://scripts.github.com ``` You can also set your site’s content security policy in a `` tag in the HTML of your web pages. ## Reflected Cross-Site Scripting Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search results, or any other response that includes some or all of the user input part of the request. When a victim is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing a malicious site, the injected code "travels" to the vulnerable website, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS. ### Escapic Dynamic Content from the HTTP Requests This mitigation closely follows the one discussed at 2.1.1. Whether the dynamic content comes from the backend/ database or the HTTP request itself, it is escaped in the same way. Now luckily, modern front-end templates escape all variables, regarding where they came from(HTTP request or backend). {% hint style="warning" %} Common target areas for reflected XSS are search pages and error pages since they display parts of the query string back to the user. {% endhint %} ## Document Object Model \[DOM]-Based Cross-Site Scripting DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as `eval()` or `innerHTML`. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts. Reflected and Stored XSS are *server-side* injection issues while DOM-based XSS is a *client (browser) side* injection issue. With Reflected/Stored the attack is injected into the application during server-side processing of requests where untrusted input is dynamically added to HTML. For DOM XSS, the attack is injected into the application during runtime in the client directly. {% hint style="info" %} Take a look at [**this awesome resource on DOM XSS**](https://domgo.at/cxss/intro)( analyzing the source code and finding the vulnerabilities). {% endhint %} ### Vulnerable code example #### Here you have an example of how a vulnerable page could look like, using HTML5 and JavaScript: ```javascript function refreshItems() { const type = (new URL(location.href)) .searchParams.get('filter') .replace('+', ' '); const activeItemLink = document.querySelector(`.itemlink[data-type=${type}]`); if(activeItemLink) { activeTab.classList.add('active'); } // Search items const items = type ? data.filter(item => { return item.type === type; }) : data; // Show current type name document.getElementById('currentItemName').innerHTML = type; // !!!! no input validation before appending the value to DOM // here we basically append the type value to the ODM by passing it // to the innerHTML of the current item. // Display items let itemsHTML = ''; // To render and update each active item, // it is extracted from the URL query parameter filter items.forEach(item => { itemsHTML == `

${item.name}

${item.description}

${item.owner}

`; }); document.getElementById('list').innerHTML = itemsHTML; } document.addEventListener('DOMContentLoaded', () => { const itemLinks = document.getElementsByClassName('itemlink'); itemLinks.foreach(link => { link.addEventListener('click', (event) => { location.search = `?filter=${event.target.innerText}`; }); }); refreshItems(); }) ``` #### As you can tell from this line: ```javascript document.getElementById('currentItemName').innerHTML = type; ``` We are appending the value of the current item's name to the DOM without any input validation, and this is vulnerable to DOM XSS injection, such that should an attacker input a malicious injection, our item's listing will execute the injection. ### Mitigation We will follow suit with the Stored XSS and Reflected XSS defensive techniques, in the sense that first things first we have to escape all user input. #### Since our code is plain JavaScript, we have to create a new function that does that for us: ```javascript function escapeHTML(html) { return html .replace(/&/g, '&') .replace(//g, '>') .replace(/Takeaways #### All in all, by ensuring that: 1. Dynamic content is always escaped, regardless of its origin. 2. JavaScript execution is locked down, with the use of CSP. 3. Both 1. and 2. are followed simultaneously. A developer will leave little to no room to XSS attacks in their application. {% hint style="info" %} You can find more details about this topic here: * [Stored XSS Example](https://application.security/free-application-security-training/owasp-top-10-stored-cross-site-scripting) * [Reflected XSS Example](https://application.security/free-application-security-training/owasp-top-10-reflected-cross-site-scripting) * [DOM XSS Example](https://application.security/free-application-security-training/owasp-top-10-dom-cross-site-scripting) * [XSS Prevention Cheatsheet\[OWASP\]](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) * [DOM XSS Prevention Cheatsheet\[OWASP\]](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html) * [What is DOM-based XSS?](https://portswigger.net/web-security/cross-site-scripting/dom-based) {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://smadi0x86-blog.gitbook.io/smadi0x86-playground/offensive-security/web-attacks/client-side/xss.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.