Intro to XSS

Introduction

As web applications become more advanced and more common, so do web application vulnerabilities. Among the most common types of web application vulnerabilities are Cross-Site Scripting (XSS) vulnerabilities. XSS and XSRF vulnerabilities exploit flaws in user input sanitization to insert and execute JavaScript code on the client side, enabling various attacks.

What is XSS

A web application typically renders HTML received from the server. If it fails to sanitize user input, a malicious user can inject JavaScript code, which is executed when another user views the page.

XSS is executed entirely on the client side and does not directly affect the back-end server. While its impact on the server may be low, its high frequency makes it a medium-risk vulnerability. Medium Risk = Low Impact + High Probability.

Risk Management Matrix: Probability vs. Impact, with strategies like Reduce, Avoid, Accept, and Transfer.

XSS Attacks

XSS vulnerabilities can be used for:

• Stealing session cookies by sending them to an attacker’s server.
• Executing malicious API calls like changing passwords.
• Cryptojacking (Bitcoin mining), displaying ads, and more.

Modern XSS attacks are sandboxed within the browser and domain but can still lead to advanced exploits. For example, a skilled attacker might use an XSS to trigger a binary exploit (e.g., heap overflow) in the browser.

Notable Examples:

• Samy Worm (2005): Exploited a stored XSS on MySpace, affecting 1M+ users in a day. Spread through auto-posting a payload with "Samy is my hero."
• TweetDeck XSS (2014): Created a self-retweeting tweet due to an accidental XSS in TweetDeck. Retweeted 38,000+ times in under two minutes.
• Google XSS (2019): Found in XML library used by Google Search.
• Apache Server XSS: Exploited to steal user passwords.

These examples demonstrate that XSS remains a threat even in high-profile web applications.

Types of XSS

There are three main types of XSS vulnerabilities: