Once again we will be using DVWA to demonstrate two basic XSS attacks. If you missed the article explaining SQL Injection, you can check it out here.
Basic XSS guide
Before we begin, it should be mentioned that web developers often put a limit on the number of characters that can be entered in an input box (e.g. a login input box whose maximum is 16 characters). In a situation like that, in order to test our scripts, whether the attack is SQL injection or XSS, we need to interact with the website's source code locally. A useful tool for that is Firebug for Firefox. As you can see in the picture below, the number of characters that fit in the "Message" input box has been changed from 50 to 500. This means that we are now able to input scripts up to 500 characters long.
A reflected XSS vulnerability is by far the most common type. In simple words, the script we insert is executed locally, in our own browser. But how can we take advantage of this? For our first attack we'll input in the "Message" input box the HTML snippet <img src="http://i.imgur.com/OzEyw.jpg">, which (locally) inserts the image http://i.imgur.com/OzEyw.jpg next to the input box. As you can see in the picture below, the script has been added to the URL. I could send that URL to a victim; their browser would execute the same script, since it is provided in the URL, and they would get the same result. Now, what if instead of that img tag I had used a malicious link? Or what if I had used a script that grabs your cookies and sends them to me? 🙂
Advantages and Disadvantages
The advantage is that the scripts are executed locally in the browser, which means you leave no traces. URL-shortening services can be used to hide the script in the URL.
The disadvantage is that as soon as the victim opens your (shortened) link, the full URL, including the script, is visible. You need some social-engineering skills to fully succeed with this one.
A stored or persistent XSS attack is similar to the reflected one, but in this case our script is stored in the website's database. This can occur when a vulnerable input box inserts data into a database (e.g. a registration form). For our example we'll use a simple snippet, <iframe src="http://malwebsite.com"></iframe>, which adds a frame loading the URL http://malwebsite.com. As you can see in the picture below, the URL hasn't changed, which means that every single visitor to the legitimate page will be presented with the frame we've added.
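The defences a developer would apply to the "Message" box described above and to the stored guestbook entries, as an added Python example that is not part of the original post or of DVWA's own code: the message length is re-checked server-side (the client-side maxlength can be edited in Firebug, as shown earlier) and every message is HTML-encoded at output time, using the article's own img and iframe payloads as constructed input. The function names and the 50-character limit used here are assumptions.

```python
import html

# Constructed sample input: the two payloads quoted in the article.
REFLECTED_PAYLOAD = '<img src="http://i.imgur.com/OzEyw.jpg">'
STORED_PAYLOAD = '<iframe src="http://malwebsite.com"></iframe>'

# The limit the article's form declared only client-side (maxlength="50").
MAX_MESSAGE_LEN = 50


def vulnerable_render(message: str) -> str:
    """DVWA-style rendering: untrusted input is concatenated straight into
    the HTML, so browser-executable markup in `message` survives intact."""
    return f"<p>Message: {message}</p>"


def validate_message(message: str) -> bool:
    """Server-side length check. A maxlength attribute in the form is only a
    UI hint that the visitor controls, so it must be re-checked here."""
    return 0 < len(message) <= MAX_MESSAGE_LEN


def safe_render(message: str) -> str:
    """Hardened rendering: reject over-long input, then HTML-encode the rest
    (quote=True also encodes " and ') so <, > and quotes reach the browser
    as literal text, not as tags or attribute delimiters."""
    if not validate_message(message):
        raise ValueError("message rejected: empty or longer than %d" % MAX_MESSAGE_LEN)
    return f"<p>Message: {html.escape(message, quote=True)}</p>"


def render_guestbook(stored_messages: list[str]) -> str:
    """Stored-XSS path: every stored entry is encoded at output time, for
    every visitor, regardless of what was accepted into the database."""
    return "\n".join(safe_render(m) for m in stored_messages)


def still_contains_markup(rendered: str) -> bool:
    """Detection helper: True if a raw tag from either payload is present."""
    return "<img" in rendered or "<iframe" in rendered


if __name__ == "__main__":
    print(vulnerable_render(REFLECTED_PAYLOAD))
    print(safe_render(REFLECTED_PAYLOAD))
    print(render_guestbook([STORED_PAYLOAD, "hello"]))
```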
Advantages and Disadvantages
This kind of attack can prove very devastating. It can be used for mass phishing attacks, cookie grabbing, malware installation, taking control of the website's visitors, even taking control of the web server itself, and so on. For example, with a little help from tools such as Metasploit and BeEF, stored XSS allows you to build your own army of bots, which can be used for DDoS attacks.
The biggest disadvantage is that you interact with the web server, since you insert data, which means that you leave traces.
Once again, if you have any questions feel free to leave a comment, contact us or even contact me directly.