Web security: XSS
What is XSS?
XSS, or Cross-Site Scripting, is a web application vulnerability that occurs when untrusted data from the user is processed by the web application without validation and is reflected back to the browser without output encoding or escaping, so that the injected content is executed as code by the browser engine.
Types of XSS
- Reflected XSS or Non-Persistent XSS
- Stored XSS or Persistent XSS
- DOM XSS
- mXSS or Mutation XSS
- RPO XSS or Relative Path Overwrite XSS
Reflected XSS or Non-Persistent XSS
The user sends untrusted data to the browser, which sends it to the server. The server includes it in its response, which goes back to the browser and is shown to the user; the data is not stored on the server. Here is a link with many useful resources.
Stored XSS or Persistent XSS
Data is sent to the browser, which sends it to the server. The server stores it in a database; later it is read back by the server and sent to the browser and the user. In this case untrusted data can be stored in the database permanently.
RPO or Relative Path Overwrite XSS
It depends on three things:
- Stored XSS that allows CSS injection
- URL rewriting (DEMO)
- Relative Addressing to CSS style sheet
How it works
- It takes advantage of the CSS parser, which ignores the HTML surrounding the injected style rules
- URL rewriting causes the page to load CSS from the same page (the page itself is used as the style sheet)
- Works on older versions of IE
- More info
Sources of XSS
- URL, parameters in URL, Headers
- Form data (input box, textarea, checkboxes etc.)
- Files and metadata
Different Contexts in XSS
- URL context
- Script context: not only server-side code but also client-side code. We must pay attention to this when developing and deploying code.
A testing tool can also be used to discover and explore these vulnerabilities. Here are some of the most common tools: