245CT: 0103
XSS:
- High on OWASP top 10, (problem probably will never go away)
- "Simple" but difficult to fix
Example:
- Attacker injects code onto the page
- Usually JS
www.evil.com/input=<script>alert1</script>
Identifying XSS:
- Do we filter input when it arrives?
- Do we filter output before displaying.
"Page accessed"
We can use XSS to create reflected popups on the local display.
<script>alert(1)</script>
"Reflected XSS alert"
- Notice the alert ^ information is in URL
http://172.17.0.1/reflected_xss_get.php?forminput=<script>alert("Hello World")</script>
"Hello World alert"
- We have included script in form data
Type of XSS:
Stored:
- 'Classic'
- Stored in the server, before return
- Anyone who accesses site can be affected
Reflected:
- Least dangerous, only target user who puts input.
DOM Based
- Objecting into the document object model
Attack types:
Popups
Redirection
- <script>window.location="http://172.17.0.1/index.php"</script>
Stealing Information
- Cookies
- Local storage
- Passwords
Snarfing Passwords
- Find user with password manager
- Setup fake webpage to take creds
Session jacking:
- Cookie used for Identifcation on the site
- We can get it using JS
- Store a redirect to a site we control, send cookie, have site steal cookie, Login as user
- Store an image that takes the cookie, site cant get to page but still performs task.
- Exploiting GETs allowing to append to image tag. Cookie sent to server
Browser dev tools, console terms:
- alert(1)
- window.location - Give location on site
- alert(document.cookie) - Reveal cookie
We can display data from the page we are on:
alert(localStorage.key(0) + " " + localStorage.getItem(localStorage.key(0))) - Grabbing local storage
"Gathering storage data"