Skip to content

Types of XSS

There are three main types of XSS: reflected, stored and DOM (Document Object Model) manipulation. We will focus on the Reflected and Stored versions, as the DOM based approach can be seen as an extension of them.

Reflected XSS

Traditionally thought of as the 'least dangerous' of XSS style attacks, here the malicious code is part of the victim's request to the website. While thought of as 'less dangerous', that is not always the case.

Inputs to databases are often sanitised, meaning it can be harder to get a stored XSS attack past the defences.

On the other hand, reflected attacks will tend to crop up in debugging/user information, and are only visible to the user who sent the request. This means that to perform a successful reflected XSS we would need some social engineering to get the victim to follow the link, but the potential impact is still high.

Example

Consider the XSS Example from before. We know the form takes a GET request, then echoes it's value back to the user. Consider what would happen if we could trick the user into clicking the following URL.

../reflected_xss_get.php/?forminput=<script>alert("Pwnd");</script>

For even more fun consider the following, sent as part of an email or IM:

http://172.18.0.1/reflected_xss_get.php/?forminput=<script>alert("Pwnd");</script>

Thus (with a bit of luck) we can get code to be executed on the Victim's machine through a URL.

Note

Even "Better" we could stash some form of redirection payload in what looks like a legitmate URL, for use in a Phishing attempt

For Example as A Nice Safe Link;) in the email system.

Stored XSS

The "Classic" XSS.

In this case the malicious code is stored on the website server itself. Consider the a simple message board, where posts are not sanitised. If the user submits a message containing malicious JS, this will be executed for every user who visits the page.

This is certainly the type of thing we should be on the lookout for. Any user specified data that is stored, then displayed should be examined, and filtered.

Overall this is a more dangerous style of attack, as it can target a wide range of users without us having to put in much effort. However, it is 'rarer' in the wild, mostly because people are paying more attention to the dangers of XSS here.

Example

In a forum or post based system, we could create a new post with the contents

Evil Post
<script>alert("hacked")</script>

If this is not sanitised before being stored or displayed. Any use who views this message will trigger the payload.

Dom Based XSS

Is where we can inject elements into the Document Object Model (DOM) of a website. These are typically a reflected style of XSS, but can be also be stored (for examine by setting user preferences).

DOM based XSS, abuses JavaScript functions such as the document.* methods. Where information about the current page is read and written.

Usually, DOM based XSS will use some form of server query (the result of a GET or POST) request to change the output on the page. This happens in much the same way as a reflected XSS attack.

However, another common method is to take advantage of hash fragments, these are elements of the URL separated by a hash token. For example 8_Web_XSS/TypesOfXss/#dom-based-xss. These are often used for internal navigation between anchors on the page. But WILL not be sent to the server for processing. This means that we cannot rely on any server based filtering and detection.

Example

Consider a page that uses javascript to show the current URL

<script>
document.write("<p> Current URL is: " +  document.baseURI + " </p>")
</script>

Using the URL www.evil.org/page#<script>alert("hacked")</script> Will trigger the XSS vulnerablity.

Preventing DOM based attacks can be harder, as we may not be able to rely on the server side input sanitisation. Instead we need to focus on the methods used to write data using JavaScript. Functions that are unsafe include:

  • document.write
  • element.innerHTML

However, functions like element.textContent or element.innerText are likely to be safe, as they are designed to deal with text, and filter HTML data.

Summary

In this article we have had an overview of different "types" of XSS. This can give us some idea of where the issue may occur in our programs.

While the most "Famous" (and arguably the most dangerous) is the stored XSS attack. Both reflected and DOM based attacks can also cause loss of information.

In the next article we will look at types of XSS Payloads, and see examples of How and attacker can use it.

Back to top