Tales of XSS: Navigating Web Vulnerabilities

Rajanagori
4 min readJul 9, 2023

--

Hello everyone! After such a long time on Medium, almost two years, I am here to continue this story in multiple parts so that you won’t get bored!

Today, I would like to share an amazing tale of a warrior from the team of the great vulnerabilities — THE XSS (Cross Site Scripting).

The story begins in the era of the internet and web browsers, a time when social media, banking sectors, healthcare sectors, and almost every other sector relied heavily on the internet, making Confidentiality, Integrity, and Availability (C.I.A) crucial aspects.

This formidable warrior made a significant impact in the late 90s and early 2000s. With the increasing popularity of web applications, security risks also grew as developers started incorporating user-generated content into websites. This is where the warrior exploited the loopholes of Input Validation and Output Encoding, emerging victorious every time.

Initially, XSS attacks were relatively simple, often involving the injection of scripts through user input fields like search boxes or comment sections. As awareness of this vulnerability grew, both security researchers and attackers developed more sophisticated techniques to exploit XSS.

In response to the overwhelming number of vulnerabilities and attacks, security professionals and browser vendors started developing mitigations to minimize the impact of these vulnerabilities. The concept was simple: user input should be validated, and output data should be encoded.

This XSS warrior manifests in three different avatars:

  1. Reflected XSS
  2. Stored XSS
  3. DOM XSS

Reflected XSS

Imagine a magician using a clever technique to make a box disappear when placed inside a paper bag. The magician manipulates the folds of the paper bag in such a way that the box becomes hidden from view, creating the illusion of its disappearance.

Similarly, in the case of reflected XSS, an attacker exploits how a website handles and displays user-entered data. They manipulate the input in a way that the injected malicious code remains hidden within the website’s response.

When a user interacts with the website by submitting input, the website includes that input in its response and displays it back to the user. However, if the website fails to properly validate or sanitize the user input, it may inadvertently execute the injected malicious code.

Just like the magician concealing the box within the folds of the paper bag, the attacker hides the malicious code within seemingly harmless user input. This can deceive the website into displaying the injected code as part of the webpage, potentially leading to unauthorized actions or malicious activities.

To prevent reflected XSS attacks, website developers must ensure proper validation and sanitization of user input before displaying it on the webpage. By carefully examining and filtering the user input, just as the magician inspects the contents of the paper bag, developers can prevent the execution of any malicious code and protect users from potential harm.

Stored XSS

Imagine a skilled magician performing an incredible trick with a deck of cards. The magician asks a participant to select a card and return it to the deck. However, unknown to the participant, the magician has secretly palmed a duplicate of the chosen card. As the magician shuffles the deck and asks the participant to cut it, they skillfully place the duplicate card on top, ready to astound the audience.

Similarly, in the case of stored XSS, an attacker takes advantage of a website’s storage mechanism, such as a database, to inject malicious code that remains stored within the website. This code can be triggered and executed when other users access the compromised web page or when specific events occur.

For instance, let’s say a social media platform allows users to post messages that are then displayed on their profiles. An attacker cleverly crafts a message containing malicious JavaScript code, which gets stored in the platform’s database. Whenever another user visits the attacker’s profile and views the posted message, the injected code executes, potentially compromising their account or performing unauthorized actions.

To prevent stored XSS attacks, website developers must implement strict input validation and ensure that any user-generated content is properly sanitized before being stored. By doing so, just as the magician skillfully conceals the duplicate card, developers can protect the website’s users from the execution of malicious code.

DOM XSS

Imagine attending a magic show where the magician performs a mind-boggling trick with a deck of blank cards. The magician asks an audience member to think of a card and imagine it appearing on one of the blank cards. To everyone’s amazement, the thought-of card materializes on the chosen blank card, seemingly defying the laws of reality.

Similarly, DOM XSS (Document Object Model Cross Site Scripting) involves an attacker manipulating the Document Object Model, which represents the structure of a webpage, to inject and execute malicious code. This type of XSS does not require server-side vulnerabilities and directly affects the client-side code of a web page.

For example, consider an online forum where users can post messages containing HTML content. An attacker exploits a vulnerability in the website’s JavaScript code by injecting malicious code that modifies the DOM when other users view the compromised page. This manipulated code can lead to unauthorized actions, data theft, or the redirection of users to malicious websites.

To prevent DOM XSS attacks, website developers need to implement strict input validation and properly sanitize any user-generated HTML content before it is rendered on the page. By doing so, just like the magician astonishingly materializing the thought-of card, developers can protect users from the execution of malicious code within the DOM.

Remember, it’s crucial to remain vigilant and implement security measures to defend against these XSS vulnerabilities across different attack vectors.

That concludes Part 1 of this captivating tale. Share your thoughts in the comments section: how much did you enjoy this part and what would you like to see in Part 2? Should it focus more on practical implementation or delve deeper into theoretical aspects? Your feedback will shape the next chapter of this enthralling story.

My Social Portals

  1. Raja Nagori | LinkedIn
  2. rajanagori.github.io
  3. twitter.com/RajaNagori7

--

--

Rajanagori
Rajanagori

No responses yet