Is XSS Dangerous?
you want will be run in the victim’s browser in the context of the vulnerable web page:
Pop-up alerts and prompts
Access cookies/session tokens
“Circumvent” same-origin policy
Virtually deface web page
Detect installed programs
Detect browser history
Capture keystrokes (and other trojan functionality)
Port scan the local network
Induce user actions, and so on.
Types of XSS
Reflected XSS
Stored XSS (a.k.a. “Persistent XSS”)
DOM Based XSS
HTML returned to victim:
<div id="pageTitleTxt">
  <h2><span class="highlight">Search Results</span><br />
  <!-- the reflected search term followed here; the rest of the slide's snippet is not on the page -->
  </h2>
</div>
exploited web page
Stored XSS is more dangerous than Reflected XSS
Has resulted in many XSS worms on high-profile sites like MySpace and
DOM Based XSS
DOM Based XSS (or, as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner.
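The definition above as a concrete sink comparison; this is an added example and not part of the original slides. One DOM-based source (the URL fragment, location.hash) is written into an HTML sink (innerHTML) and into a text sink (textContent). FakeElement, the function names and the sample fragment are this example's own assumptions: the element stand-in lets the code run under Node, and its textContent setter mirrors how a browser serializes a text node back to HTML.

```javascript
// Added example, not from the original slides: one DOM-based XSS source
// (the URL fragment, location.hash) written into two different sinks.
// FakeElement is a stand-in for a DOM element so the code runs under Node;
// its textContent setter mirrors how a browser serializes a text node.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

class FakeElement {
  constructor() {
    this.innerHTML = '';   // assigning here parses markup, as in a real element
    this._text = '';
  }
  // A real browser never parses the string assigned to textContent; it becomes
  // a single text node, so reading innerHTML back shows it entity-encoded.
  set textContent(value) {
    this._text = String(value);
    this.innerHTML = encodeHtml(value);
  }
  get textContent() { return this._text; }
}

// Vulnerable: the fragment is copied straight into an HTML sink, so any
// markup it contains is parsed and, for tags with event handlers, executed.
function renderGreetingUnsafe(el, hash) {
  const name = decodeURIComponent(hash.slice(1));   // '#Alice' -> 'Alice'
  el.innerHTML = 'Hello, ' + name;
  return el.innerHTML;
}

// Hardened: the same value goes through a text sink, so it stays data.
function renderGreetingSafe(el, hash) {
  const name = decodeURIComponent(hash.slice(1));
  el.textContent = 'Hello, ' + name;
  return el.innerHTML;
}

// Constructed sample fragment: a URL whose fragment carries markup instead of a name.
const SAMPLE_HASH = '#' + encodeURIComponent('<img src=x onerror=alert(1)>');

function demo() {
  return {
    unsafe: renderGreetingUnsafe(new FakeElement(), SAMPLE_HASH),
    safe: renderGreetingSafe(new FakeElement(), SAMPLE_HASH),
  };
}

console.log(demo());
```

Run it with node: the unsafe rendering returns the markup intact, the safe one returns it entity-encoded. In a real page the same rule applies: prefer textContent (or a templating library that encodes by default) and treat innerHTML, document.write and eval-like sinks as places where untrusted data must be encoded or sanitized first.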
Often fail to test a substantial fraction of a web application’s logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that check the correctness of the provided values.
Black Box testing
1. Detect input vectors.
2. Analyze each input vector to detect potential vulnerabilities. Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
3. For each test input attempted in the previous phase, the tester analyzes the result and determines whether it represents a vulnerability that has a realistic impact on the web application's security.
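The analysis phase of the procedure above, written as a regression check a defender can run over their own application's responses; this is an added example, not part of the original slides. It submits a probe wrapped in a canary token to each input vector, then reports whether the probe came back unencoded. The canary, the function names and the constructed responses are this example's own assumptions.

```javascript
// Added example, not from the original slides: the analysis step of the
// black-box procedure, as a triage function over collected responses.
// CANARY, the function names and SAMPLE_RESPONSES are constructed for this example.

const CANARY = 'zq7x';                    // an unlikely token that is easy to locate in a response
const PROBE = CANARY + '<"\'>' + CANARY;  // characters that matter in HTML body and attribute contexts

// Looks for the probe between the two canaries and reports what survived.
//   'absent'  -> this input vector is not reflected into this response
//   'encoded' -> reflected, but the special characters were entity-encoded
//   'raw'     -> reflected with special characters intact: review by hand,
//                since whether it is exploitable depends on the HTML context
function classifyReflection(responseBody) {
  const re = new RegExp(CANARY + '(.*?)' + CANARY, 's');
  const m = re.exec(responseBody);
  if (!m) return { verdict: 'absent', reflected: null };
  const inner = m[1];
  const raw = /[<"']/.test(inner);
  return { verdict: raw ? 'raw' : 'encoded', reflected: inner };
}

// Runs the check over every (input vector, response) pair collected in the
// earlier phases and returns only the vectors that need a closer look.
function findCandidates(responses) {
  return Object.entries(responses)
    .map(([vector, body]) => ({ vector, ...classifyReflection(body) }))
    .filter((r) => r.verdict === 'raw');
}

// Constructed sample responses: what three input vectors might return when
// PROBE is submitted as their value. The first encodes its output, the second
// does not, the third never reflects the input at all.
const SAMPLE_RESPONSES = {
  'GET /search?q=':      '<h2>Search Results</h2> for "zq7x&lt;&quot;&#x27;&gt;zq7x"',
  'POST /comment body=': '<div class="comment">zq7x<"\'>zq7x</div>',
  'GET /about':          '<p>Nothing user-controlled here.</p>',
};

console.log('probe sent:', PROBE);
console.log(findCandidates(SAMPLE_RESPONSES));
```

The canary makes the reflection easy to find even in a large page, and the verdict is deliberately coarse: a raw quote in a text node is harmless while the same quote inside an attribute is not, so the 'raw' list is a work queue for manual review, not a list of confirmed vulnerabilities.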
Gray Box testing
Gray Box testing is similar to Black Box testing with partial knowledge of the
Encode HTML Output
Encode any data that came from user input, a database, or a file before writing it into HTML.
Not 100% effective on its own, but prevents most vulnerabilities.
Encode URL Output
Encode when returning URL strings (for example, values placed into query parameters).
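The two encoding rules above as working code; this is an added example, not from the slides or from the ASP.NET how-to they cite. Each piece of untrusted data is encoded for the context it lands in, the link shows that URL encoding and HTML encoding stack, and the "not 100% effective" caveat appears in safeHref: a user-supplied whole URL needs a scheme allowlist, because encoding does not neutralize a javascript: URL placed in href. The function names, the sample search term and the sample link are this example's own assumptions.

```javascript
// Added example, not from the original slides or the ASP.NET how-to:
// encoding untrusted data for the context it lands in. Function names and the
// sample inputs are this example's own.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body and quoted-attribute context: replace every character that can
// open a tag, close a quoted attribute, or start an entity.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL query-parameter context: percent-encode so the value cannot add,
// terminate or alter other parameters.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Encoding is not enough when the user supplies a *whole* URL: a
// "javascript:" URL is still a script once it sits in href. Allow only
// http(s) and same-site relative paths; anything else becomes an inert link.
function safeHref(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u) || /^\/(?!\/)/.test(u)) return u;
  return '#';
}

// Builds the "Search Results" fragment from the slide with the untrusted
// search term encoded for each place it appears. Note the stacking in the
// link: URL-encode the parameter first, then HTML-encode the whole attribute
// value (the '&' between parameters must become '&amp;').
function renderSearchResults(term, page, sponsorLink) {
  const nextUrl = '/search?q=' + encodeForUrlParam(term) + '&page=' + (page + 1);
  return [
    '<div id="pageTitleTxt">',
    '  <h2><span class="highlight">Search Results</span><br />',
    '  for "' + encodeForHtml(term) + '"</h2>',
    '  <a href="' + encodeForHtml(nextUrl) + '">Next page</a>',
    '  <a href="' + encodeForHtml(safeHref(sponsorLink)) + '">Sponsor</a>',
    '</div>',
  ].join('\n');
}

// Constructed sample input: a search term containing markup and quotes, and
// a user-supplied link that is not an http(s) URL.
const SAMPLE_TERM = '<b>x</b>&y="1"';
const SAMPLE_LINK = 'javascript:alert(1)';

console.log(renderSearchResults(SAMPLE_TERM, 1, SAMPLE_LINK));
```

The same encoders are wrong for other contexts: data written inside a script block or an inline event handler needs JavaScript-string encoding, and data used as a CSS value needs CSS encoding, which is why a single HTML encoder is "not 100% effective" and why templating engines that pick the encoder per context are preferable to hand-rolled string building.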
How To: Prevent Cross-Site Scripting in ASP.NET
XSS Prevention Cheat Sheet: