XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The main consequences of this vulnerability are that the attacker can execute any action and read any data in the context of the logged-in user.
It is worth noting that operations performed on behalf of the victim may be invisible to the victim: they may take place in the background using the bank's API, or the attacker may perform them later using the data needed for authentication (tokens, cookies, etc.).
Reflected XSS is one where HTML/JavaScript code contained in any parameter (e.g. GET, POST or cookie) is reflected back in the response.
Take a page with a text input for searching that appends the parameter `?search=foo` to the URL when querying the API. If the entered phrase is not found, a message is placed in the HTML, e.g.
`<div>No result found for <b>foo</b></div>`
We can try to put `?search=<script>alert('XSS')</script>` in the URL.
DOM XSS is when the payload is executed through dangerous JavaScript functions or properties such as `eval` or `innerHTML`. The "Live example" below shows a DOM XSS attack based on `innerHTML`.
Stored XSS is one where the malicious code is written on the server side. For example, we may send a comment containing malicious code to a blog post, and it is saved on the server. Its task is, for example, to wait for the administrator's moderation and then steal his session data, etc.
1. In the tag content: `onerror=alert('XSS')` into
   `<img src onerror=alert('XSS') />`
2. In the content of a quoted attribute: `" onmouseover=alert('XSS')` into
   `<div class="" onmouseover=alert('XSS')"></div>`
3. In an unquoted attribute: `x onclick=alert('XSS')` into
   `<div class=x onclick=alert('XSS')></div>`
4. In the `href` attribute: `javascript:alert('XSS')` into
   `<a href="javascript:alert('XSS')"></a>`
5. Inside a JavaScript string: `";alert('XSS')//` into
   `<script>let username="";alert('XSS')//";</script>`
6. Inside an event handler attribute: `');alert('XSS')//`, where `'` is a single quote, into
   `<div onclick="change('');alert('XSS')//')">John</div>`
7. In the `href` attribute inside the `javascript:` protocol: `%27);alert(1)//`, where `%27` is a single quote, into
   `<a href="javascript:change('%27);alert(1)//')">click</a>`
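As an added example (not code from the original article), here is the search page from above rendered in Node.js: first the vulnerable string concatenation that reflects the parameter verbatim, then a hardened version with per-context output encoding and an allowlist for `href`, which neutralises the text, quoted-attribute and `javascript:` payloads listed above. The function names (`escapeHtml`, `safeHref`, `renderSafe`) and the `https://example.invalid/` base URL are assumptions of this example.

```javascript
// Added example, not from the original article: rendering the
// "No result found for <b>foo</b>" page, unsafe and then hardened. Node.js only.

// Escape for HTML text content and for double-quoted attribute values.
// Encoding all five characters covers both contexts, provided the attribute
// is actually quoted: an unquoted attribute lets `x onclick=...` break out
// no matter how the value is encoded.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) URLs are allowed in href; a `javascript:` URL would run as script.
// The base URL (placeholder) only resolves relative links such as "/results".
function safeHref(url) {
  try {
    const u = new URL(String(url), 'https://example.invalid/');
    return ['http:', 'https:'].includes(u.protocol) ? escapeHtml(u.href) : '#';
  } catch {
    return '#';
  }
}

// Vulnerable: the search parameter is reflected into the HTML unchanged.
function renderUnsafe(search) {
  return `<div>No result found for <b>${search}</b></div>`;
}

// Hardened: each untrusted value is encoded for the context it lands in,
// attributes are always quoted, and the link goes through the allowlist.
function renderSafe(search, cssClass, link) {
  return `<div class="${escapeHtml(cssClass)}">No result found for ` +
    `<b>${escapeHtml(search)}</b> <a href="${safeHref(link)}">back</a></div>`;
}

// Constructed inputs mirroring the payloads discussed in the article.
const SEARCH_PAYLOAD = "<script>alert('XSS')</script>";
const ATTR_PAYLOAD = '" onmouseover=alert(\'XSS\')';
const HREF_PAYLOAD = "javascript:alert('XSS')";

console.log(renderUnsafe(SEARCH_PAYLOAD));                          // script tag survives
console.log(renderSafe(SEARCH_PAYLOAD, ATTR_PAYLOAD, HREF_PAYLOAD)); // all three neutralised
```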
1. Do not use `eval` or `Function` with untrusted user data.
2. Avoid `innerHTML`, `outerHTML`, `insertAdjacentHTML` and `document.write`. Instead, use properties that assign text directly to elements, such as `textContent` or `innerText`.
3. Do not assign untrusted data to `location` (e.g. `location = 'javascript:...'`).
4. Sanitize HTML that has to be rendered with DOMPurify.
5. Be careful with uploaded `.html` or `.svg` files. You can create a separate domain from which the uploaded files will be served.
6. Use the `Content-Security-Policy` mechanism.

If you find this article interesting, follow Lukasz on Github: https://github.com/twistezo