{"id":3810,"date":"2020-10-14T11:25:00","date_gmt":"2020-10-14T11:25:00","guid":{"rendered":"http:\/\/the-codest.localhost\/blog\/web-app-security-xss-vulnerability\/"},"modified":"2026-04-27T10:24:05","modified_gmt":"2026-04-27T10:24:05","slug":"web-app-security-xss-vulnerability","status":"publish","type":"post","link":"https:\/\/thecodest.co\/en\/blog\/web-app-security-xss-vulnerability\/","title":{"rendered":"Web app security – XSS vulnerability"},"content":{"rendered":"\n

Attack scenario<\/h2>\n\n\n\n
    \n
  1. The attacker locates the XSS vulnerability on a website used by the victim, e.g., a bank’s website<\/li>\n\n\n\n
  2. The victim is currently logged on to this page<\/li>\n\n\n\n
  3. The attacker sends the victim a crafted URL<\/li>\n\n\n\n
  4. The victim clicks on the URL<\/li>\n\n\n\n
  5. On the victim’s bank<\/a> website, JavaScript<\/a> code<\/a> starts executing to intercept the user’s data<\/a> or execute a transfer on his behalf to the attacker’s account<\/li>\n<\/ol>\n\n\n\n

    It is worth noting that operations performed on behalf of the victim may be invisible to the victim, as they may take place in the background using the bank’s API<\/a>, or the attacker may perform them later with the data needed for authentication, tokens, cookies, etc.<\/p>\n\n\n\n

    XSS types<\/h2>\n\n\n\n

    1. Reflected XSS <\/h3>\n\n\n\n

    This is one where HTML\/JavaScript code contained in any parameter (e.g. GET, POST or cookie) is displayed in response.<\/p>\n\n\n\n

    A page with a text input to search for something that puts the parameter ?search=foo<\/code> in the URL ending when querying the API. After entering any phrase, if it is not found, a return message is placed in HTML ex.<\/p>\n\n\n\n

    <div>No result found for <b>foo<\/b><\/div><\/code><\/pre>\n\n\n\n
    We can try to put in the URL ?search=<script>alert('XSS')<\/script><\/code>..<\/p>\n\n\n\n
    2.DOM XSS <\/h3>\n\n\n\n
    This is when its execution is enabled by the use of dangerous functions in JavaScript, such as `eval`<\/code> or `innerHtml`<\/code>. The “Live example” below shows a DOM XSS attack based on the `innerHtml`<\/code> function.<\/p>\n\n\n\n
    3. Stored XSS <\/h3>\n\n\n\n
    This is one where the malicious code gets written on the server side. For example, we may send a comment with malicious code to a blog post that is uploaded to the server. Its task is, for example, to wait for the administrator’s moderation and then to steal his session data, etc.<\/p>\n\n\n\n
    Injection methods<\/h2>\n\n\n\n
    1. In the tag content<\/p>\n\n\n\n
    `onerror=alert('XSS')`<\/code>into<\/p>\n\n\n\n
    <img src onerror=alert('XSS') \/><\/code><\/pre>\n\n\n\n
    2. In the content of the attribute<\/p>\n\n\n\n
    `\" onmouseover=alert('XSS')`<\/code> into<\/p>\n\n\n\n
    <div class=\"\" onmouseover=alert('XSS')\"><\/div><\/code><\/pre>\n\n\n\n
    <\/p>\n\n\n\n
      \n
    1. In the content of the attribute without the quotes<\/li>\n<\/ol>\n\n\n\n
      x onclick=alert('XSS')<\/code>into<\/p>\n\n\n\n
      <div class=x onclick=alert('XSS')><\/div><\/code><\/pre>\n\n\n\n
      <\/p>\n\n\n\n
        \n
      1. In the href<\/code>ef attribute<\/li>\n<\/ol>\n\n\n\n
        javascript:alert('XSS')<\/code> into<\/p>\n\n\n\n
        <a href=\"javascript:alert('XSS')\"><\/a><\/code><\/pre>\n\n\n\n
        <\/p>\n\n\n\n
          \n
        1. In the string inside JavaScript code<\/li>\n<\/ol>\n\n\n\n
          \";alert('XSS')\/\/<\/code> into<\/p>\n\n\n\n
          <script>let username=\"\";alert('XSS')\/\/\";<\/script><\/code><\/pre>\n\n\n\n
            \n
          1. In the attribute with the JavaScript event<\/li>\n<\/ol>\n\n\n\n
            &#39;);alert('XSS')\/\/<\/code> where &#39;<\/code> is a single quote, into<\/p>\n\n\n\n
            <div onclick=\"change('&#39;);alert('XSS')\/\/')\">John<\/div><\/code><\/pre>\n\n\n\n
            <\/p>\n\n\n\n
              \n
            1. In the href<\/code> attribute inside the JavaScript protocol<\/li>\n<\/ol>\n\n\n\n
              %27);alert(1)\/\/<\/code> where %27<\/code> is a single quote, into<\/p>\n\n\n\n
              <a href=\"javascript:change('%27);alert(1)\/\/')\">click<\/a><\/code><\/pre>\n\n\n\n

               <\/code><\/p>\n\n\n\n
              Live example<\/h3>\n\n\n\n
              \n