Cross-Site Scripting 101: Stored vs Reflected, Fortnite, and general sanitization
Cross-site scripting (XSS) attacks inject malicious script into sites that users consider trustworthy but that are vulnerable. The attacker uses the web application itself to deliver the script to the vulnerable server, and when another user requests the affected page, the script runs in that user's browser.
Because the script appears to come from a trusted source, the victim's browser has no way of knowing that it is malicious and should not be executed. The attacker's script can therefore access any cookie, session token, or other sensitive information the browser holds for that site.
Types of Cross-Site Scripting
Stored XSS attacks occur when the attacker stores a malicious script on the server, for example in a database, a forum post, or a comments section. The victim downloads the script from the server on visiting the page where the attacker stored it, and their browser executes the malicious code automatically.
Reflected XSS attacks, also known as non-persistent attacks, are those in which the injected script is reflected back to another user through the web application. In an example provided by PortSwigger, the attacker crafts a search query; if the input is not sanitized, the attacker can inject a script into it, and when another user issues the query the attacker created, the script is executed in that user's browser. Put another way, the web application mirrors the malicious script into the victim's browser. The script is embedded in a link and is activated when the victim clicks on that link.
The biggest difference between stored and reflected XSS is that a stored attack does not need to induce the user to make a request containing the exploit: the exploit is already in the application, and the attacker only has to wait for a user to find it.
Blind XSS occurs when the attacker's payload is stored on the server and reflected to the victim through the back end. For example, the attacker injects the payload into a feedback form; when an administrator reviews that feedback, the payload is loaded into the administrative application and executed there, so the script runs in a different application from the one it was submitted to.
DOM-based XSS, also known as client-side XSS, is an attack delivered just like reflected XSS by means of a malicious URL. The difference is that it is executed entirely in the victim's browser by modifying the DOM (Document Object Model). The DOM is a platform-neutral interface that allows programs and scripts to access and update a page's content and styles. In an example presented by Acunetix, the attacker embeds a malicious script in a URL, and a property such as document.URL is populated with the attacker's payload. The moment the browser updates the body of the page with that value, the malicious script is executed. Fortunately, many browsers URL-encode characters like < and >, which causes this particular attack to fail.
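As an added example (not code from the article or from Acunetix), here is the client-side pattern described above in JavaScript: the same value read from the page URL is written once through an HTML sink and once through a text sink. The element object is a stand-in for a DOM element so the block runs under Node without a browser, and the URL is constructed for the example.

```javascript
// Added example, not code from the article or from Acunetix. The stand-in
// element records what a script assigns to it, so this runs under Node with
// no browser; in a real page the element would come from document.getElementById.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Reads the "name" parameter from the page URL (constructed input below).
function nameFromUrl(pageUrl) {
  return new URL(pageUrl).searchParams.get("name") || "guest";
}

// Vulnerable pattern: URL data flows into innerHTML, an HTML sink, so the
// browser parses any markup in the parameter and runs any script it contains.
function renderGreetingUnsafe(pageUrl, element) {
  element.innerHTML = "Welcome, " + nameFromUrl(pageUrl);
  return element;
}

// Hardened pattern: the same data goes through textContent, a text sink,
// which the browser displays literally and never parses as markup.
function renderGreetingSafe(pageUrl, element) {
  element.textContent = "Welcome, " + nameFromUrl(pageUrl);
  return element;
}

// Caveat: the address bar may percent-encode < and >, but URLSearchParams
// decodes them again, so by the time the script reads the value the encoding
// is gone. Only the choice of sink decides whether the value becomes markup.
const constructedUrl =
  "https://example.test/welcome?name=%3Cb%3Ehello%3C%2Fb%3E";

function demo() {
  return {
    decoded: nameFromUrl(constructedUrl), // "<b>hello</b>"
    unsafe: renderGreetingUnsafe(constructedUrl, makeElement()),
    safe: renderGreetingSafe(constructedUrl, makeElement()),
  };
}
```

The point to check in a code review is the sink, not the source: both functions read the same decoded string, but only the innerHTML assignment lets the browser interpret it as HTML.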
Real-life examples
Between 2015 and 2016, eBay had an XSS vulnerability. The site used a URL parameter to redirect users to different pages within its platform, but the parameter was not validated, and attackers took advantage of this to inject malicious code into the page. They obtained full control of sellers' accounts, were able to sell discounted products, and stole payment details. These attacks continued until 2017.
A more recent example occurred in 2019, with a vulnerability discovered in the popular game Fortnite. For authentication, Fortnite lets players log in through single sign-on providers such as Facebook, Google, Xbox, and PlayStation accounts. According to the researchers, the combination of an XSS vulnerability and a flaw in Epic Games' redirection handling allowed attackers to steal users' authentication tokens by getting them to click on a malicious link.
How to prevent XSS attacks?
The PortSwigger portal identifies four key points for preventing cross-site scripting attacks.
The first is to sanitize the input that users send, filtering it as strictly as possible so that only what is expected is accepted.
Digging deeper into this point, there are three steps to follow. First, escape the user input, converting the characters received so that they cannot be executed. Second, validate the user input: any data from outside is potentially dangerous, so check that it matches what the application expects. Third, clean the data by removing unwanted content such as HTML tags or other dangerous characters.
The second point concerns output: when an HTTP response is built from data the user controls, that data must be encoded so that it cannot be interpreted as active content.
The third point is the use of headers such as Content-Type and X-Content-Type-Options. With these, the application tells the browser which responses are not meant to contain HTML or JavaScript, so the browser does not interpret them as such.
Finally, they recommend using a Content Security Policy (CSP). Like the previous point, this is a header that any modern browser understands; it restricts the JavaScript, CSS, and other resources the browser is allowed to load.
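To show the four points working together, here is an added example in JavaScript that is not code from the article or from PortSwigger: a small request handler that validates the search term, HTML-encodes it on output, and sets Content-Type, X-Content-Type-Options, and a Content Security Policy. The request object, the header values, and the sample search term are constructed for this example; `req.query.q` stands in for whatever a framework's query parser would provide.

```javascript
// Added example, not code from the article or from PortSwigger: the four
// prevention points applied in a small request handler. The request object,
// the header values and the sample search term are constructed here.

// Point 1, validation: reject input that cannot be a legitimate search term
// (empty, over-long, or containing control characters) before it goes further.
function validateQuery(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 64) return null;
  if (/[\x00-\x1f\x7f]/.test(raw)) return null;
  return raw.trim();
}

// Point 2, output encoding: characters that mean something in an HTML text or
// attribute context become entities, so the browser shows them as text
// instead of interpreting them as markup.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Points 3 and 4, headers: declare the content type, forbid MIME sniffing with
// X-Content-Type-Options, and restrict script sources with a Content Security Policy.
function securityHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Builds the page; every place user data lands in the HTML goes through escapeHtml,
// both in element text and inside an attribute value.
function renderSearchPage(message) {
  return (
    "<!doctype html><html><body>" +
    "<p>Results for: " + escapeHtml(message) + "</p>" +
    '<input name="q" value="' + escapeHtml(message) + '">' +
    "</body></html>"
  );
}

// Handler returning a plain result object so it can be tested without a server.
function handleSearch(req) {
  const q = validateQuery(req && req.query ? req.query.q : undefined);
  if (q === null) {
    return { status: 400, headers: securityHeaders(), body: renderSearchPage("invalid search term") };
  }
  return { status: 200, headers: securityHeaders(), body: renderSearchPage(q) };
}

// Adapter for Node's http module: writes a result to a ServerResponse.
function sendResult(result, res) {
  res.writeHead(result.status, result.headers);
  res.end(result.body);
}

// Constructed request: the search term carries markup, as an injection attempt would.
const constructedRequest = { query: { q: "<b>test</b>" } };
```

To serve this for real, wire `handleSearch` into `http.createServer((req, res) => sendResult(handleSearch(parsedRequest), res))` with your framework's query parsing in place of the constructed request; the response for the sample term contains `&lt;b&gt;test&lt;/b&gt;` and no raw tag, and the headers stop the browser from sniffing the type or loading scripts from elsewhere.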
References
Fortnite flaws allowed hackers to takeover gamers' accounts. (2019, January 16). The Hacker News. Retrieved July 22, 2022, from https://thehackernews.com/2019/01/fortnite-account-hacked.html
How to detect blind XSS vulnerabilities. (2019, July 5). Acunetix. Retrieved July 22, 2022, from https://www.acunetix.com/websitesecurity/detecting-blind-xss-vulnerabilities/
Inc., F. (n.d.). Content security policy reference. Retrieved July 22, 2022, from https://content-security-policy.com/
JavaScript HTML DOM. (n.d.). Retrieved July 22, 2022, from https://www.w3schools.com/js/js_htmldom.asp
Nidecki, T. A. (2022, July 21). DOM XSS: An explanation of DOM-based cross-site scripting. Acunetix. Retrieved July 22, 2022, from https://www.acunetix.com/blog/articles/dom-xss-explained/
Protect from cross-site scripting attacks. (n.d.). IBM. Retrieved July 22, 2022, from https://www.ibm.com/garage/method/practices/code/protect-from-cross-site-scripting/
Reflected XSS: How to prevent a non-persistent attack. (2022, February 15). Imperva Learning Center. Retrieved July 22, 2022, from https://www.imperva.com/learn/application-security/reflected-xss-attacks/
S, K. (n.d.). Cross site scripting (XSS). OWASP Foundation. Retrieved July 22, 2022, from https://owasp.org/www-community/attacks/xss/
What is cross-site scripting (XSS) and how to prevent it? (n.d.). PortSwigger Web Security Academy. Retrieved July 22, 2022, from https://portswigger.net/web-security/cross-site-scripting
What is cross-site scripting? XSS cheat sheet. (n.d.). Veracode. Retrieved July 22, 2022, from https://www.veracode.com/security/xss
What is reflected XSS (cross-site scripting)? Tutorial & examples. (n.d.). PortSwigger Web Security Academy. Retrieved July 22, 2022, from https://portswigger.net/web-security/cross-site-scripting/reflected
What is stored XSS (cross-site scripting)? Tutorial & examples. (n.d.). PortSwigger Web Security Academy. Retrieved July 22, 2022, from https://portswigger.net/web-security/cross-site-scripting/stored
XSS attack: 3 real life attacks and code examples. (2022, March 8). Bright Security. Retrieved July 22, 2022, from https://brightsec.com/blog/xss-attack/
Imperva. (2022a). Reflected cross site scripting (XSS) attacks [Graph]. https://www.imperva.com/learn/application-security/reflected-xss-attacks/
Imperva. (2022b). What is stored cross site scripting [Figure]. https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/
Khandelwal, S. (2019, January 16). Fortnite flaws allowed hackers to takeover gamers' accounts [Graph]. The Hacker News. https://thehackernews.com/2019/01/fortnite-account-hacked.html
Understanding XSS: Input sanitisation semantics and output encoding contexts. (2013, May 30). [Illustration]. https://www.troyhunt.com/understanding-xss-input-sanitisation/