DEV Community

Cover image for What is Cross-site Scripting (XSS) ? Types of XSS!
Amr Elmohamady
Amr Elmohamady

Posted on • Updated on

What is Cross-site Scripting (XSS) ? Types of XSS!

What is Cross-site Scripting?

Cross-site Scripting (which is called XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.

So, Yes it's client side hacking not in Node.js but just plain JavaScript.

What attackers do is sending script-injected link to victims when victims open the link, the browser opens the site and also executes the XSS script which steal the user's data from session storage or cookies like

document.cookie
Enter fullscreen mode Exit fullscreen mode

Then, sending the user's data to the attacker with an Http request.
Here's an image which simplify the process:

XSS Process


Types of XSS:

1- Stored XSS

Well, it's the simplest kind of XSS Attacks; XSS Script is sent to the database and called each time a page is loaded.
Ex:
A comments section in a blog the attacker puts the XSS script and submit it as a comment so it appears each time the page is loaded to do its job.

2- DOM XSS:

This kind is somehow tricky as this is the most one I like.
It happens mostly in the URL using

document.location
Enter fullscreen mode Exit fullscreen mode

When JavaScript takes data from an attack-controllable source (URL), and it passes it in the HTML using innerHTML which enables attackers to execute malicious scripts.

For avoiding this type of XSS use innerTEXT instead of innerHTML, You may need to use innerHTML when you want to add dynamic HTML in your page so you can filter inputs from the Backend.

Ex:
http://www.example.com/userdashboard.html?context=Mary is a dashboard customized for Mary. It contains the string Main Dashboard for Mary at the top.

Here is how a DOM-based XSS attack can be performed for this web application:

The attacker embeds a malicious script in the URL: http://www.example.com/userdashboard.html#context=SomeFunction(somevariable).
The victim’s browser receives this URL, sends an HTTP request to http://www.example.com, and receives the static HTML page.
The browser starts building the DOM of the page and populates the document.URL property with the URL from step The browser parses the HTML page, reaches the script, and runs it, extracting the malicious content from the document.URL property.
The browser updates the raw HTML body of the page to contain: Main Dashboard for

<script>
SomeFunction(somevariable)
</script>
Enter fullscreen mode Exit fullscreen mode

The browser finds the JavaScript code in the HTML body and executes it.

3- Reflected XSS (Non-persistent XSS):

The most common way for cross-site scripting.
Reflected XSS is not a persistent attack, so the attacker needs to deliver the link to each victim. These attacks are often made using social networks.
In this case, the attacker’s payload has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload(script) from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server. The reflected XSS payload is then executed in the user’s browser.


How to discover various XSS types?

Easiest way is to validate inputs and use an XSS Scanner.

An Automated web security scanner checks your site for vulnerabilities. ... A website that's vulnerable to Cross-site scripting (XSS) will allow an attacker to inject browser-side scripts into web pages viewed by users.


Follow the blog for more useful articles

Twitter: @Amr__Elmohamady

Top comments (7)

Collapse
 
antogarand profile image
Info Comment hidden by post author - thread only accessible via permalink
Antony Garand • Edited

Source of the first image in your post: Cloudflare - What is cross-site scripting?, please cite your sources for your media, and get the permission to use them!

Your descriptions are quite wrong as well, a self xss isn't one where you use dev tools to hack yourself, but one where only you are vulnerable to the XSS.

While I appreciate the objective of sharing more security knowledge, please validate your content before submitting it, or you'll risk spreading misinformation!

Collapse
 
amrelmohamady profile image
Amr Elmohamady

Self XSS is when you hack someone's device from his device knowing his password . If I am wrong then what the right? My information is from trusted worldwide resources

Collapse
 
antogarand profile image
Antony Garand

Self XSS is when the only the victim can hack themselves, such as a XSS on their own profiles or reflected XSS which only they can trigger.

While executing alert in your console could technically be classified as a self xss, it's not a vulnerability on the server itself and is usually not worth considering.

Sources:

Thread Thread
 
amrelmohamady profile image
Amr Elmohamady

youtu.be/nTCDQ0UmFgE In the last of the video she explained self XSS which is not considered a type of xss

Thread Thread
 
amrelmohamady profile image
Amr Elmohamady

Also yes it not vulnerable in the server I didn't say that

Thread Thread
 
antogarand profile image
Antony Garand

Youtube video's aren't always right, especially in smaller variants of XSS like Self XSS.

If you look elsewhere for references, especially in bug disclosure and writeup, you'll see my definition used more often than not.

Here is how it can be exploited when chained with other vulnerabilities: medium.com/@Ch3ckM4te/self-xss-to-...

Also, while I strongly disagree with the content of your post as demonstrated in my first comment, hiding the comment locks down the discussion to only us, whereas if left as-is other members of the community could have contributed to the disscussion

Thread Thread
 
amrelmohamady profile image
Amr Elmohamady

Ok I read about self XSS the what's the benefits of it

Some comments have been hidden by the post's author - find out more