How dangerous is XSS?
I am a software engineer and have been watching a lot of videos about XSS.
But I fail to understand how it is dangerous if it runs on the client side and does not execute on the server side, which contains the databases and many important files.
web-application xss vulnerability
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Apr 5 at 8:07
edited Apr 3 at 12:44 by Peter Mortensen
asked Apr 1 at 3:26 by Sai Kumar
9 Answers
Below are the things an attacker can do if there is an XSS vulnerability. Content taken from somdev blog.
- Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads in it to make money ;)
- Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
- Session Hijacking - HTTP cookies can be accessed by JavaScript if the HTTP ONLY flag is not present in the cookies.
- Content Spoofing - JavaScript has full access to client side code of a web app and hence you can use it to show/modify desired content.
- Credential Harvesting - The most fun part. You can use a fancy popup to harvest credentials. WiFi firmware has been updated, re-enter your credentials to authenticate.
- Forced Downloads - So the victim isn’t downloading your malicious flash player from absolutely-safe.com? Don’t worry, you will have more luck trying to force a download from the trusted website your victim is visiting.
- Crypto Mining - Yes, you can use the victim’s CPU to mine some bitcoin for you!
- Bypassing CSRF protection - You can make POST requests with JavaScript, you can collect and submit a CSRF token with JavaScript, what else do you need?
- Keylogging - You know what this is.
- Recording Audio - It requires authorization from the user but you access victim’s microphone. Thanks to HTML5 and JavaScript.
- Taking pictures - It requires authorization from the user but you access victim’s webcam. Thanks to HTML5 and JavaScript.
- Geo-location - It requires authorization from the user but you access victim’s Geo-location. Thanks to HTML5 and JavaScript. Works better with devices with GPS.
- Stealing HTML5 web storage data - HTML5 introduced a new feature, web storage. Now a website can store data in the browser for later use and of course, JavaScript can access that storage via window.localStorage() and window.webStorage()
- Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your browser name, version, installed plugins and their versions, your operating system, architecture, system time, language and screen resolution.
- Network Scanning - Victim’s browser can be abused to scan ports and hosts with JavaScript.
- Crashing Browsers - Yes! You can crash browser with flooding them with….stuff.
- Stealing Information - Grab information from the webpage and send it to your server. Simple!
- Redirecting - You can use javascript to redirect users to a webpage of your choice.
- Tabnapping - Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is afk and you can sneakily replace the current webpage with a fake one.
- Capturing Screenshots - Thanks to HTML5 again, now you can take screenshot of a webpage. Blind XSS detection tools have been doing this before it was cool.
- Perform Actions - You are controlling the browser,
1
So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?
– Sai Kumar
Apr 1 at 17:08
2
It still depends on how the attacker programs it, basically depending on user events or triggering the code on specific time intervals.
– Goron
Apr 1 at 17:12
12
@SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.
– Philipp
Apr 2 at 8:31
2
For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.
– John Dvorak
Apr 2 at 10:19
2
It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry
– thomasrutter
Apr 2 at 23:53
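The session-hijacking item in the list above turns on whether a cookie carries the HttpOnly flag. As an added example (not part of the answer or of the quoted blog), the following audits `Set-Cookie` header values for that flag and two related ones; the header strings and the `SESSIONID` cookie name are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the flags that decide whether
// script running in the page can read a session cookie.
// All header values and cookie names below are constructed samples.
const SAMPLE_SET_COOKIE = [
  'SESSIONID=abc123; Path=/',
  'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
];

// Split one Set-Cookie value into the cookie name and a map of its attributes.
// Attribute names are case-insensitive, so keys are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq).trim();
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Return the names of the protective flags a cookie lacks.
function missingFlags(attrs) {
  const missing = [];
  // Without HttpOnly the value is readable through document.cookie.
  if (!('httponly' in attrs)) missing.push('HttpOnly');
  // Without Secure the cookie is also sent over plain HTTP.
  if (!('secure' in attrs)) missing.push('Secure');
  // SameSite must be set explicitly to Lax or Strict to count here.
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') missing.push('SameSite');
  return missing;
}

// Report every cookie named in sensitiveNames that lacks at least one flag.
function auditSetCookieHeaders(headers, sensitiveNames) {
  const sensitive = new Set(sensitiveNames.map((n) => n.toLowerCase()));
  return headers
    .map(parseSetCookie)
    .filter((c) => sensitive.has(c.name.toLowerCase()))
    .map((c) => ({ name: c.name, missing: missingFlags(c.attrs) }))
    .filter((r) => r.missing.length > 0);
}

for (const finding of auditSetCookieHeaders(SAMPLE_SET_COOKIE, ['SESSIONID'])) {
  console.log(`${finding.name}: missing ${finding.missing.join(', ')}`);
}
```

HttpOnly only keeps the cookie value out of `document.cookie`; injected script can still send requests that carry the cookie, which is what the "Bypassing CSRF protection" and "Perform Actions" items in the same list describe.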
Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.
As part of a security assessment my company was tasked with trying to access the CEO's personal e-mails.
I managed to get their personal e-mail address through some OSINT. Now, one could go for spear phishing with a custom version of one of the many info-stealer malware, but I prolonged the information gathering phase a little longer.
It turned out the CEO loved boats and was selling one of theirs on a boat-selling site.
The site seemed pretty amateur; I registered and fooled around a bit. And what did I find?
The site lets you manage your password by prefilling a password field with the current one. Spurred on by this, I investigated the site a little bit more.
I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader's browser!
Seems pretty "innocuous", doesn't it? What if you combine it with the bad management of the password?
So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and sent it to a C&C of mine.
Then I instilled a sense of urgency in the CEO by carefully writing an e-mail informing them about my "intention" to buy.
After a day I received the password they used to log in the boats site.
As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).
Long story short, an attack is not a single atomic step, it's made of little conquests. If you give your adversary room for a step, you'll never know what they can do from there.
An XSS is room for the attacker and, as you have seen, quite a bit of it.
Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.
This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as the logged-in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently being attacked.
When XSS was first becoming widely known in the web application
security community, some professional penetration testers were
inclined to regard XSS as a “lame” vulnerability
source: Web Application Hackers Handbook
XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".
But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.
1
Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.
– schroeder♦
Apr 1 at 9:38
Absolutely. I didn't write it because I only wanted to add what steffen wrote.
– Vipul Nair
Apr 1 at 18:19
An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:
- Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.
- Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.
- Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.
- Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.
- Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.
- Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.
- Someone uses it to snoop on your users. Hel-lo, breach of GDPR.
Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.
But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.
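The log-viewer case described above, as an added example that is not part of the original answer: the same access-log line rendered into an admin page by raw concatenation and with HTML escaping. The log lines, function names and table layout are constructed for illustration.

```javascript
// Added example: an admin log viewer rendering access-log lines as HTML rows.
// The log lines are constructed samples in Apache "combined" format; the
// second one carries markup in its User-Agent field.
const SAMPLE_LOG_LINES = [
  '198.51.100.7 - - [01/Apr/2019:03:26:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '203.0.113.9 - - [01/Apr/2019:03:27:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "<script>alert(1)</script>"',
];

const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parse one combined-format line; returns null when the line does not match.
function parseLogLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: m[4], referer: m[6], userAgent: m[7] };
}

// Columns shown by the viewer, in display order.
function columns(entry) {
  return [entry.ip, entry.time, entry.request, entry.status, entry.userAgent];
}

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: request-controlled fields are concatenated into markup,
// so anything a client put in a header is parsed as HTML in the admin's browser.
function renderRowUnsafe(entry) {
  return '<tr>' + columns(entry).map((v) => `<td>${v}</td>`).join('') + '</tr>';
}

// Hardened form: every field is escaped at the point of output.
function renderRowSafe(entry) {
  return '<tr>' + columns(entry).map((v) => `<td>${escapeHtml(v)}</td>`).join('') + '</tr>';
}

// Check for review or tests: list element names in the output that the
// viewer's own template never emits.
function foreignTags(html, allowed = ['tr', 'td']) {
  const found = new Set();
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagPattern.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found];
}

for (const line of SAMPLE_LOG_LINES) {
  const entry = parseLogLine(line);
  console.log('unsafe foreign tags:', foreignTags(renderRowUnsafe(entry)));
  console.log('safe foreign tags:  ', foreignTags(renderRowSafe(entry)));
}
```

In browser code, setting `textContent` on each cell instead of building an HTML string gives the same result without a hand-written escaper.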
To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):
Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"
Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."
Answer of the reporter: "Then take a look at my profile page on your website."
The webmaster did this and suddenly the whole website was dead. What happened? The reporter used an XSS vulnerability to insert JavaScript code on his profile page.
The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:
- add a new account with the highest rights (for demonstration purposes)
- to rename PHP-files and SQL-tables on the server (the website had an administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)
Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).
Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.
Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?
– Sai Kumar
Apr 3 at 3:53
The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.
– H. Idden
Apr 3 at 7:06
It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.
But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.
You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.
XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").
If you have one publicly available, it may then be described as
Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
XSS is a Very Dangerous Vulnerability. Very. It is.
It allows all
your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.
You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.
This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206520%2fhow-dangerous-is-xss%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
9 Answers
9
active
oldest
votes
9 Answers
9
active
oldest
votes
active
oldest
votes
active
oldest
votes
Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog
Ad-Jacking - If you manage to get stored XSS on a website, just
inject your ads in it to make money ;)
Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
Session Hijacking - HTTP cookies can be accessed
by JavaScript if the HTTP ONLY flag is not present in the cookies.
Content Spoofing - JavaScript has full access to client side code of
a web app and hence you can use it show/modify desired content.
Credential Harvesting - The most fun part. You can use a fancy popup
to harvest credentials. WiFi firmware has been updated, re-enter your
credentials to authenticate.
Forced Downloads - So the victim isn’t
downloading your malicious flash player from absolutely-safe.com?
Don’t worry, you will have more luck trying to force a download from
the trusted website your victim is visiting.
Crypto Mining - Yes, you
can use the victim’s CPU to mine some bitcoin for you!
Bypassing CSRF
protection - You can make POST requests with JavaScript, you can
collect and submit a CSRF token with JavaScript, what else do you
need?
Keylogging - You know what this is.
Recording Audio - It
requires authorization from the user but you access victim’s
microphone. Thanks to HTML5 and JavaScript.
Taking pictures - It
requires authorization from the user but you access victim’s webcam.
Thanks to HTML5 and JavaScript.
Geo-location - It requires
authorization from the user but you access victim’s Geo-location.
Thanks to HTML5 and JavaScript. Works better with devices with GPS.
Stealing HTML5 web storage data - HTML5 introduced a new feature, web
storage. Now a website can store data in the browser for later use
and of course, JavaScript can access that storage via
window.localStorage() and window.webStorage() Browser & System
Fingerprinting - JavaScript makes it a piece of cake to find your
browser name, version, installed plugins and their versions, your
operating system, architecture, system time, language and screen
resolution.
Network Scanning - Victim’s browser can be abused to scan
ports and hosts with JavaScript.
Crashing Browsers - Yes! You can
crash browser with flooding them with….stuff.
Stealing Information -
Grab information from the webpage and send it to your server. Simple!
Redirecting - You can use javascript to redirect users to a webpage
of your choice.
Tabnapping - Just a fancy version of redirection.
For example, if no keyboard or mouse events have been received for
more than a minute, it could mean that the user is afk and you can
sneakily replace the current webpage with a fake one.
Capturing
Screenshots - Thanks to HTML5 again, now you can take screenshot of a
webpage. Blind XSS detection tools have been doing this before it was
cool.
Perform Actions - You are controlling the browser,
1
So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?
– Sai Kumar
Apr 1 at 17:08
2
It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.
– Goron
Apr 1 at 17:12
12
@SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.
– Philipp
Apr 2 at 8:31
2
For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.
– John Dvorak
Apr 2 at 10:19
2
It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry
– thomasrutter
Apr 2 at 23:53
|
show 5 more comments
Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog
Ad-Jacking - If you manage to get stored XSS on a website, just
inject your ads in it to make money ;)
Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
Session Hijacking - HTTP cookies can be accessed
by JavaScript if the HTTP ONLY flag is not present in the cookies.
Content Spoofing - JavaScript has full access to client side code of
a web app and hence you can use it show/modify desired content.
Credential Harvesting - The most fun part. You can use a fancy popup
to harvest credentials. WiFi firmware has been updated, re-enter your
credentials to authenticate.
Forced Downloads - So the victim isn’t
downloading your malicious flash player from absolutely-safe.com?
Don’t worry, you will have more luck trying to force a download from
the trusted website your victim is visiting.
Crypto Mining - Yes, you
can use the victim’s CPU to mine some bitcoin for you!
Bypassing CSRF
protection - You can make POST requests with JavaScript, you can
collect and submit a CSRF token with JavaScript, what else do you
need?
Keylogging - You know what this is.
Recording Audio - It
requires authorization from the user but you access victim’s
microphone. Thanks to HTML5 and JavaScript.
Taking pictures - It
requires authorization from the user but you access victim’s webcam.
Thanks to HTML5 and JavaScript.
Geo-location - It requires
authorization from the user but you access victim’s Geo-location.
Thanks to HTML5 and JavaScript. Works better with devices with GPS.
Stealing HTML5 web storage data - HTML5 introduced a new feature, web
storage. Now a website can store data in the browser for later use
and of course, JavaScript can access that storage via
window.localStorage() and window.webStorage() Browser & System
Fingerprinting - JavaScript makes it a piece of cake to find your
browser name, version, installed plugins and their versions, your
operating system, architecture, system time, language and screen
resolution.
Network Scanning - Victim’s browser can be abused to scan
ports and hosts with JavaScript.
Crashing Browsers - Yes! You can
crash browser with flooding them with….stuff.
Stealing Information -
Grab information from the webpage and send it to your server. Simple!
Redirecting - You can use javascript to redirect users to a webpage
of your choice.
Tabnapping - Just a fancy version of redirection.
For example, if no keyboard or mouse events have been received for
more than a minute, it could mean that the user is afk and you can
sneakily replace the current webpage with a fake one.
Capturing
Screenshots - Thanks to HTML5 again, now you can take screenshot of a
webpage. Blind XSS detection tools have been doing this before it was
cool.
Perform Actions - You are controlling the browser,
1
So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?
– Sai Kumar
Apr 1 at 17:08
2
It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.
– Goron
Apr 1 at 17:12
12
@SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.
– Philipp
Apr 2 at 8:31
2
For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.
– John Dvorak
Apr 2 at 10:19
2
It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry
– thomasrutter
Apr 2 at 23:53
|
show 5 more comments
Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog
Ad-Jacking - If you manage to get stored XSS on a website, just
inject your ads in it to make money ;)
Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
Session Hijacking - HTTP cookies can be accessed
by JavaScript if the HTTP ONLY flag is not present in the cookies.
Content Spoofing - JavaScript has full access to client side code of
a web app and hence you can use it show/modify desired content.
Credential Harvesting - The most fun part. You can use a fancy popup
to harvest credentials. WiFi firmware has been updated, re-enter your
credentials to authenticate.
Forced Downloads - So the victim isn’t
downloading your malicious flash player from absolutely-safe.com?
Don’t worry, you will have more luck trying to force a download from
the trusted website your victim is visiting.
Crypto Mining - Yes, you
can use the victim’s CPU to mine some bitcoin for you!
Bypassing CSRF
protection - You can make POST requests with JavaScript, you can
collect and submit a CSRF token with JavaScript, what else do you
need?
Keylogging - You know what this is.
Recording Audio - It
requires authorization from the user but you access victim’s
microphone. Thanks to HTML5 and JavaScript.
Taking pictures - It
requires authorization from the user but you access victim’s webcam.
Thanks to HTML5 and JavaScript.
Geo-location - It requires
authorization from the user but you access victim’s Geo-location.
Thanks to HTML5 and JavaScript. Works better with devices with GPS.
Stealing HTML5 web storage data - HTML5 introduced a new feature, web
storage. Now a website can store data in the browser for later use
and of course, JavaScript can access that storage via
window.localStorage() and window.webStorage() Browser & System
Fingerprinting - JavaScript makes it a piece of cake to find your
browser name, version, installed plugins and their versions, your
operating system, architecture, system time, language and screen
resolution.
Network Scanning - Victim’s browser can be abused to scan
ports and hosts with JavaScript.
Crashing Browsers - Yes! You can
crash browser with flooding them with….stuff.
Stealing Information -
Grab information from the webpage and send it to your server. Simple!
Redirecting - You can use javascript to redirect users to a webpage
of your choice.
Tabnapping - Just a fancy version of redirection.
For example, if no keyboard or mouse events have been received for
more than a minute, it could mean that the user is afk and you can
sneakily replace the current webpage with a fake one.
Capturing
Screenshots - Thanks to HTML5 again, now you can take screenshot of a
webpage. Blind XSS detection tools have been doing this before it was
cool.
Perform Actions - You are controlling the browser,
Below are the things an attacker can do if there is an XSS vulnerability. Content taken from somdev blog.
- Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads in it to make money ;)
- Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
- Session Hijacking - HTTP cookies can be accessed by JavaScript if the HTTP ONLY flag is not present in the cookies.
- Content Spoofing - JavaScript has full access to client side code of a web app and hence you can use it to show/modify desired content.
- Credential Harvesting - The most fun part. You can use a fancy popup to harvest credentials. "WiFi firmware has been updated, re-enter your credentials to authenticate."
- Forced Downloads - So the victim isn’t downloading your malicious flash player from absolutely-safe.com? Don’t worry, you will have more luck trying to force a download from the trusted website your victim is visiting.
- Crypto Mining - Yes, you can use the victim’s CPU to mine some bitcoin for you!
- Bypassing CSRF protection - You can make POST requests with JavaScript, you can collect and submit a CSRF token with JavaScript, what else do you need?
- Keylogging - You know what this is.
- Recording Audio - It requires authorization from the user but you access victim’s microphone. Thanks to HTML5 and JavaScript.
- Taking pictures - It requires authorization from the user but you access victim’s webcam. Thanks to HTML5 and JavaScript.
- Geo-location - It requires authorization from the user but you access victim’s Geo-location. Thanks to HTML5 and JavaScript. Works better with devices with GPS.
- Stealing HTML5 web storage data - HTML5 introduced a new feature, web storage. Now a website can store data in the browser for later use and of course, JavaScript can access that storage via window.localStorage() and window.webStorage()
- Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your browser name, version, installed plugins and their versions, your operating system, architecture, system time, language and screen resolution.
- Network Scanning - Victim’s browser can be abused to scan ports and hosts with JavaScript.
- Crashing Browsers - Yes! You can crash browsers by flooding them with… stuff.
- Stealing Information - Grab information from the webpage and send it to your server. Simple!
- Redirecting - You can use JavaScript to redirect users to a webpage of your choice.
- Tabnapping - Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is afk and you can sneakily replace the current webpage with a fake one.
- Capturing Screenshots - Thanks to HTML5 again, now you can take a screenshot of a webpage. Blind XSS detection tools have been doing this before it was cool.
- Perform Actions - You are controlling the browser,
answered Apr 1 at 6:04 by Goron, edited Apr 2 at 11:19 by Paul D. Waite
1
So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?
– Sai Kumar
Apr 1 at 17:08
2
It still depends on how the attacker programs it. Basically depending on user events or triggering the code on specific time intervals.
– Goron
Apr 1 at 17:12
12
@SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.
– Philipp
Apr 2 at 8:31
2
For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.
– John Dvorak
Apr 2 at 10:19
2
It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry
– thomasrutter
Apr 2 at 23:53
Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.
As part of a security assessment my company was tasked with trying to access the CEO's personal e-mails.
I managed to get their personal e-mail address through some OSINT. Now, one could go for spear phishing with a custom version of one of the many info-stealer malware, but I prolonged the information gathering phase a little longer.
It turned out the CEO loved boats and they were selling one of theirs on a boat-selling site.
The site seemed pretty amateur; I registered and fooled around a bit. And what did I find?
The site lets you manage your password by prefilling a password field with the current one; spurred on by this, I investigated the site a little bit more.
I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader's browser!
Seems pretty "innocuous", doesn't it? What if you combine it with the bad management of the password?
So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and sent it to a C&C of mine.
Then I instilled a sense of urgency in the CEO by carefully writing an e-mail informing them about my "intention" to buy.
After a day I received the password they used to log in the boats site.
As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).
Long story short, an attack is not a single atomic step, it's made of little conquests. If you give your adversary room for a step, you'll never know what they can do from there.
An XSS is room for the attacker and, as you have seen, quite a bit of it.
answered Apr 2 at 7:15 by Margaret Bloom
Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.
This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as the logged-in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently being attacked.
answered Apr 1 at 4:26 by Steffen Ullrich, edited Apr 3 at 12:39 by Peter Mortensen
"When XSS was first becoming widely known in the web application security community, some professional penetration testers were inclined to regard XSS as a “lame” vulnerability"
Source: Web Application Hacker's Handbook
XSS is command injection on the client side; as the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking, where the attacker uses JavaScript to make the victim transmit session cookies to an attacker-controlled server, and from there the attacker can perform "session riding".
But XSS can also result in complete application takeover. Consider a scenario in which you inject JavaScript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.
answered Apr 1 at 5:54 by Vipul Nair, edited Apr 1 at 9:38 by schroeder♦
1
Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.
– schroeder♦
Apr 1 at 9:38
Absolutely. I didn't write it because I only wanted to add to what Steffen wrote.
– Vipul Nair
Apr 1 at 18:19
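The session-hijacking point made in the answers above (cookies are readable by script when the HttpOnly flag is absent), as an added example that is not part of any answer: it parses Set-Cookie headers and reports which session-like cookies page script could read. The header values and the session-name heuristic are constructed assumptions of this example.

```javascript
// Added example: which cookies can page script (and so injected script) read?
// All header values below are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || '';
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // not a name=value pair
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attrs,
  };
}

// Heuristic for "this cookie probably carries a session" (assumption of this example).
const SESSION_LIKE = /(sess|sid|auth|token)/i;

// One finding per cookie: is it visible to document.cookie, and does it look like a session?
function auditCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => parseSetCookie(h))
    .filter((c) => c !== null)
    .map((c) => ({
      name: c.name,
      scriptReadable: !('httponly' in c.attrs),
      sessionLike: SESSION_LIKE.test(c.name),
    }));
}

// Names of session-like cookies that script on the page can read.
function exposedSessionCookies(setCookieHeaders) {
  return auditCookies(setCookieHeaders)
    .filter((f) => f.scriptReadable && f.sessionLike)
    .map((f) => f.name);
}

// Constructed response headers from a hypothetical site.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/',
  'sid=def456; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/; Max-Age=31536000',
  'auth_token=xyz789; path=/; httponly',
];

console.log(exposedSessionCookies(SAMPLE_SET_COOKIE));
```

HttpOnly only takes the cookie out of script's reach; as the other answers note, injected script can still act inside the victim's logged-in session.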
An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:
- Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.
- Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.
- Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.
- Someone puts some JavaScript in there that makes your site unusable or even crashes browsers. Again, should be obvious why this is bad.
- Someone puts DDOS code in your site to try to take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.
- Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.
- Someone uses it to snoop on your users. Hel-lo, breach of GDPR.
answered Apr 1 at 16:09 by 520
Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.
But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.
answered Apr 1 at 15:30 by Philipp
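The log-viewer case from the answer above, as an added example that is not part of the answer: an access-log line whose User-Agent header carries markup, rendered by a viewer that concatenates fields raw and by one that escapes every field, plus a check that flags fields containing markup. The log line, column choice and function names are constructed for illustration.

```javascript
// Added example: rendering access-log fields in an admin log viewer.
// The log line is constructed sample data in Combined Log Format.
const SAMPLE_LINE =
  '203.0.113.7 - - [01/Apr/2019:15:30:00 +0000] "GET /index.php HTTP/1.1" ' +
  '200 512 "-" "<script>alert(1)</script>"';

// ip ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+) "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"$/;

// Split one log line into named fields; returns null for lines that do not match.
function parseLogLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], request: m[3], status: m[4],
    bytes: m[5], referer: m[6], userAgent: m[7],
  };
}

// Escape the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

const COLUMNS = ['ip', 'time', 'request', 'status', 'userAgent'];

// Not XSS-proof: request-controlled fields become part of the admin page's markup.
function renderRowUnsafe(fields) {
  return '<tr>' + COLUMNS.map((c) => '<td>' + fields[c] + '</td>').join('') + '</tr>';
}

// Hardened: every field is treated as text, whatever it contains.
function renderRowSafe(fields) {
  return '<tr>' + COLUMNS.map((c) => '<td>' + escapeHtml(fields[c]) + '</td>').join('') + '</tr>';
}

// Detection aid: names of the fields that contain angle brackets.
function fieldsWithMarkup(fields) {
  return Object.keys(fields).filter((k) => /[<>]/.test(fields[k]));
}

const sampleFields = parseLogLine(SAMPLE_LINE);
console.log(renderRowSafe(sampleFields));
console.log(fieldsWithMarkup(sampleFields));
```

In a browser-side viewer the same effect comes from assigning each field to `textContent` instead of building HTML strings.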
To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):
Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"
Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."
Answer of the reporter: "Then take a look at my profile page on your website."
The webmaster did this and suddenly the whole website was dead. What happened? The reporter used an XSS vulnerability to insert JavaScript code on his profile page.
The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:
- add a new account with highest rights (for demonstration purposes)
- to rename PHP-files and SQL-tables on the server (the website had an administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)
Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).
Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.
Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?
– Sai Kumar
Apr 3 at 3:53
The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.
– H. Idden
Apr 3 at 7:06
add a comment |
To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):
Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"
Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."
Answer of the reporter: "Then take a look at my profile page on your website."
The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.
The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:
- add a new account with with highest rights (for demonstration purposes)
- to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)
Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).
Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.
Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?
– Sai Kumar
Apr 3 at 3:53
The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.
– H. Idden
Apr 3 at 7:06
add a comment |
To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):
Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"
Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."
Answer of the reporter: "Then take a look at my profile page on your website."
The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.
The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:
- add a new account with with highest rights (for demonstration purposes)
- to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)
Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).
Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.
To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):
Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"
Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."
Answer of the reporter: "Then take a look at my profile page on your website."
The webmaster did this and suddenly the whole website was dead. What happened? The reporter used an XSS vulnerability to insert JavaScript code on his profile page.
The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:
- add a new account with the highest rights (for demonstration purposes)
- rename PHP files and SQL tables on the server (the website had an administration section which allowed this for administration purposes like updates or installing widgets, similar to many CMS systems)
Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in to the hoster/domain registrar/bank and they had no CSRF protection, which wasn't that uncommon 10 years ago).
Also don't forget XSS worms like the MySpace worm Samy that spread over all profile pages and might DDoS your server or harm your users.
answered Apr 2 at 21:24
H. Idden
Thank you. I now clearly understand how XSS can be used to break a website. But how do you rename the PHP files and SQL tables on the server? Can JavaScript be used to rename a file sitting on the server? And what if the file was not within the same directory as the webpage? And can we run SQL queries using JavaScript?
– Sai Kumar
Apr 3 at 3:53
The website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web GUI instead of needing SSH or similar. The JavaScript sent a request similar to the one that tool would send. What files are in danger depends on the capabilities, security and permissions of the administration tool.
– H. Idden
Apr 3 at 7:06
It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.
But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.
edited Apr 1 at 9:49
answered Apr 1 at 8:06
User42
You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.
XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").
If you have one publicly available, it may then be described as:
Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
XSS is a Very Dangerous Vulnerability. Very. It is.
It allows all
your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.
You can then do all kinds of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.
This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).
answered Apr 3 at 14:55
WoJ
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Apr 5 at 8:07