How dangerous is XSS? Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?What is DOM based XSS? And How to prevent it?Difference in Web Language Compilation and ExecutionIs this reflected or DOM-based XSS?Dangers of XSS on the server-side vs client-sideHow dangerous is reflected request query strings?HOW is the malicious URL/payload is delivered to the user on a DOM based XSS attack?How does CORS prevent XSS?Is echoing GET parameters into a script tag reflected or DOM based XSS?Burpsuite - finding xss vulnerabilities in the vaadin frameworkWhat is client side non-DOM XSS?

How do I stop a creek from eroding my steep embankment?

3 doors, three guards, one stone

Should I call the interviewer directly, if HR aren't responding?

Can inflation occur in a positive-sum game currency system such as the Stack Exchange reputation system?

Is the argument below valid?

Can an alien society believe that their star system is the universe?

How to motivate offshore teams and trust them to deliver?

Is it true that "carbohydrates are of no use for the basal metabolic need"?

Is the Standard Deduction better than Itemized when both are the same amount?

Antler Helmet: Can it work?

When is phishing education going too far?

Why does Python start at index -1 (as opposed to 0) when indexing a list from the end?

What would be the ideal power source for a cybernetic eye?

If 'B is more likely given A', then 'A is more likely given B'

Echoing a tail command produces unexpected output?

Should I discuss the type of campaign with my players?

Does surprise arrest existing movement?

Using et al. for a last / senior author rather than for a first author

How can I fade player character when he goes inside or outside of the area?

How to deal with a team lead who never gives me credit?

What are the possible ways to detect skin while classifying diseases?

Why is "Captain Marvel" translated as male in Portugal?

Were Kohanim forbidden from serving in King David's army?

How widely used is the term Treppenwitz? Is it something that most Germans know?



How dangerous is XSS?



Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?What is DOM based XSS? And How to prevent it?Difference in Web Language Compilation and ExecutionIs this reflected or DOM-based XSS?Dangers of XSS on the server-side vs client-sideHow dangerous is reflected request query strings?HOW is the malicious URL/payload is delivered to the user on a DOM based XSS attack?How does CORS prevent XSS?Is echoing GET parameters into a script tag reflected or DOM based XSS?Burpsuite - finding xss vulnerabilities in the vaadin frameworkWhat is client side non-DOM XSS?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








36















I am a software engineer and have been watching a lot of videos about XSS.



But I fail to understand how is it dangerous if it runs on the client side and does not execute on the server side which contains the databases, and many important files.










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Apr 5 at 8:07

















36















I am a software engineer and have been watching a lot of videos about XSS.



But I fail to understand how is it dangerous if it runs on the client side and does not execute on the server side which contains the databases, and many important files.










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Apr 5 at 8:07













36












36








36


24






I am a software engineer and have been watching a lot of videos about XSS.



But I fail to understand how is it dangerous if it runs on the client side and does not execute on the server side which contains the databases, and many important files.










share|improve this question
















I am a software engineer and have been watching a lot of videos about XSS.



But I fail to understand how is it dangerous if it runs on the client side and does not execute on the server side which contains the databases, and many important files.







web-application xss vulnerability






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 3 at 12:44









Peter Mortensen

71249




71249










asked Apr 1 at 3:26









Sai KumarSai Kumar

193125




193125












  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Apr 5 at 8:07

















  • Comments are not for extended discussion; this conversation has been moved to chat.

    – Rory Alsop
    Apr 5 at 8:07
















Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Apr 5 at 8:07





Comments are not for extended discussion; this conversation has been moved to chat.

– Rory Alsop
Apr 5 at 8:07










9 Answers
9






active

oldest

votes


















91














Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





  • Ad-Jacking - If you manage to get stored XSS on a website, just
    inject your ads in it to make money ;)


  • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

  • Session Hijacking - HTTP cookies can be accessed
    by JavaScript if the HTTP ONLY flag is not present in the cookies.


  • Content Spoofing - JavaScript has full access to client side code of
    a web app and hence you can use it show/modify desired content.


  • Credential Harvesting - The most fun part. You can use a fancy popup
    to harvest credentials. WiFi firmware has been updated, re-enter your
    credentials to authenticate.


  • Forced Downloads - So the victim isn’t
    downloading your malicious flash player from absolutely-safe.com?
    Don’t worry, you will have more luck trying to force a download from
    the trusted website your victim is visiting.


  • Crypto Mining - Yes, you
    can use the victim’s CPU to mine some bitcoin for you!


  • Bypassing CSRF
    protection - You can make POST requests with JavaScript, you can
    collect and submit a CSRF token with JavaScript, what else do you
    need?


  • Keylogging - You know what this is.


  • Recording Audio - It
    requires authorization from the user but you access victim’s
    microphone. Thanks to HTML5 and JavaScript.


  • Taking pictures - It
    requires authorization from the user but you access victim’s webcam.
    Thanks to HTML5 and JavaScript.


  • Geo-location - It requires
    authorization from the user but you access victim’s Geo-location.
    Thanks to HTML5 and JavaScript. Works better with devices with GPS.


  • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
    storage. Now a website can store data in the browser for later use
    and of course, JavaScript can access that storage via
    window.localStorage() and window.webStorage() Browser & System


  • Fingerprinting - JavaScript makes it a piece of cake to find your
    browser name, version, installed plugins and their versions, your
    operating system, architecture, system time, language and screen
    resolution.


  • Network Scanning - Victim’s browser can be abused to scan
    ports and hosts with JavaScript.


  • Crashing Browsers - Yes! You can
    crash browser with flooding them with….stuff.


  • Stealing Information -
    Grab information from the webpage and send it to your server. Simple!


  • Redirecting - You can use javascript to redirect users to a webpage
    of your choice.


  • Tabnapping - Just a fancy version of redirection.
    For example, if no keyboard or mouse events have been received for
    more than a minute, it could mean that the user is afk and you can
    sneakily replace the current webpage with a fake one.


  • Capturing
    Screenshots - Thanks to HTML5 again, now you can take screenshot of a
    webpage. Blind XSS detection tools have been doing this before it was
    cool.


  • Perform Actions - You are controlling the browser,







share|improve this answer




















  • 1





    So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

    – Sai Kumar
    Apr 1 at 17:08







  • 2





    It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

    – Goron
    Apr 1 at 17:12






  • 12





    @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

    – Philipp
    Apr 2 at 8:31






  • 2





    For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

    – John Dvorak
    Apr 2 at 10:19






  • 2





    It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

    – thomasrutter
    Apr 2 at 23:53



















32














Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.



As part of a security assessment my company was tasked with trying to access the CEO personal e-mails.

I managed to get its personal e-mail address through some OSint, now one could go for a spear phishing with a custom version of one of the many info stealer malware but I prolonged the information gathering phase a little longer.



It turned out the CEO loved boats and it was selling one of theirs in a boat-selling site.

The site seems pretty amateur, I registered and fooled around a bit. And what have I found?

The site lets you manage your password prefilling a password field with the current one, spurred on by this I investigate the site a little bit more.

I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader browser!



Seem pretty "innocuous", doesn't it? What if you combine it with the badly management of the password?



So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and send it to a C&C of mine.

Then instilled a sense of urge to the CEO by carefully writing an e-mail informing them about my "intention" to buy.



After a day I received the password they used to log in the boats site.

As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).



Long story short, an attack is not a single atomic step, it's made of little conquers. If you give your adversary room for a step, you'll never know what they can do from there.
An XSS is room for the attacker, as you have seen quite a bit of it.






share|improve this answer






























    23














    Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.



    This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as logged in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently attacked.






    share|improve this answer
































      10















      When XSS was first becoming widely known in the web application
      security community, some professional penetration testers were
      inclined to regard XSS as a “lame” vulnerability




      source: Web Application Hackers Handbook



      XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



      But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.






      share|improve this answer




















      • 1





        Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

        – schroeder
        Apr 1 at 9:38











      • Absolutely.I didnt write it because i only wanted to add what steffen wrote.

        – Vipul Nair
        Apr 1 at 18:19


















      9














      An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



      • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

      • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

      • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

      • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

      • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

      • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

      • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





      share|improve this answer






























        7














        Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



        But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.






        share|improve this answer






























          4














          To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):



          Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"



          Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."



          Answer of the reporter: "Then take a look at my profile page on your website."



          The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.



          The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:



          1. add a new account with with highest rights (for demonstration purposes)

          2. to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)

          Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).



          Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.






          share|improve this answer























          • Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

            – Sai Kumar
            Apr 3 at 3:53












          • The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

            – H. Idden
            Apr 3 at 7:06


















          2














          It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



          But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






          share|improve this answer
































            0














            You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.



            XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").



            If you have one publicly available, it may then be described as




            Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
            XSS is a Very Dangerous Vulnerability. Very. It is.



            It allows all
            your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
            ͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.




            You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.



            This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).






            share|improve this answer























              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "162"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206520%2fhow-dangerous-is-xss%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              9 Answers
              9






              active

              oldest

              votes








              9 Answers
              9






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              91














              Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





              • Ad-Jacking - If you manage to get stored XSS on a website, just
                inject your ads in it to make money ;)


              • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

              • Session Hijacking - HTTP cookies can be accessed
                by JavaScript if the HTTP ONLY flag is not present in the cookies.


              • Content Spoofing - JavaScript has full access to client side code of
                a web app and hence you can use it show/modify desired content.


              • Credential Harvesting - The most fun part. You can use a fancy popup
                to harvest credentials. WiFi firmware has been updated, re-enter your
                credentials to authenticate.


              • Forced Downloads - So the victim isn’t
                downloading your malicious flash player from absolutely-safe.com?
                Don’t worry, you will have more luck trying to force a download from
                the trusted website your victim is visiting.


              • Crypto Mining - Yes, you
                can use the victim’s CPU to mine some bitcoin for you!


              • Bypassing CSRF
                protection - You can make POST requests with JavaScript, you can
                collect and submit a CSRF token with JavaScript, what else do you
                need?


              • Keylogging - You know what this is.


              • Recording Audio - It
                requires authorization from the user but you access victim’s
                microphone. Thanks to HTML5 and JavaScript.


              • Taking pictures - It
                requires authorization from the user but you access victim’s webcam.
                Thanks to HTML5 and JavaScript.


              • Geo-location - It requires
                authorization from the user but you access victim’s Geo-location.
                Thanks to HTML5 and JavaScript. Works better with devices with GPS.


              • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
                storage. Now a website can store data in the browser for later use
                and of course, JavaScript can access that storage via
                window.localStorage() and window.webStorage() Browser & System


              • Fingerprinting - JavaScript makes it a piece of cake to find your
                browser name, version, installed plugins and their versions, your
                operating system, architecture, system time, language and screen
                resolution.


              • Network Scanning - Victim’s browser can be abused to scan
                ports and hosts with JavaScript.


              • Crashing Browsers - Yes! You can
                crash browser with flooding them with….stuff.


              • Stealing Information -
                Grab information from the webpage and send it to your server. Simple!


              • Redirecting - You can use javascript to redirect users to a webpage
                of your choice.


              • Tabnapping - Just a fancy version of redirection.
                For example, if no keyboard or mouse events have been received for
                more than a minute, it could mean that the user is afk and you can
                sneakily replace the current webpage with a fake one.


              • Capturing
                Screenshots - Thanks to HTML5 again, now you can take screenshot of a
                webpage. Blind XSS detection tools have been doing this before it was
                cool.


              • Perform Actions - You are controlling the browser,







              share|improve this answer




















              • 1





                So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

                – Sai Kumar
                Apr 1 at 17:08







              • 2





                It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

                – Goron
                Apr 1 at 17:12






              • 12





                @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

                – Philipp
                Apr 2 at 8:31






              • 2





                For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

                – John Dvorak
                Apr 2 at 10:19






              • 2





                It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

                – thomasrutter
                Apr 2 at 23:53
















              91














              Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





              • Ad-Jacking - If you manage to get stored XSS on a website, just
                inject your ads in it to make money ;)


              • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

              • Session Hijacking - HTTP cookies can be accessed
                by JavaScript if the HTTP ONLY flag is not present in the cookies.


              • Content Spoofing - JavaScript has full access to client side code of
                a web app and hence you can use it show/modify desired content.


              • Credential Harvesting - The most fun part. You can use a fancy popup
                to harvest credentials. WiFi firmware has been updated, re-enter your
                credentials to authenticate.


              • Forced Downloads - So the victim isn’t
                downloading your malicious flash player from absolutely-safe.com?
                Don’t worry, you will have more luck trying to force a download from
                the trusted website your victim is visiting.


              • Crypto Mining - Yes, you
                can use the victim’s CPU to mine some bitcoin for you!


              • Bypassing CSRF
                protection - You can make POST requests with JavaScript, you can
                collect and submit a CSRF token with JavaScript, what else do you
                need?


              • Keylogging - You know what this is.


              • Recording Audio - It
                requires authorization from the user but you access victim’s
                microphone. Thanks to HTML5 and JavaScript.


              • Taking pictures - It
                requires authorization from the user but you access victim’s webcam.
                Thanks to HTML5 and JavaScript.


              • Geo-location - It requires
                authorization from the user but you access victim’s Geo-location.
                Thanks to HTML5 and JavaScript. Works better with devices with GPS.


              • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
                storage. Now a website can store data in the browser for later use
                and of course, JavaScript can access that storage via
                window.localStorage() and window.webStorage() Browser & System


              • Fingerprinting - JavaScript makes it a piece of cake to find your
                browser name, version, installed plugins and their versions, your
                operating system, architecture, system time, language and screen
                resolution.


              • Network Scanning - Victim’s browser can be abused to scan
                ports and hosts with JavaScript.


              • Crashing Browsers - Yes! You can
                crash browser with flooding them with….stuff.


              • Stealing Information -
                Grab information from the webpage and send it to your server. Simple!


              • Redirecting - You can use javascript to redirect users to a webpage
                of your choice.


              • Tabnapping - Just a fancy version of redirection.
                For example, if no keyboard or mouse events have been received for
                more than a minute, it could mean that the user is afk and you can
                sneakily replace the current webpage with a fake one.


              • Capturing
                Screenshots - Thanks to HTML5 again, now you can take screenshot of a
                webpage. Blind XSS detection tools have been doing this before it was
                cool.


              • Perform Actions - You are controlling the browser,







              share|improve this answer




















              • 1





                So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

                – Sai Kumar
                Apr 1 at 17:08







              • 2





                It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

                – Goron
                Apr 1 at 17:12






              • 12





                @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

                – Philipp
                Apr 2 at 8:31






              • 2





                For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

                – John Dvorak
                Apr 2 at 10:19






              • 2





                It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

                – thomasrutter
                Apr 2 at 23:53














              91












              91








              91







              Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





              • Ad-Jacking - If you manage to get stored XSS on a website, just
                inject your ads in it to make money ;)


              • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

              • Session Hijacking - HTTP cookies can be accessed
                by JavaScript if the HTTP ONLY flag is not present in the cookies.


              • Content Spoofing - JavaScript has full access to client side code of
                a web app and hence you can use it show/modify desired content.


              • Credential Harvesting - The most fun part. You can use a fancy popup
                to harvest credentials. WiFi firmware has been updated, re-enter your
                credentials to authenticate.


              • Forced Downloads - So the victim isn’t
                downloading your malicious flash player from absolutely-safe.com?
                Don’t worry, you will have more luck trying to force a download from
                the trusted website your victim is visiting.


              • Crypto Mining - Yes, you
                can use the victim’s CPU to mine some bitcoin for you!


              • Bypassing CSRF
                protection - You can make POST requests with JavaScript, you can
                collect and submit a CSRF token with JavaScript, what else do you
                need?


              • Keylogging - You know what this is.


              • Recording Audio - It
                requires authorization from the user but you access victim’s
                microphone. Thanks to HTML5 and JavaScript.


              • Taking pictures - It
                requires authorization from the user but you access victim’s webcam.
                Thanks to HTML5 and JavaScript.


              • Geo-location - It requires
                authorization from the user but you access victim’s Geo-location.
                Thanks to HTML5 and JavaScript. Works better with devices with GPS.


              • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
                storage. Now a website can store data in the browser for later use
                and of course, JavaScript can access that storage via
                window.localStorage() and window.webStorage() Browser & System


              • Fingerprinting - JavaScript makes it a piece of cake to find your
                browser name, version, installed plugins and their versions, your
                operating system, architecture, system time, language and screen
                resolution.


              • Network Scanning - Victim’s browser can be abused to scan
                ports and hosts with JavaScript.


              • Crashing Browsers - Yes! You can
                crash browser with flooding them with….stuff.


              • Stealing Information -
                Grab information from the webpage and send it to your server. Simple!


              • Redirecting - You can use javascript to redirect users to a webpage
                of your choice.


              • Tabnapping - Just a fancy version of redirection.
                For example, if no keyboard or mouse events have been received for
                more than a minute, it could mean that the user is afk and you can
                sneakily replace the current webpage with a fake one.


              • Capturing
                Screenshots - Thanks to HTML5 again, now you can take screenshot of a
                webpage. Blind XSS detection tools have been doing this before it was
                cool.


              • Perform Actions - You are controlling the browser,







              share|improve this answer















              Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





              • Ad-Jacking - If you manage to get stored XSS on a website, just
                inject your ads in it to make money ;)


              • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

              • Session Hijacking - HTTP cookies can be accessed
                by JavaScript if the HTTP ONLY flag is not present in the cookies.


              • Content Spoofing - JavaScript has full access to client side code of
                a web app and hence you can use it show/modify desired content.


              • Credential Harvesting - The most fun part. You can use a fancy popup
                to harvest credentials. WiFi firmware has been updated, re-enter your
                credentials to authenticate.


              • Forced Downloads - So the victim isn’t
                downloading your malicious flash player from absolutely-safe.com?
                Don’t worry, you will have more luck trying to force a download from
                the trusted website your victim is visiting.


              • Crypto Mining - Yes, you
                can use the victim’s CPU to mine some bitcoin for you!


              • Bypassing CSRF
                protection - You can make POST requests with JavaScript, you can
                collect and submit a CSRF token with JavaScript, what else do you
                need?


              • Keylogging - You know what this is.


              • Recording Audio - It
                requires authorization from the user but you access victim’s
                microphone. Thanks to HTML5 and JavaScript.


              • Taking pictures - It
                requires authorization from the user but you access victim’s webcam.
                Thanks to HTML5 and JavaScript.


              • Geo-location - It requires
                authorization from the user but you access victim’s Geo-location.
                Thanks to HTML5 and JavaScript. Works better with devices with GPS.


              • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
                storage. Now a website can store data in the browser for later use
                and of course, JavaScript can access that storage via
                window.localStorage() and window.webStorage() Browser & System


              • Fingerprinting - JavaScript makes it a piece of cake to find your
                browser name, version, installed plugins and their versions, your
                operating system, architecture, system time, language and screen
                resolution.


              • Network Scanning - Victim’s browser can be abused to scan
                ports and hosts with JavaScript.


              • Crashing Browsers - Yes! You can
                crash browser with flooding them with….stuff.


              • Stealing Information -
                Grab information from the webpage and send it to your server. Simple!


              • Redirecting - You can use javascript to redirect users to a webpage
                of your choice.


              • Tabnapping - Just a fancy version of redirection.
                For example, if no keyboard or mouse events have been received for
                more than a minute, it could mean that the user is afk and you can
                sneakily replace the current webpage with a fake one.


              • Capturing
                Screenshots - Thanks to HTML5 again, now you can take screenshot of a
                webpage. Blind XSS detection tools have been doing this before it was
                cool.


              • Perform Actions - You are controlling the browser,








              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Apr 2 at 11:19









              Paul D. Waite

              1033




              1033










              answered Apr 1 at 6:04









              GoronGoron

              830112




              830112







              • 1





                So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

                – Sai Kumar
                Apr 1 at 17:08







              • 2





                It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

                – Goron
                Apr 1 at 17:12






              • 12





                @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

                – Philipp
                Apr 2 at 8:31






              • 2





                For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

                – John Dvorak
                Apr 2 at 10:19






              • 2





                It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

                – thomasrutter
                Apr 2 at 23:53













              • 1





                So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

                – Sai Kumar
                Apr 1 at 17:08







              • 2





                It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

                – Goron
                Apr 1 at 17:12






              • 12





                @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

                – Philipp
                Apr 2 at 8:31






              • 2





                For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

                – John Dvorak
                Apr 2 at 10:19






              • 2





                It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

                – thomasrutter
                Apr 2 at 23:53








              1




              1





              So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

              – Sai Kumar
              Apr 1 at 17:08






              So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

              – Sai Kumar
              Apr 1 at 17:08





              2




              2





              It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

              – Goron
              Apr 1 at 17:12





              It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

              – Goron
              Apr 1 at 17:12




              12




              12





              @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

              – Philipp
              Apr 2 at 8:31





              @SaiKumar In general, an XSS vulnerability can do anything with the client you as a website administrator can do with the client.

              – Philipp
              Apr 2 at 8:31




              2




              2





              For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

              – John Dvorak
              Apr 2 at 10:19





              For the points with "requires authorization" - it must be noted that if the user already gave that permission to the webpage, you have free rein and don't need to ask.

              – John Dvorak
              Apr 2 at 10:19




              2




              2





              It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

              – thomasrutter
              Apr 2 at 23:53






              It's worth mentioning for the entries labeled "it requires authorization from the user" - the user is likely to authorize because it's a site they trust, and the XSS on that site gets it for free if that site is already authorized. Edit: someone else already partly said this, sorry

              – thomasrutter
              Apr 2 at 23:53














              32














              Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.



              As part of a security assessment my company was tasked with trying to access the CEO personal e-mails.

              I managed to get its personal e-mail address through some OSint, now one could go for a spear phishing with a custom version of one of the many info stealer malware but I prolonged the information gathering phase a little longer.



              It turned out the CEO loved boats and it was selling one of theirs in a boat-selling site.

              The site seems pretty amateur, I registered and fooled around a bit. And what have I found?

              The site lets you manage your password prefilling a password field with the current one, spurred on by this I investigate the site a little bit more.

              I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader browser!



              Seem pretty "innocuous", doesn't it? What if you combine it with the badly management of the password?



              So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and send it to a C&C of mine.

              Then instilled a sense of urge to the CEO by carefully writing an e-mail informing them about my "intention" to buy.



              After a day I received the password they used to log in the boats site.

              As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).



              Long story short, an attack is not a single atomic step, it's made of little conquers. If you give your adversary room for a step, you'll never know what they can do from there.
              An XSS is room for the attacker, as you have seen quite a bit of it.






              share|improve this answer



























                32














                Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.



                As part of a security assessment my company was tasked with trying to access the CEO personal e-mails.

                I managed to get its personal e-mail address through some OSint, now one could go for a spear phishing with a custom version of one of the many info stealer malware but I prolonged the information gathering phase a little longer.



                It turned out the CEO loved boats and it was selling one of theirs in a boat-selling site.

                The site seems pretty amateur, I registered and fooled around a bit. And what have I found?

                The site lets you manage your password prefilling a password field with the current one, spurred on by this I investigate the site a little bit more.

                I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader browser!



                Seem pretty "innocuous", doesn't it? What if you combine it with the badly management of the password?



                So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and send it to a C&C of mine.

                Then instilled a sense of urge to the CEO by carefully writing an e-mail informing them about my "intention" to buy.



                After a day I received the password they used to log in the boats site.

                As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).



                Long story short, an attack is not a single atomic step, it's made of little conquers. If you give your adversary room for a step, you'll never know what they can do from there.
                An XSS is room for the attacker, as you have seen quite a bit of it.






                share|improve this answer

























                  32












                  32








                  32







                  Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.



                  As part of a security assessment my company was tasked with trying to access the CEO personal e-mails.

                  I managed to get its personal e-mail address through some OSint, now one could go for a spear phishing with a custom version of one of the many info stealer malware but I prolonged the information gathering phase a little longer.



                  It turned out the CEO loved boats and it was selling one of theirs in a boat-selling site.

                  The site seems pretty amateur, I registered and fooled around a bit. And what have I found?

                  The site lets you manage your password prefilling a password field with the current one, spurred on by this I investigate the site a little bit more.

                  I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader browser!



                  Seem pretty "innocuous", doesn't it? What if you combine it with the badly management of the password?



                  So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and send it to a C&C of mine.

                  Then instilled a sense of urge to the CEO by carefully writing an e-mail informing them about my "intention" to buy.



                  After a day I received the password they used to log in the boats site.

                  As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).



                  Long story short, an attack is not a single atomic step, it's made of little conquers. If you give your adversary room for a step, you'll never know what they can do from there.
                  An XSS is room for the attacker, as you have seen quite a bit of it.






                  share|improve this answer













                  Maybe a real life example would help to understand how dangerous an apparently minor security flaw, like XSS, can be.



                  As part of a security assessment my company was tasked with trying to access the CEO personal e-mails.

                  I managed to get its personal e-mail address through some OSint, now one could go for a spear phishing with a custom version of one of the many info stealer malware but I prolonged the information gathering phase a little longer.



                  It turned out the CEO loved boats and it was selling one of theirs in a boat-selling site.

                  The site seems pretty amateur, I registered and fooled around a bit. And what have I found?

                  The site lets you manage your password prefilling a password field with the current one, spurred on by this I investigate the site a little bit more.

                  I came across a stored XSS vulnerability: when you answer an offer you can put arbitrary HTML code, including scripting, in it and it will be executed in the reader browser!



                  Seem pretty "innocuous", doesn't it? What if you combine it with the badly management of the password?



                  So I crafted a script that fetched the password page (it's an intra-domain request, SOP is satisfied), extracted the password and the client information (UA, OS and similar) and send it to a C&C of mine.

                  Then instilled a sense of urge to the CEO by carefully writing an e-mail informing them about my "intention" to buy.



                  After a day I received the password they used to log in the boats site.

                  As expected it was the same password used for their e-mail (there was no 2FA, I can't remember if it was a thing yet) and I was able to access the webmail (the client information was used to simulate a legitimate access, in case it was necessary to keep a low profile).



                  Long story short, an attack is not a single atomic step, it's made of little conquers. If you give your adversary room for a step, you'll never know what they can do from there.
                  An XSS is room for the attacker, as you have seen quite a bit of it.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 2 at 7:15









                  Margaret BloomMargaret Bloom

                  685510




                  685510





















                      23














                      Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.



                      This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as logged in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently attacked.






                      share|improve this answer





























                        23














                        Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.



                        This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as logged in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently attacked.






                        share|improve this answer



























                          23












                          23








                          23







                          Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.



                          This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as logged in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently attacked.






                          share|improve this answer















                          Attacker-controlled code, which runs within the context of the web application on the client side, has full control over what the client does and can also read the DOM of the HTML page, etc.



                          This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as logged in client (like buy something, send bomb threats in a mail client, etc.). Note that this kind of activity can often be hidden from the client so that he/she does not realize that he/she is currently attacked.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Apr 3 at 12:39









                          Peter Mortensen

                          71249




                          71249










                          answered Apr 1 at 4:26









                          Steffen UllrichSteffen Ullrich

                          121k16209277




                          121k16209277





















                              10















                              When XSS was first becoming widely known in the web application
                              security community, some professional penetration testers were
                              inclined to regard XSS as a “lame” vulnerability




                              source: Web Application Hackers Handbook



                              XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



                              But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.






                              share|improve this answer




















                              • 1





                                Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                                – schroeder
                                Apr 1 at 9:38











                              • Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                                – Vipul Nair
                                Apr 1 at 18:19















                              10















                              When XSS was first becoming widely known in the web application
                              security community, some professional penetration testers were
                              inclined to regard XSS as a “lame” vulnerability




                              source: Web Application Hackers Handbook



                              XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



                              But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.






                              share|improve this answer




















                              • 1





                                Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                                – schroeder
                                Apr 1 at 9:38











                              • Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                                – Vipul Nair
                                Apr 1 at 18:19













                              10












                              10








                              10








                              When XSS was first becoming widely known in the web application
                              security community, some professional penetration testers were
                              inclined to regard XSS as a “lame” vulnerability




                              source: Web Application Hackers Handbook



                              XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



                              But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.






                              share|improve this answer
















                              When XSS was first becoming widely known in the web application
                              security community, some professional penetration testers were
                              inclined to regard XSS as a “lame” vulnerability




                              source: Web Application Hackers Handbook



                              XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



                              But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.







                              share|improve this answer














                              share|improve this answer



                              share|improve this answer








                              edited Apr 1 at 9:38









                              schroeder

                              79.3k30176213




                              79.3k30176213










                              answered Apr 1 at 5:54









                              Vipul NairVipul Nair

                              308114




                              308114







                              • 1





                                Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                                – schroeder
                                Apr 1 at 9:38











                              • Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                                – Vipul Nair
                                Apr 1 at 18:19












                              • 1





                                Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                                – schroeder
                                Apr 1 at 9:38











                              • Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                                – Vipul Nair
                                Apr 1 at 18:19







                              1




                              1





                              Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                              – schroeder
                              Apr 1 at 9:38





                              Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

                              – schroeder
                              Apr 1 at 9:38













                              Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                              – Vipul Nair
                              Apr 1 at 18:19





                              Absolutely.I didnt write it because i only wanted to add what steffen wrote.

                              – Vipul Nair
                              Apr 1 at 18:19











                              9














                              An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



                              • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

                              • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

                              • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

                              • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

                              • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

                              • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

                              • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





                              share|improve this answer



























                                9














                                An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



                                • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

                                • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

                                • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

                                • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

                                • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

                                • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

                                • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





                                share|improve this answer

























                                  9












                                  9








                                  9







                                  An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



                                  • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

                                  • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

                                  • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

                                  • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

                                  • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

                                  • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

                                  • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





                                  share|improve this answer













                                  An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



                                  • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

                                  • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

                                  • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

                                  • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

                                  • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

                                  • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

                                  • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.






                                  share|improve this answer












                                  share|improve this answer



                                  share|improve this answer










                                  answered Apr 1 at 16:09









                                  520520

                                  51524




                                  51524





















                                      7














                                      Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



                                      But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.






                                      share|improve this answer



























                                        7














                                        Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



                                        But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.






                                        share|improve this answer

























                                          7












                                          7








                                          7







                                          Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



                                          But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.






                                          share|improve this answer













                                          Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



                                          But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.







                                          share|improve this answer












                                          share|improve this answer



                                          share|improve this answer










                                          answered Apr 1 at 15:30









                                          PhilippPhilipp

                                          45.3k8116142




                                          45.3k8116142





















                                              4














                                              To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):



                                              Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"



                                              Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."



                                              Answer of the reporter: "Then take a look at my profile page on your website."



                                              The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.



                                              The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:



                                              1. add a new account with with highest rights (for demonstration purposes)

                                              2. to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)

                                              Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).



                                              Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.






                                              share|improve this answer























                                              • Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                                – Sai Kumar
                                                Apr 3 at 3:53












                                              • The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                                – H. Idden
                                                Apr 3 at 7:06















                                              4














                                              To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):



                                              Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"



                                              Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."



                                              Answer of the reporter: "Then take a look at my profile page on your website."



                                              The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.



                                              The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:



                                              1. add a new account with with highest rights (for demonstration purposes)

                                              2. to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)

                                              Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).



                                              Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.






                                              share|improve this answer























                                              • Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                                – Sai Kumar
                                                Apr 3 at 3:53












                                              • The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                                – H. Idden
                                                Apr 3 at 7:06













                                              4












                                              4








                                              4







                                              To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):



                                              Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"



                                              Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."



                                              Answer of the reporter: "Then take a look at my profile page on your website."



                                              The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.



                                              The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:



                                              1. add a new account with with highest rights (for demonstration purposes)

                                              2. to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)

                                              Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).



                                              Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.






                                              share|improve this answer













                                              To give you a real life example where XSS was used to directly take over the server in an incident about 10 years ago (although I have forgotten the name of the (small/unimportant) website and I doubt it exists anymore):



                                              Report to webmaster: "There is XSS vulnerability on your website. You should fix this. How should I send you the details?"



                                              Answer of the wannabe webmaster: "Show me how you would misuse this. My server is super secure! Try it if you want but you will have no chance."



                                              Answer of the reporter: "Then take a look at my profile page on your website."



                                              The webmaster did this and suddenly the whole website was dead. What happened? The reporter used a XSS vulnerability to insert JavaScript code on his profile page.



                                              The JavaScript code (running in the browser and session of the webmaster) sent requests to the server to:



                                              1. add a new account with with highest rights (for demonstration purposes)

                                              2. to rename PHP-files and SQL-tables on the server (the website had a administration section which allowed this for administration purposes like updates or installing widgets similar to many CMS-systems)

                                              Additional damage could have been done by sending a request to the hosting company to cancel the subscription of the server and of the domain and transfer money from his banking account (provided the webmaster was logged in the hoster/domain registrar/bank and they had no CSRF-protection which wasn't that uncommon 10 years ago).



                                              Also don't forget XSS-worms like the MySpace-worm Samy that spread over all profile pages and might DDOS your server or harm your users.







                                              share|improve this answer












                                              share|improve this answer



                                              share|improve this answer










                                              answered Apr 2 at 21:24









                                              H. IddenH. Idden

                                              2,7841715




                                              2,7841715












                                              • Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                                – Sai Kumar
                                                Apr 3 at 3:53












                                              • The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                                – H. Idden
                                                Apr 3 at 7:06

















                                              • Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                                – Sai Kumar
                                                Apr 3 at 3:53












                                              • The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                                – H. Idden
                                                Apr 3 at 7:06
















                                              Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                              – Sai Kumar
                                              Apr 3 at 3:53






                                              Thank you. I now clearly understood how can xss be used to break a website. But how do you rename the php files and sql tables on the server? can javascript be used to rename a file sitting on the server? and what if the file was not within the same directory as the webpage? and can we run sql queries using javascript?

                                              – Sai Kumar
                                              Apr 3 at 3:53














                                              The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                              – H. Idden
                                              Apr 3 at 7:06





                                              The Website had a web administration tool similar to phpMyAdmin which allows editing SQL tables and PHP files with a web gui instead of needing SSH or similar. The JavaScript sent a request similar as the one that tool would do. What files are in danger depends on the capabilities, security and permissions of the administration tool.

                                              – H. Idden
                                              Apr 3 at 7:06











                                              2














                                              It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



                                              But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






                                              share|improve this answer





























                                                2














                                                It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



                                                But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






                                                share|improve this answer



























                                                  2












                                                  2








                                                  2







                                                  It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



                                                  But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






                                                  share|improve this answer















                                                  It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



                                                  But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.







                                                  share|improve this answer














                                                  share|improve this answer



                                                  share|improve this answer








                                                  edited Apr 1 at 9:49

























                                                  answered Apr 1 at 8:06









                                                  User42User42

                                                  1974




                                                  1974





















                                                      0














                                                      You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.



                                                      XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").



                                                      If you have one publicly available, it may then be described as




                                                      Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
                                                      XSS is a Very Dangerous Vulnerability. Very. It is.



                                                      It allows all
                                                      your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
                                                      ͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.




                                                      You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.



                                                      This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).






                                                      share|improve this answer



























                                                        0














                                                        You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.



                                                        XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").



                                                        If you have one publicly available, it may then be described as




                                                        Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
                                                        XSS is a Very Dangerous Vulnerability. Very. It is.



                                                        It allows all
                                                        your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
                                                        ͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.




                                                        You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.



                                                        This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).






                                                        share|improve this answer

























                                                          0












                                                          0








                                                          0







                                                          You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.



                                                          XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").



                                                          If you have one publicly available, it may then be described as




                                                          Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
                                                          XSS is a Very Dangerous Vulnerability. Very. It is.



                                                          It allows all
                                                          your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
                                                          ͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.




                                                          You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.



                                                          This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).






                                                          share|improve this answer













                                                          You have from other answers a very good list of technical reasons why XSS is a problem. I will give another perspective.



                                                          XSS is a vulnerability which is quite easy to bring into your code, and is discoverable by scanners. This is probably one of the reasons why it is relatively well known to the "general public", including journalists (in the sense of "I heard about that").



                                                          If you have one publicly available, it may then be described as




                                                          Sai Kumar LLC has an extremely vulnerable site, because it has an XSS.
                                                          XSS is a Very Dangerous Vulnerability. Very. It is.



                                                          It allows all
                                                          your data to be stolen. It does. The͟ ̨da҉t͘a̵ ͢haś ̴al͞r̀ead́y
                                                          ͠b̷e̷e̶n̨ s͝t͜o̢l͝e͜n. Įt̨ ̷ha̵s.




                                                          You can then do all kind of belly dancing explaining that it is not the vulnerability, the erratum will be posted in font 3 pt on page 74, grayed out.



                                                          This is why I systematically raise the CVSS of XSS findings on my public web sites (when they are revealed by a pentest, scan or other tests).







                                                          share|improve this answer












                                                          share|improve this answer



                                                          share|improve this answer










                                                          answered Apr 3 at 14:55









                                                          WoJWoJ

                                                          7,22312544




                                                          7,22312544



























                                                              draft saved

                                                              draft discarded
















































                                                              Thanks for contributing an answer to Information Security Stack Exchange!


                                                              • Please be sure to answer the question. Provide details and share your research!

                                                              But avoid


                                                              • Asking for help, clarification, or responding to other answers.

                                                              • Making statements based on opinion; back them up with references or personal experience.

                                                              To learn more, see our tips on writing great answers.




                                                              draft saved


                                                              draft discarded














                                                              StackExchange.ready(
                                                              function ()
                                                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206520%2fhow-dangerous-is-xss%23new-answer', 'question_page');

                                                              );

                                                              Post as a guest















                                                              Required, but never shown





















































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown

































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown







                                                              Popular posts from this blog

                                                              Adding axes to figuresAdding axes labels to LaTeX figuresLaTeX equivalent of ConTeXt buffersRotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?TikZ scaling graphic and adjust node position and keep font sizeNumerical conditional within tikz keys?adding axes to shapesAlign axes across subfiguresAdding figures with a certain orderLine up nested tikz enviroments or how to get rid of themAdding axes labels to LaTeX figures

                                                              Tähtien Talli Jäsenet | Lähteet | NavigointivalikkoSuomen Hippos – Tähtien Talli

                                                              Do these cracks on my tires look bad? The Next CEO of Stack OverflowDry rot tire should I replace?Having to replace tiresFishtailed so easily? Bad tires? ABS?Filling the tires with something other than air, to avoid puncture hassles?Used Michelin tires safe to install?Do these tyre cracks necessitate replacement?Rumbling noise: tires or mechanicalIs it possible to fix noisy feathered tires?Are bad winter tires still better than summer tires in winter?Torque converter failure - Related to replacing only 2 tires?Why use snow tires on all 4 wheels on 2-wheel-drive cars?