XSS Exploitation

Learn how to exploit the three main types of XSS vulnerabilities with the OWASP Juice Shop.

Overview

Considering the different types of XSS attacks we’ve discussed, it’s fair to assume that the overall process of finding such vulnerabilities is not all that difficult. Despite modern browsers and frameworks having simplified web application development, sometimes a developer has to actually make an effort to add security bugs to their application. Nevertheless, it’s still quite important to know how these vulnerabilities are exploited before delegating the task to an automated tool or service.

Exploiting XSS vulnerabilities

Websites are rendered on the browser (alongside site business logic) as a combination of HTML, CSS, and JavaScript. This means that as long as the browser trusts the sources of the code, JavaScript especially, it will have no problem in executing it.

JavaScript is largely just like any other programming language, although with a few eccentricities. The same goes for HTML. As such, we can use the <script></script> tags to probe for basic vulnerabilities. For example, if a website has a form or a search bar, we can type <script> alert("Hello, World")</script> in the search bar or the form. This code prompts the users with a dialogue box with the message Hello World. This alerting methodology is the one most commonly used by pentesters because it’s both a simple yet brutal indicator of XSS vulnerabilities.

When a vulnerability is discovered, the adversary will often perform recon to see what’s the most they can get away with without getting caught.

Let’s look at more examples. A JavaScript element like document.documentElement.innerHTML contains all the HTML code of the web page. Changing this element to point to an empty string leads to a loss of the web page. The JavaScript code is injected into the webpage as <script>document.documentElement.innerHTML = ''</script>.

Other tags can also be used in the exploitation process. Let’s look at some below:

  • <body onload=alert('Hello World')>: This will result in the prompt automatically popping up whenever a user opens up a page.

  • <p onclick=alert('Hello!')>Click me for a surprise!</p>: This will result in a prompt being displayed whenever a user clicks on the element.

Now let’s look at each XSS vulnerability type with a practical example.

Reflected XSS

For reflected XSS, the biggest tell is usually the parameters in the URL. If you notice a value in the URL that is then displayed on the web page, you can start poking around there. Let’s confirm this with OWASP Juice Shop below:

  1. Click the “Run” button for the playground to load. After a while, we’ll see a message that says that the application is ready at port 3000.
  2. Click on the playground’s URL. The vulnerable web application will load in a new tab.
  3. Create a new account. Use bogus details.
  4. Log in using the new account.
  5. Add a number of items to the basket.
  6. Go to the basket, and provide an address and then payment details. Again, provide fake details.
  7. We’ll get a confirmation that our order has been placed.

Get hands-on with 1200+ tech skills courses.