Page 71 - Hands-On Bug Hunting for Penetration Testers

Unsanitized Data – An XSS Case Study                                 Chapter 4

Technical Requirements

In this section, we'll continue to configure and use tools from our macOS Terminal command line. We'll also be using Burp Suite, the Burp extension XSS Validator, and information from the SecLists GitHub repository (https://github.com/SecLists) to power our malicious XSS snippet submissions. When we use a browser normally or in conjunction with Burp, we'll continue to use Chrome. Using the XSS Validator extension will require us to install Phantomjs, a scriptable headless browser.

    Please download Phantomjs from the official Phantomjs download page: http://phantomjs.org/download.html.

A Quick Overview of XSS – The Many Varieties of XSS

XSS is a weakness inherent in the single-origin policy. The single-origin policy is a security mechanism that's been adopted by every modern browser and only allows pages to load from the same domain as the page doing the loading. But there are exceptions that allow pages to load third-party assets (most web pages load external JavaScript, CSS, or images), and this is the vector through which XSS occurs.

When a browser is loading the src attribute on an HTML tag, it's executing the code that attribute is pointing to. It doesn't have to be a file; it can just be code included in the attribute string. And it's not just the src attribute that can execute JavaScript.

The following is an example of an XSS testing snippet. It uses the onmouseover attribute to execute a JavaScript alert() as a classic XSS canary:

    <a onmouseover="alert(document.location.href)">snippet text</a>

document.location is included as a way of easily referencing the exact URL where the XSS is occurring.

The snippet we just referenced is an example of stored or persistent XSS because the <a> tag with malicious JavaScript would be inserted via a form input as part of a comment or general text field, and then stored in the web app's database, where it could be retrieved and viewed by other users looking at that page. Then, when someone hovered over that element, its onmouseover event would trigger the execution of the malicious XSS code.
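To see what the stored variant looks like from the application's side, here is an added Python example (not code from the book): a constructed comment store containing the canary above is rendered once verbatim and once HTML-escaped, and a small check flags any tag in the rendered output that carries an on* event-handler attribute. The comment texts, template and function names are assumptions for the example.

```python
import html
import re

# Constructed sample comments: one benign, one carrying the book's onmouseover canary.
COMMENTS = [
    "Great article!",
    '<a onmouseover="alert(document.location.href)">snippet text</a>',
]

PAGE_TEMPLATE = "<html><body><h1>Comments</h1>{body}</body></html>"


def render_vulnerable(comments):
    """Writes stored comments into the page verbatim: the stored-XSS defect."""
    body = "".join(f'<div class="comment">{c}</div>' for c in comments)
    return PAGE_TEMPLATE.format(body=body)


def render_escaped(comments):
    """Same page, but every comment is HTML-escaped before it is written.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    stored <a ...> text is displayed as literal characters, not parsed as a tag.
    """
    body = "".join(
        f'<div class="comment">{html.escape(c, quote=True)}</div>' for c in comments
    )
    return PAGE_TEMPLATE.format(body=body)


# A tag that carries an on<event>= attribute (onmouseover, onerror, onload, ...).
# Only real tags match: an escaped "&lt;a onmouseover=" never starts with "<".
EVENT_HANDLER_TAG = re.compile(r"<[a-zA-Z][^>]*\son[a-z]+\s*=", re.IGNORECASE)


def executable_handlers(page_html):
    """Returns each tag-plus-handler prefix a browser would treat as markup."""
    return EVENT_HANDLER_TAG.findall(page_html)


if __name__ == "__main__":
    print("verbatim  :", executable_handlers(render_vulnerable(COMMENTS)))
    print("escaped   :", executable_handlers(render_escaped(COMMENTS)))
```

The escaped page still contains the string alert(document.location.href), but only as inert text inside the div, which is the difference the check detects.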

