Page 72 - Hands-On Bug Hunting for Penetration Testers

Unsanitized Data – An XSS Case Study                                 Chapter 4

            Reflected XSS is when the injected script is reflected off of the target server through a page
            of search results, an error message, or another response that is built in part from the user's
            input. The payload travels in the request and comes straight back in the response without
            being stored, so the victim usually has to be lured into sending it (via a crafted link or form).
            Reflected XSS can still be very damaging because the script runs in the origin of the server
            that reflected it, inheriting the victim's session and the trust placed in that server.

            There's also DOM-based XSS, a more specialized variant in which the flaw lives in the page's
            own client-side JavaScript rather than in the server's response. The attacker supplies the
            victim with a link whose URL (for example, the fragment after #) carries the payload; when the
            page loads, its script reads that value from a source such as location.hash or document.URL
            and writes it into a dangerous sink such as innerHTML or document.write(), so the browser
            constructs the malicious markup as it builds the DOM and executes the code. The payload may
            never reach the server at all, which is why server-side filtering and server logs can miss it.

            Although stored/persistent XSS, reflected XSS, and DOM-based XSS are the usual groupings,
            another way of thinking about XSS is to divide bugs into client XSS and server XSS. In this
            framework, both the client and server variations have stored and reflected forms: server XSS
            occurs when the server builds an HTML response from untrusted data, whether that data arrived
            in the current request (reflected XSS) or came from a stored location such as a database
            (stored XSS), while client XSS occurs when client-side JavaScript updates the DOM with
            untrusted data from those same sources (DOM-based XSS is a subset of client XSS). The
            distinction matters for remediation: server XSS is fixed by context-aware output encoding on
            the server, while client XSS needs safe DOM APIs and encoding in the JavaScript that touches
            the sink.
            We'll cover a mix of techniques for detecting XSS, some of which will apply only to specific
            types, others to a wider variety of attacks.
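The two halves of that framework side by side, as an added example that is not code from the book or from the Burp extension discussed next: a hypothetical search page rendered once with a server XSS and once with a client XSS, each beside its fix. The request handler, the FakeElement stand-in for a DOM element, and the payload are assumptions made for the demonstration; it runs under Node with no browser or network.

```javascript
// Added example (not from the book): the same search feature written with a
// server XSS and a client XSS, each beside its fix. Runs under Node with no
// browser or network; the DOM sink is modelled by FakeElement below.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Context-aware encoding for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// --- Server XSS (reflected): a hypothetical handler builds HTML from the raw
// ?q= value. The payload travels in the request and comes straight back in
// the response body, so the browser parses it as markup.
function serverSearchPageUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fix: encode untrusted data for the context it is written into.
function serverSearchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// --- Client XSS (DOM-based): the server's response is clean, but page
// JavaScript reads location.hash and writes it into innerHTML. FakeElement
// stands in for a real DOM element: innerHTML parses markup, while assigning
// textContent creates a text node, so a later read of innerHTML returns the
// escaped serialisation (modelled here by the setter).
class FakeElement {
  constructor() { this.innerHTML = ''; }
  set textContent(value) { this.innerHTML = escapeHtml(value); }
}

// location.hash is passed in as a parameter so this runs without a browser.
// Browsers may percent-encode the fragment, hence the decode; a malformed
// %-sequence would throw a URIError, so fall back to the raw value.
function termFromHash(locationHash) {
  const raw = locationHash.startsWith('#') ? locationHash.slice(1) : locationHash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Vulnerable sink: attacker-controlled text becomes markup.
function clientRenderUnsafe(locationHash, element) {
  element.innerHTML = `<span class="term">${termFromHash(locationHash)}</span>`;
  return element.innerHTML;
}

// Fix: use a sink that cannot create nodes from attacker-controlled text.
function clientRenderSafe(locationHash, element) {
  element.textContent = termFromHash(locationHash);
  return element.innerHTML;
}

// Signal vs noise: a payload that is reflected but encoded is noise; one that
// survives unencoded into the markup is the only kind worth confirming.
function payloadSurvives(html, payload) {
  return html.includes(payload);
}

// Demo with a constructed payload (no quotes, so it survives attribute contexts too).
const PAYLOAD = '<img src=x onerror=alert(1)>';
console.log('server, unsafe:', serverSearchPageUnsafe(PAYLOAD));
console.log('server, safe  :', serverSearchPageSafe(PAYLOAD));
console.log('client, unsafe:', clientRenderUnsafe('#' + PAYLOAD, new FakeElement()));
console.log('client, safe  :', clientRenderSafe('#' + PAYLOAD, new FakeElement()));
```

Run it with node: the two unsafe variants return the payload unencoded, the two safe ones return it as inert text. Note that the server-side fix does nothing for the client-side bug and vice versa, which is the practical reason for keeping the two categories apart when you report and retest.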


            Testing for XSS – Where to Find It, How to Verify It

            There are several great methods for discovering XSS. We'll start with a tool we've already
            begun using in preparing for an engagement, diving into some new parts of Burp and an
            XSS-related Burp extension.



            Burp Suite and XSS Validator

            One problem with automated and semi-automated solutions for XSS is distinguishing
            signal from noise: a payload being echoed back in a response is not the same as it executing.
            To solve that, a useful Burp extension, XSS Validator, runs a PhantomJS-powered server that
            receives the responses to Burp's requests, renders each one in a headless browser, and looks
            for a unique string injected into the alert() call embedded in the applied XSS payloads; a
            result is reported only when that string actually fires. It provides a clean way of culling
            the results of your XSS submissions down to confirmed vulnerabilities.
