What are the different types of XSS attacks?
Overview
Cross-site scripting (XSS) attacks refer to the process of abusing the Same Origin Policy to inject malicious code into the client’s machine without the client’s knowledge.
Types of XSS
There are three types of XSS attacks:
- Reflected XSS attacks
- Stored XSS attacks
- DOM-based XSS attacks
Let’s discuss them in detail.
Reflected XSS
We can use the information the user enters on a webpage in an HTML request to get a response from the application’s backend. If the input is not
Example
We can take the example of a simple website that requests user input, displays search results, and echoes the term on the next page.
The URL below is an example URL, not an actual one.
https://badexample.com/search?term=educative
The user inputs educative in the URL above echoed on the next page.
The code below displays the headline before returning the search results.
const Message = () => {let text = "<h1>You searched for: \"" + input + "\"</h1>";return (<div> dangerouslySetInnerHTML={{__html: text}} />// React escapes HTML code automatically// while rendering the page. However, the// function above is used for purposely// not escaping inner HTML.);}
Explanation
The explanation of the above code is as follows:
- Line 2: This contains the harmful piece of code that can result in an XSS attack.
- Line 5: This contains a function that has been provided by React, which does not escape text on purpose.
Here, the user may input some malicious code since the input isn’t being sanitized. The user can use the following input as the searched term:
<script>alert("haha! you've been pwned!")</script>
The following URL is created with the input above and can execute the code injected inside the URL for whoever clicks on it.
https://badexample.com/search?term=<script>alert("haha! you've been pwned!")</script>
Stored XSS
As the name suggests, this type of XSS stores malicious code in a data store. This way, whenever the stored data is fetched, it can trigger malicious activity for the person requesting the data. Below, we’ve got an illustration that demonstrates the stored XSS attack:
The attacker will enter malicious code where the application requests user input, and the application will store the code in a data store. When a new user fetches the code containing the injected script from the data store, their application will execute the malicious code.
DOM-based XSS
The XSS attack is also known as type-0 XSS. Applications vulnerable to this attack can directly have their DOM modified. It is neither stored nor reflected. The application is injected with the malicious code without requests hitting the server or the data store.
This kind of attack came into being when developers kept more functionalities on the user side to minimize the application-server interaction due to browser vulnerabilities. This required the URI to track user activity in the application.
The attacker can alter the URI and modify the DOM, provided the URI is used as raw HTML in the code.
$(document).onload(function(){let page = window.location.hash;loagPage(page);$("#page-no").html(page);});
Explanation
The explanation of the above code is as follows:
- Line 3: The
window.location.hashis a DOM property that returns or sets the anchor part of the URL. For example, if our location iseducative.io\answers#2, thenwindow.locationis set to#2.
Modifying this to the desired malicious script can result in a DOM-based XSS attack. - Line 5: This function performs a specific set task, depending upon what the page number is, when we call it.
- Line 7: We use this method in jQuery to set the inner HTML for the first matched query given inside the parenthesis. For the element with the ID
#page-no, the.html(page)method sets the element to whatever the value ofpageis.
Free Resources