Cross Site Scripting (XSS)

Cross-Site Scripting (also known as XSS) is one of the most common attacks on the application layer of a web app. XSS enables attackers to inject client-side scripts into web pages viewed by other users, effectively executing these scripts in the context of someone else's browser. The effects range from petty nuisance to serious security risks, depending on the data available in the browser for the given site/domain.

• Reflected (non-persistent): e.g. query param displayed without sanitization. An example of exploitation can be a URL link containing such malicious parameter which is then executed in the browser of the one who clicks it.
• Persistent: data stored on the server and displayed to a multitude of users. A typical example is a message board.

Examples:

• Shopify for the win (search field, December 2015!, intercepting request)
• Google's Image Search has been found guilty of this in 2015 too
• Uber's templates (technically, this is Template Injection, Ruby seems to be extremely vulnerable to this)

Tips

Test everything, all input fields are potential candidates, use proxy (submit positive values, tamper with them on the proxy), provide unexpected values (i.e. think about what malicious code is expected, come up with something innovative).

Test your skills

• https://google-gruyere.appspot.com/
• https://xss-game.appspot.com/level3

Links

• JSFuck, showing JS obfuscation, using only 6 characters to write any kind of code.
• A few examples of potentially malicious code
• XSS Cheat Sheet, showing all kinds of malicious snippets that might enable a malicious attacker to exploit XSS vulnerabilities.