XSS Attacks
User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Furthermore, when processing an HTTP request, a web server may copy user-provided data into the body of the HTTP response that is sent back to the user. This behavior is called a “reflection”. Endpoints reflecting tainted data could allow attackers to inject code that would eventually be executed in the user’s browser. This could enable a wide range of serious attacks, such as accessing or modifying sensitive information or impersonating other users.
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Types of XSS
1-Reflected XSS
2-Stored XSS
3-DOM Based XSS
These videos explain the impact and exploitation of the vulnerability:
https://www.youtube.com/watch?v=IWbmP0Z-yQg
https://www.youtube.com/watch?v=TeIK1244sSk
https://www.youtube.com/watch?v=PRDO0ZjYGfc
https://www.youtube.com/watch?v=Vr8nSmDz5B4&list=PLsB1gqjeUAh_yEuLgtZ0ppLlExcYOL2Kp&index=2
https://www.youtube.com/watch?v=hWQ4LuwVAsg&list=PLsB1gqjeUAh_yEuLgtZ0ppLlExcYOL2Kp&index=3
Code analysis
PHP
Noncompliant Code Example:

    <?php
    $name = $_GET["name"];
    echo "Welcome $name"; // Noncompliant: the query parameter is reflected into the page unencoded

Compliant Solution:

    <?php
    $name = $_GET["name"];
    // Encode for an HTML text context; ENT_QUOTES also covers single-quoted attribute values
    $safename = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "Welcome $safename";
Python
Noncompliant Code Example:

templates/xss_shared.html

    <!doctype html>
    <title>Hello from Flask</title>
    {% if name %}
    <h1>Hello {{ name }}!</h1>
    {% else %}
    <h1>Hello, World!</h1>
    {% endif %}

xss.py

    from flask import Blueprint, request, make_response

    xss = Blueprint('xss', __name__)

    @xss.route('/insecure/no_template_engine_replace', methods=['GET'])
    def no_template_engine_replace():
        param = request.args.get('param', 'not set')
        # The file is read as plain text, so Jinja never runs and its auto-escaping never applies
        html = open('templates/xss_shared.html').read()
        response = make_response(html.replace('{{ name }}', param))  # Noncompliant: param is not sanitized
        return response

Compliant Solution:

templates/xss_shared.html

    <!doctype html>
    <title>Hello from Flask</title>
    {% if name %}
    <h1>Hello {{ name }}!</h1>
    {% else %}
    <h1>Hello, World!</h1>
    {% endif %}

xss.py

    from flask import Blueprint, request, make_response
    from markupsafe import Markup  # flask.Markup was removed in Flask 3.0; import it from markupsafe

    xss = Blueprint('xss', __name__)

    @xss.route('/secure/no_template_engine_sanitized_Markup_escape', methods=['GET'])
    def no_template_engine_sanitized_Markup_escape():
        param = request.args.get('param', 'not set')
        param = Markup.escape(param)  # HTML-encodes < > & " ' before the value reaches the page
        html = open('templates/xss_shared.html').read()
        response = make_response(html.replace('{{ name }}', param))  # Compliant: 'param' is sanitized by Markup.escape
        return response
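The two Flask handlers above reduced to their sink, with a check a test suite can run against both (added example, not code from the page; it assumes html.escape in place of Markup.escape and an inline, constructed copy of the template):

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for templates/xss_shared.html; only {{ name }} matters here
SHARED_TEMPLATE = """<!doctype html>
<title>Hello from Flask</title>
<h1>Hello {{ name }}!</h1>
"""

def render_insecure(param: str) -> str:
    """Same sink as no_template_engine_replace: tainted value copied verbatim."""
    return SHARED_TEMPLATE.replace('{{ name }}', param)

def render_secure(param: str) -> str:
    """Same sink as the compliant handler; html.escape stands in for Markup.escape."""
    return SHARED_TEMPLATE.replace('{{ name }}', html.escape(param, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tag_names(document: str) -> list:
    """Start tags of `document`; encoded text such as &lt;b&gt; never shows up here."""
    collector = _TagCollector()
    collector.feed(document)
    collector.close()
    return collector.tags

def reflection_kind(param: str, body: str) -> str:
    """'raw' if param is in body unchanged, 'encoded' if only its escaped form is, else 'none'.
    Only meaningful when param contains one of < > & " ', otherwise raw and encoded coincide."""
    if param in body:
        return 'raw'
    if html.escape(param, quote=True) in body:
        return 'encoded'
    return 'none'

def input_changed_markup(render, param: str) -> bool:
    """True when rendering `param` yields tags that rendering an empty string does not,
    i.e. the input escaped the text context it was placed in."""
    return tag_names(render(param)) != tag_names(render(''))

if __name__ == '__main__':
    probe = '<b>probe</b>'  # constructed, harmless markup that must not become a tag
    print(reflection_kind(probe, render_insecure(probe)), input_changed_markup(render_insecure, probe))
    print(reflection_kind(probe, render_secure(probe)), input_changed_markup(render_secure, probe))
```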
Java
Noncompliant Code Example:

    import java.io.*;
    import javax.servlet.http.*;

    public class HelloServlet extends HttpServlet { // class name is illustrative
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String name = req.getParameter("name");
            PrintWriter out = resp.getWriter();
            out.write("Hello " + name); // Noncompliant: request parameter written straight into the response
        }
    }

Compliant Solution:

    import java.io.*;
    import javax.servlet.http.*;

    public class HelloServlet extends HttpServlet { // class name is illustrative
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String name = req.getParameter("name");
            // org.owasp.encoder.Encode comes from the OWASP Java Encoder library
            String encodedName = org.owasp.encoder.Encode.forHtml(name);
            PrintWriter out = resp.getWriter();
            out.write("Hello " + encodedName); // Compliant: value encoded for an HTML text context
        }
    }
This site explains the vulnerability in detail, with hands-on challenges:
https://portswigger.net/web-security/cross-site-scripting
XSS Bug Bounty Reports
https://hackerone.com/reports/409850
https://abdilahrf.github.io/bugbounty/got-access-to-dota-2-admin-panel-by-exploiting-in-game-feature