How to Find XSS – Source:www.hackerone.com

Source: www.hackerone.com – Author: Haoxi Tan.

What Is XSS?

XSS, short for Cross-Site Scripting, is a common type of vulnerability in web applications that lets an attacker execute arbitrary JavaScript in the victim's browser. XSS can often be chained with other vulnerabilities to mount more impactful attacks, such as information disclosure, account takeover, and even remote code execution.

XSS Vulnerabilities and How to Find Them

XSS vulnerabilities discovered by security researchers can be grouped into three general categories: reflected, stored, and DOM-based, but other interesting situations also crop up (like blind XSS and server-side XSS). In this article, we will introduce each type of XSS and share tips and tricks on how to look for them.

Payloads to Use

For effective testing of parameters that might end up executing JavaScript, polyglots (a single piece of data that parses validly in several different formats or contexts) are extremely useful, as are large lists of known XSS payloads that might work in different scenarios.
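As an added illustration (this is not code from the HackerOne article), the following Node.js script shows why the rendering context matters when a payload is tested: one constructed mini-polyglot is reflected into three sinks of a response (HTML text, a quoted attribute, and a JavaScript string literal), first unencoded and then with the encoder that matches each context. The payload, the page fragments and the helper names are all assumptions made for this demo.

```javascript
// Added example, not code from the HackerOne article: the same user input
// reflected into three different HTML contexts, once unescaped (vulnerable)
// and once with context-specific output encoding (hardened). Runs under
// plain Node.js with no dependencies; the payload below is constructed here.

// HTML text and attribute contexts: neutralise the five characters that can
// close a tag, close a quoted attribute, or start a new element.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: hex-escape every non-alphanumeric
// character so quotes, backslashes, newlines and "</script>" cannot break out.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable: a "name" parameter is concatenated straight into the response.
function renderVulnerable(name) {
  return [
    `<h1>Hello ${name}</h1>`,                  // HTML text context
    `<input name="user" value="${name}">`,     // quoted attribute context
    `<script>var user = '${name}';</script>`,  // JS string-literal context
  ].join('\n');
}

// Hardened: each sink uses the encoder that matches its own context.
function renderHardened(name) {
  return [
    `<h1>Hello ${escapeHtml(name)}</h1>`,
    `<input name="user" value="${escapeHtml(name)}">`,
    `<script>var user = '${escapeJsString(name)}';</script>`,
  ].join('\n');
}

// Count '<' characters in a response: if a reflected input adds any, the
// input reached the markup unencoded, a cheap signal worth checking in tests.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Constructed mini-polyglot: the leading quote characters and '>' try to close
// an attribute or a JS string before the '<' opens a new element.
const TEST_PAYLOAD = `'"><svg onload=alert(1)>`;

function demo() {
  const baseline = countTagOpeners(renderHardened(''));
  const vulnerable = renderVulnerable(TEST_PAYLOAD);
  const hardened = renderHardened(TEST_PAYLOAD);
  console.log('--- vulnerable ---\n' + vulnerable);
  console.log('--- hardened ---\n' + hardened);
  return {
    vulnerableExtraTags: countTagOpeners(vulnerable) - baseline, // 3: one per sink
    hardenedExtraTags: countTagOpeners(hardened) - baseline,     // 0
  };
}

demo();
```

The design point is that one encoder is not enough: `escapeHtml` alone leaves the JavaScript sink open, because a quote inside a script string is not an HTML special character. A response that reflects input into several contexts needs one encoder per context, and a test that diffs the tag count before and after reflection catches the common regression of a sink that was forgotten.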

For example, a straight-up ).

XSS in PDFs can also execute in the browser via vulnerable PDF rendering components that inadvertently allow JavaScript execution. For example, this report shows a stored XSS in the PDF rendering component in Slack (which allows users to upload PDFs and other files, and has a built-in PDF viewer for convenience). It was rated as a high-severity bug and had a payout close to $5000.

Stored XSS in PDF report

XSS in Electron Applications

Electron applications (such as Slack and Microsoft Teams) bundle a local NodeJS backend with a Chromium browser frontend. That means web application vulnerabilities apply to Electron applications and can even have more severe consequences. Execution of backend JavaScript can result in RCE (Remote Code Execution) on the local machine if the right requirements are met.

It's very easy to unpack and inspect the source code of Electron applications: find the app.asar file and use the asar utility from npm to extract it into a directory, then generate its lockfile and analyze it for vulnerabilities in JavaScript dependencies using npm audit:

asar extract app.asar app; cd app   # unpack the archive into ./app and enter it
npm i --package-lock-only           # generate package-lock.json without installing anything
npm audit                           # check the locked dependency tree against known advisories

Check its source code for any mention of nodeIntegration, and if nodeIntegration: true is present, it means XSS vulnerabilities can also execute backend NodeJS code and would lead to RCE. For example, an attacker that can execute arbitrary JavaScript in an Electron app can run require('child_process').exec('calc'); which uses the child_process module in NodeJS to run any commands on the machine.
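The source-code check described above can be scripted. The Node.js program below is an added example (it is not code from the article or from any Electron project): it locates every `webPreferences: { ... }` object in JavaScript source and reports literal settings that weaken the renderer boundary, so that an XSS in the renderer would have a path to Node.js. The sample `main.js` text is constructed for the demo; the rule list compares against Electron's secure defaults (nodeIntegration off, contextIsolation on, sandbox on, webSecurity on), and the function and variable names are this example's own.

```javascript
// Added example, not code from the article or from any Electron project: a
// static check that scans JavaScript source for BrowserWindow webPreferences
// and reports settings that let renderer-side XSS reach Node.js. The sample
// main.js text below is constructed for the demo.

const RISKY_SETTINGS = [
  { key: 'nodeIntegration', bad: 'true',
    why: 'renderer JS can call require(); any XSS becomes local code execution' },
  { key: 'contextIsolation', bad: 'false',
    why: 'page scripts share a JS realm with the preload script and its privileges' },
  { key: 'sandbox', bad: 'false',
    why: 'renderer runs outside the Chromium sandbox' },
  { key: 'webSecurity', bad: 'false',
    why: 'same-origin policy is disabled for the renderer' },
  { key: 'allowRunningInsecureContent', bad: 'true',
    why: 'http:// scripts may run inside https:// pages' },
];

// Locate every `webPreferences: { ... }` literal and return its body text with
// the 1-based line where it starts. A brace-depth walk (not a regex) finds the
// closing brace so nested objects do not truncate the block.
function findWebPreferences(source) {
  const blocks = [];
  const opener = /webPreferences\s*:\s*\{/g;
  let match;
  while ((match = opener.exec(source)) !== null) {
    let depth = 1;
    let i = opener.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '{') depth += 1;
      else if (source[i] === '}') depth -= 1;
      i += 1;
    }
    const line = source.slice(0, match.index).split('\n').length;
    blocks.push({ line, body: source.slice(opener.lastIndex, i - 1) });
  }
  return blocks;
}

// Report every risky literal setting found inside each webPreferences block.
function auditSource(source, fileName = '<string>') {
  const findings = [];
  for (const block of findWebPreferences(source)) {
    for (const rule of RISKY_SETTINGS) {
      const kv = new RegExp(`\\b${rule.key}\\s*:\\s*(true|false)\\b`).exec(block.body);
      if (kv && kv[1] === rule.bad) {
        findings.push({ file: fileName, line: block.line, setting: `${rule.key}: ${kv[1]}`, why: rule.why });
      }
    }
  }
  return findings;
}

// Walk an extracted app directory (e.g. the output of `asar extract`) and
// audit every JavaScript file outside node_modules.
function auditTree(dir) {
  const fs = require('fs');
  const path = require('path');
  let findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory() && entry.name !== 'node_modules') {
      findings = findings.concat(auditTree(full));
    } else if (entry.isFile() && /\.(c|m)?js$/.test(entry.name)) {
      findings = findings.concat(auditSource(fs.readFileSync(full, 'utf8'), full));
    }
  }
  return findings;
}

// Constructed sample: one window with the dangerous combination, one hardened.
const SAMPLE_MAIN_JS = `
const { app, BrowserWindow } = require('electron');
function createWindow() {
  const win = new BrowserWindow({
    width: 1024,
    webPreferences: {
      nodeIntegration: true,
      contextIsolation: false,
      preload: path.join(__dirname, 'preload.js'),
    },
  });
  win.loadURL('https://app.example.invalid/');
}
const safeWin = new BrowserWindow({
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
});
`;

// Audits the directory named by ELECTRON_APP_DIR if set, otherwise the sample.
function demo(targetDir) {
  const findings = targetDir ? auditTree(targetDir) : auditSource(SAMPLE_MAIN_JS, 'sample-main.js');
  for (const f of findings) console.log(`${f.file}:${f.line} ${f.setting} -> ${f.why}`);
  return findings;
}

demo(process.env.ELECTRON_APP_DIR);
```

Run it with `ELECTRON_APP_DIR=app node audit-webprefs.js` after the `asar extract` step to scan the unpacked tree. It is a text-level check only: settings assigned through variables, spread objects or helper functions are not seen, and a clean result does not prove the app is safe, so treat it as a quick triage step before reviewing the window-creation code by hand.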

Any XSS vulnerabilities that apply to normal web applications can also apply to Electron applications, especially stored and DOM-based XSS. For example, this RCE vulnerability in Rocket.Chat's desktop app comes from execution of arbitrary HTML and JavaScript content in the context of the Electron application. Using an XSS vulnerability in its Markdown parser, the attacker could redirect the user to a malicious web page and use JavaScript to execute code on the local machine.

RCE vulnerability report

When testing Electron desktop applications, be sure to try various features that turn user input into HTML (like markdown and PDF rendering), and use tools such as Electronegativity to identify potential security misconfigurations and DOM-based vulnerabilities.

Conclusion

XSS is one of the most common vulnerabilities in web applications, and an ongoing area of security research. This article tries to scratch just beneath the surface to share tips and tricks for finding interesting XSS vulnerabilities, but nothing beats the curiosity, creativity, and persistence of a hacker (yes, I am talking about you) when it comes to finding novel vulnerabilities, exploits, and bypasses.

Happy hacking!

Secure Your Web Application From XSS With HackerOne

HackerOne and our community of ethical hackers are best equipped to help organizations identify and remediate XSS and other vulnerabilities, whether through bug bounty, Pentest as a Service (PTaaS), Code Security Audit, or other solutions, by considering the attacker's mindset on discovering a vulnerability.

Download the 7th Annual Hacker Powered Security Report to learn more about the impact of the top 10 HackerOne vulnerabilities, or contact HackerOne to get started taking on XSS vulnerabilities at your organization.

Original Post url: https://www.hackerone.com/ethical-hacker/how-to-find-xss