Threat Analysis: What Damage Can Be Done by Targeting XSS?

Let’s put things simply regarding XSS attack vectors. You just have to focus on user controlled data, regardless its source. URL parameters and form data may be the first things to come to your mind, but there’s a lot more. You should realize that users control the HTTP request, and so request headers and cookies may also be sources of hostile data. Browser’s local storage is another typical attack vector since malicious actors may be able to tamper with it. If your application expects file uploads such as photos, and then you’re reading the photo’s metadata, then it can also be used as an attack vector. Finally, a less obvious source of hostile data– external services.

If the application retrieves data from other services, for example, by means of APIs, malicious actors may decide to go after those third party services, indirectly compromising your application. Any data source is a potential attack vector. Keep in mind that attackers will be able to execute code remotely on victims’ browsers. The first thing attackers will look for is session tokens. If they can exfiltrate such token from a victim’s browser, chances are they will be able to use it in another browser to impersonate the victim. This is called session highjacking.

Even if session hijacking is not possible, attackers will be able to use JavaScript to automate tasks to scrape user data from the DOM or to do some actions on victim’s behalf, such as fraudulent transactions. Being able to execute code remotely in specific pages, such as the login page, may give attackers access to credentials. There are other techniques to trick the browser and password managers to leak credentials. Among other impacts, attackers will always be able to exploit the trust relationship between the victim and the website owner, driving the former to download and install malware. Technical skills are required to identify and exploit the cross site scripting vulnerability.

Nevertheless, there are automated tools to assist this task and plenty of information about the subject. Threat agents may be after specific victims. Targeting an application administrator may allow attackers to gain control over a privileged account and access sensitive data or shut down the system. On the other hand, attackers may be interested in a particular individual, let’s say a VIP. If your application manages sensitive data, such as health records, the XSS exploitation may give attackers access to sensitive information regarding that individual. XSS can also be used for widespread attacks. It happened already in the past, creating a worm effect.

To identify threats agents, consider who may wants to gain control over your application, and how sensitive is the information your application manages, and who may want to access it. You’ll find this table in the OWASP Top 10. Pause the video and take your time to carefully read it. In the next part, we will exploit XSS on our intentionally vulnerable application.