Is XSS Dangerous?

Background

From observing several IT groups that I follow, many people keep asking: Is XSS dangerous? How do you upload a webshell via XSS? Why is my XSS bug report not responded to? Is it because XSS is not dangerous? Or maybe because the web admin is already, you know what? More or less those are the questions that come up, so let’s discuss together what the characteristics of XSS are.

Definition

Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. –Wikipedia–

Put simply, it goes roughly like this: in an XSS vulnerability an attacker can insert or input HTML tags that are rendered by the client (the web browser), and among those HTML tags is one that carries executable code, namely JavaScript (the <script> tag; see the XSS payloads at https://www.xss-payloads.com/). If JavaScript cannot run but the HTML tag is still rendered by the browser, then the bug is categorized as HTML Injection.

Confusion

So is XSS dangerous? The answer is: it depends, yeah, just like my feelings for her :( If the XSS is only a self-XSS, meaning it only fires for our own user and has no impact on other users, then it can be said that the XSS is not valid. However, if the XSS is reflected or stored, and especially if it can steal cookies, then the XSS is quite dangerous. Why?

Reflected XSS

If it is reflected in a GET parameter (for example, a search feature that uses the GET method):

web.com/?search=<script>alert(1337)</script>

then in this case it can be used for a scam. For example, the flow is like this: the attacker creates a JavaScript payload that redirects to a look-alike website built for scamming, or creates a fake form overlaid on the original page that sends the data typed into the fake form to the attacker’s server, more or less like that, possibly combined with a bit of social engineering -> https://github.com/laztname/xss

Stored XSS

If it is stored, then our XSS payload script is saved in the database; when another page of the website displays that stored data, the XSS runs (assuming the website is vulnerable to XSS). That is why the bad impact of Stored XSS/Overlay is that attackers can steal other users’ cookies. Once the attacker has the cookies, they can perform cookie hijacking, which results in the attacker being able to log in as another user without knowing the username or password.
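The reflected and stored cases above come down to the same defect: user data written into HTML without encoding. As an added example (not code from the original post), here is a hypothetical search-page and comment-list renderer in its vulnerable form next to the hardened form, plus the HttpOnly session cookie that keeps document.cookie from being read even if a script does get to run:

```javascript
// Added example, not from the original post. All function names are
// hypothetical; the sample payload is the one quoted in the post.

// Escape the five characters that let input break out of HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected, vulnerable: ?search= is concatenated straight into the page,
// so a <script> tag in the query is rendered and executed by the browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Reflected, hardened: same page, but the query is encoded on output.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored, hardened: rows read back from the database are untrusted too,
// so every stored value is encoded at the moment it is written into HTML.
function renderCommentsSafe(rows) {
  const items = rows.map((r) => `<li>${escapeHtml(r.text)}</li>`).join('');
  return `<ul>${items}</ul>`;
}

// HttpOnly stops document.cookie from reading the session cookie, which is
// what makes the cookie-theft step fail even when an XSS bug exists.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: the payload quoted in the post.
const samplePayload = '<script>alert(1337)</script>';

console.log(renderSearchVulnerable(samplePayload)); // tag survives, would execute
console.log(renderSearchSafe(samplePayload));       // tag is shown as text
console.log(renderCommentsSafe([{ text: samplePayload }]));
console.log(sessionCookieHeader('abc123'));
```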

Other Question

Can you upload a webshell via XSS? Yes! But the flow is like this:

  1. The attacker finds an XSS vulnerability in the contact-admin feature
  2. The attacker sends an XSS payload to steal the admin’s cookies or manipulate the page so the admin accidentally types their username and password
  3. The cookies are sent to the attacker’s server
  4. The attacker performs session hijacking
  5. The attacker successfully logs into the dashboard as admin
  6. Then it is just recon, maybe finding a file upload feature that is not properly filtered

So why are XSS bugs rarely responded to? Because you’re not handsome enough. Maybe the report you made did not give the admin/developer a clear picture of how dangerous XSS is. If possible, include in a vulnerability report how to reproduce it, explain the impact in detail (this is very important), and give recommendations on what should be done; there are many vulnerability report writeups you can use as references.

Also Read: Write a good Vulnerability Report

Maybe that’s all the response from someone who relies on luck; if there are wrong words or anything, please correct me, we are learning together ;) ccciiieeeeee

Yes, there is no image for this article~
For prevention of XSS attacks you can see here.

Changelog:
2018-12-20 - First write
2024-02-11 - Minor change markdown