Bismillah
What an eventful day, the second day of Jr. Pentesting was all reading and a bit of practice. This first week I'm just learning, then next week I'll continue with my Portswigger practice, might even hit some Hackerone CTFs and Owasp Juice Shop.
Before all that, Ramadhan Mubarak to all my Muslim brothers and sisters out there. May Allah SWT help you grow closer to Him and work your way to Jannah.
Let's talk about some of the basics I've learned today.
Cross-site Scripting(XSS)
Definition: You remember sneaky? let's use that analogy again, in this case, let's think of Sneaky using Javascript to gain data from other users of a website.
So what sneaky does is create some malicious JS code and inject it into the web, which helps him collect info from other users.
Let's call this malicious JS an XSS payload.
XSS Payloads: the JS code Sneaky is using to do his stuff.
There are two sides to this:
Intention: what Sneaky wants the code to do
Modification: anything Sneaky needs to do to the code to adjust it to different web apps he wants to sneak into.
Examples of XSS
Proof of concept: just showcasing that there is a way to achieve XSS(think of Sneaky sending an alert to his other account in a Bug Bounty program).
Session Stealing: so, Sneaky logs into a web app and the website saves that account's login tokens in cookies.
Using the other account, he can find a way to access the information held by the cookies by redirecting his other account to a malicious site he owns.
Once he has the credentials he can take over the target's session and log in as the user.
Key Logger: Sneaky finds a way to ensure anything you type on a website is recorded to his malicious site.
Business Logic: takes advantage of how the site calls network resources using a JS function. A good example would be a function to change user information (like email). He would use this and insert his malicious email so that he can take over the account by resetting the password.
Types of XSS
Reflected: this a vulnerability that reflects user-supplied data (from an HTTP request) into the webpage source, without even validating the data.
Stored: the malicious code is stored in the web app, to be run by the next user(s) to visit the web page.
DOM Based: this vulnerability is where the malicious code is executed directly in the browser without any other changes made to the backend code or any other web page getting opened.
Blind XSS: you probably guessed this one right, but if you didn't, it is where an XSS payload is stored on the website, executed by another user, but sneaky will not get feedback on it. "Sneaky Blinders".
I'll leave you with a tip, look into XSS polyglots, I heard they can be good in parting XSS filters.
DISCLAIMER: I only write to people who hack for good. The Rest of you didn't get any of this from me.