on Sun Aug 16 2020
An injection attack that allows an attacker to read data, or perform operations on the user’s behalf.
There are 4 types of Cross-Site Scripting (XSS) attacks:
Stored XSS – e.g. a script being stored in the database and served back to other users.
Reflected XSS – a transient response ( a validation error, for example ) from the server echoes the input and causes the script to execute.
DOM based – the payload is passed in via query params, for example, and reaches the DOM through client-side JavaScript. No server involved.
Blind XSS – exploits a vulnerability in another app ( say, a log reader ) that the attacker doesn’t have access to under normal means.
Places to look for XSS attacks or Danger Zones
1. User-generated rich text ( WYSIWYG )
2. Embedded content ( flash, iframe )
3. Anywhere user input is reflected back
4. Query params written into the DOM.
A page in the browser has a single execution context, so the browser can’t tell the difference between scripts downloaded from different domains once they are running in it.
CSP, or Content Security Policy, allows us to tell modern browsers which sources they should trust, and for what types of resources.
This information comes via an HTTP response header ( Content-Security-Policy ) or a meta tag.
A policy can have multiple directives separated by semicolons. Each directive is a name followed by its allowed sources, like font-src https://fonts.googleapis.com
child-src – child execution contexts, such as frames, workers
connect-src – what you can connect to ( fetch, WebSocket, EventSource )
form-action : where you can <form> submit to
img-src, media-src, object-src – where you get image, media, flash from
style-src : where external stylesheets can come from
upgrade-insecure-requests – upgrades http to https
default-src – fallback, for when specific directive isn’t provided
For sources, the values it can take are 'none', 'self', 'unsafe-inline', 'unsafe-eval', or a host / scheme such as https://fonts.googleapis.com
For allowing some inline JavaScript we could add a nonce attribute to the script tag and have the CSP script-src include that nonce:
script-src 'nonce-rjfjrishahrE9' , but this nonce needs to be unpredictable and freshly generated on every page load.
Another way is to add a checksum of the script body ( sha256-38cjdj67839 ), which the browser console reports once we enable CSP and it blocks the inline script. We could then add that sha checksum to the CSP.
Images, PDFs etc. are also vectors for XSS attacks.