Frontend Scrapbook

Notes that make a difference

XSS

By admin

on Sun Aug 16 2020

An injection attack that allows an attacker to read data, or perform operations on the user’s behalf.

There are 4 types of Cross-Site Scripting attacks

Stored XSS – e.g., some script being stored in the database.

Reflected XSS – a transient response from the server ( a validation error, for example ) causes the script to execute.

DOM based – passed in via query params, for example. No server involved.

Blind XSS – exploits a vulnerability in another app ( say, a log reader ) that the attacker doesn’t have access to by normal means.

Places to look for XSS attacks, or Danger Zones

1. User-generated rich text ( WYSIWYG )

2. Embedded content ( flash, iframe )

3. Anywhere users have control over a URL ( e.g. a CSS background image whose URL starts with javascript: )

4. Anywhere user input is reflected back

5. Query params into DOM.

6. element.innerHTML
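Danger zones 3, 5 and 6 from the list above, worked through as an added example (this is not code from the original notes). The functions are pure so they can be checked without a browser: the query-parameter value is shown once written straight into markup, as it would be with innerHTML, and once escaped, and a user-controlled URL is reduced to a safe fallback unless it is an absolute http(s) URL. The parameter names and the `about:blank` fallback are assumptions for the example.

```javascript
// Added example, not from the original notes: the DOM-based "danger zones"
// (query params -> innerHTML, user-controlled URLs) and their hardened forms.

// Minimal HTML escaping for text placed inside element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Danger zone 3: a URL the user controls. Only absolute http(s) URLs are accepted;
// javascript:, data:, relative or unparsable strings all collapse to the fallback.
// (Fallback value is an assumption for this example.)
function safeUrl(candidate, fallback = 'about:blank') {
  let url;
  try {
    url = new URL(String(candidate)); // the URL parser lowercases and trims the scheme
  } catch {
    return fallback; // relative or malformed: reject rather than guess
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : fallback;
}

// Danger zones 5 and 6: a query parameter written into the page via innerHTML.
// Vulnerable: the raw value is parsed as markup, so tags in the URL become DOM.
function greetingMarkupUnsafe(queryString) {
  const name = new URLSearchParams(queryString).get('name') ?? 'guest';
  return `<h1>Welcome, ${name}</h1>`; // would be assigned to element.innerHTML
}

// Hardened: the same value escaped, so the browser renders it as text.
function greetingMarkupSafe(queryString) {
  const name = new URLSearchParams(queryString).get('name') ?? 'guest';
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Both defences together: an attribute value (URL) and element content (label).
function profileLinkMarkup(href, label) {
  return `<a href="${escapeHtml(safeUrl(href))}">${escapeHtml(label)}</a>`;
}

module.exports = { escapeHtml, safeUrl, greetingMarkupUnsafe, greetingMarkupSafe, profileLinkMarkup };
```

In a real page the better fix for zone 6 is to avoid markup altogether (`element.textContent = name`); escaping is for the cases where markup genuinely has to be assembled, and a URL still needs its own scheme check because escaping does nothing against a javascript: link.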

XSS Defenses

Browsers have a single execution context per page, so they can’t tell the difference between scripts downloaded from different domains.

CSP, or Content Security Policy, allows us to tell modern browsers which sources they should trust, and for what types of resources.

This information comes via an HTTP response header directive or a meta tag.

Content-Security-Policy: script-src 'self' https://codeinjavascript.com

script-src is the directive name; 'self' and https://codeinjavascript.com are sources.

Multiple directives are separated by semicolons, e.g. font-src https://fonts.googleapis.com

child-src – child execution contexts, such as frames, workers

connect-src – what you can connect to ( fetch, WebSocket, EventSource )

form-action – where a <form> can submit to

img-src, media-src, object-src – where images, media and flash come from

style-src – where external stylesheets can come from

upgrade-insecure-requests – upgrades http to https

default-src – fallback, for when specific directive isn’t provided

For sources, the values it can take include 'none', 'self', 'unsafe-inline', 'unsafe-eval', as well as host sources like the ones above.
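The directive and source rules above, modelled as an added example (not code from the original notes): a small parser for the header value and a check that decides whether a given resource load is allowed, including the default-src fallback for directives that are not set. It is deliberately simplified, handling 'none', 'self', scheme sources (https:) and host sources only; paths, wildcards, nonces and hashes are out of scope. The page origin and the header strings used in the test are constructed for the example.

```javascript
// Added example, not from the original notes: a simplified model of how a browser
// reads a Content-Security-Policy header and decides whether a load is allowed.

// Parse "script-src 'self' https://a.com; font-src https://b.com" into a Map
// from directive name to its list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives that fall back to default-src when they are not set.
// (form-action and upgrade-insecure-requests do not fall back.)
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'media-src', 'object-src',
  'font-src', 'connect-src', 'child-src',
]);

// The source list that governs `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// Does one source expression match `resource` (a URL object) for a page at pageOrigin?
function sourceMatches(source, resource, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return resource.origin === pageOrigin;
  if (source.startsWith("'")) return false; // keyword, nonce or hash: not a host source
  // Scheme source such as "https:" matches any URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return resource.protocol === source.toLowerCase();
  // Host source. Simplification: a scheme-less host inherits the page's scheme.
  const withScheme = source.includes('://') ? source : `${new URL(pageOrigin).protocol}//${source}`;
  try {
    return new URL(withScheme).origin === resource.origin;
  } catch {
    return false; // unparsable host source never matches
  }
}

// Decide whether loading `url` for `directive` is allowed under `header`.
function isAllowed(header, directive, url, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // no directive applies: browser imposes no restriction
  const resource = new URL(url);
  return sources.some((s) => sourceMatches(s, resource, pageOrigin));
}

module.exports = { parseCsp, effectiveSources, sourceMatches, isAllowed };
```

The useful property to notice is the last test below: with `default-src 'none'` in place, an image from the page's own origin is blocked until img-src is added explicitly, which is exactly why a new policy is usually rolled out with the browser console (or a report-only header) open.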

To allow some inline JavaScript we could add a nonce attribute to the script tag and have the CSP script-src include that nonce

script-src 'nonce-rjfjrishahrE9' , but this needs to be generated fresh on every page load

Another way is to add a hash of the script’s contents ( sha256-38cjdj67839 ), which we can get once we enable CSP and the console error for the blocked inline script reports it. We could then add that sha256 value as a source in the CSP

Images, PDFs, etc. are also vectors for XSS attacks.