Documentation - Reflected XSS

Cross-Site Scripting, or XSS, is by far the most common vulnerability on the web. It goes by many names, among them “guestbook vulnerability”, because guestbooks (pages that redisplay whatever visitors submit) are where these flaws became widespread. An XSS flaw is characterized by the possibility of injecting arbitrary code into the HTML that the browser will render. In other words, the attacker can alter how the site looks or inject scripts into what the victim then sees on screen.

Prerequisites

To follow the whole article, you will need to:

  • Know HTML
  • Know the basics of PHP and Javascript
  • Know what an XSS is

Introduction

There are several types of XSS vulnerabilities; this article covers reflected XSS.

Reflected XSS vulnerabilities arise when user-supplied data is used in a script of some kind without being modified, typically an online simulator or a statistics page. Because the data is not altered, one can add a “script within the script”, which is then executed itself.

That said, since the attacker only modifies the data that is to be processed, the XSS only affects the page as seen by the user who submitted it. This may seem benign, but it is far less so when the attacker combines it with social engineering and spreads booby-trapped pages this way. This kind of vulnerability is often used in spam campaigns to tarnish a site's image (redirects, appearance changes) or to steal information (phishing).

Definition

A reflected XSS is a type of XSS in which the user input arrives in a URL parameter and that parameter is displayed on the page.

Explanation of the vulnerability

As an example, take a page of a site that displays the results of the user's search.

Here is the PHP code of the vulnerable page:

<form action method="get">
<input type="text" name="search" id="search">
<input type="submit" value="Search">
</form>

<?php
// Vulnerable on purpose: the raw "search" parameter is written into the
// HTML response without any escaping, so tags in it reach the browser intact.
if(isset($_GET['search'])) {
    echo 'Search results "' . $_GET['search'] . '"';
}
?>

The interesting part of this code is the echo statement, which outputs the content of the search parameter without any filtering. This lets us enter tags that are sent to the browser unfiltered, and the browser interprets them like any other HTML tag on the page.

For example, if we submit <b>hello</b> in the search field, the page renders hello in bold.

The echo statement pasted the unfiltered HTML tags into the page, and the browser interpreted the b tags.

You may be wondering why it is dangerous for a user to display a message in bold. The reason is that if the output of echo is interpreted as b tags, it will just as well be interpreted as script tags.

Exploitation

Now that our tags are interpreted, we can move on to exploitation. By entering <script>alert()</script>, the script is executed when the page loads and the alert is displayed. Once we can execute JavaScript, we can, for example, retrieve the cookies of other users.
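The following is an added example, not code from the original article: it places the article's unfiltered echo next to a hardened version that encodes the parameter for an HTML text context before it reaches the browser, and runs both over the two inputs the article uses (constructed inputs). The function names render_search_vulnerable, render_search_safe and search_param are assumptions made for this example; htmlspecialchars, ENT_QUOTES and ENT_HTML5 are PHP's own.

```php
<?php
// Added example (not from the original article). Function names are assumptions.

// Vulnerable: reproduces the article's echo, which pastes the raw
// parameter straight into the HTML response.
function render_search_vulnerable(string $search): string
{
    return 'Search results "' . $search . '"';
}

// Hardened: encode the parameter for an HTML text context. ENT_QUOTES also
// encodes ' and ", so the same call stays correct if the value is later
// placed inside a quoted attribute. The charset must match the page's.
function render_search_safe(string $search): string
{
    $escaped = htmlspecialchars($search, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Search results "' . $escaped . '"';
}

// Edge case: ?search[]=x makes $_GET['search'] an array, which
// htmlspecialchars rejects. Accept only a plain string, otherwise null.
function search_param(array $query): ?string
{
    if (isset($query['search']) && is_string($query['search'])) {
        return $query['search'];
    }
    return null;
}

// Self-check with the two inputs the article uses (constructed here).
$inputs = ['<b>hello</b>', '<script>alert()</script>'];
foreach ($inputs as $in) {
    printf("input:      %s\n", $in);
    printf("vulnerable: %s\n", render_search_vulnerable($in));
    // hardened output for the second input:
    // Search results "&lt;script&gt;alert()&lt;/script&gt;"
    printf("hardened:   %s\n\n", render_search_safe($in));
}

// Array parameter is refused instead of crashing the page.
var_dump(search_param(['search' => ['x']]));   // NULL
var_dump(search_param(['search' => 'hello'])); // string(5) "hello"

// Applied to the article's page, the fix is a one-line change to the echo:
//
// $search = search_param($_GET);
// if ($search !== null) {
//     echo render_search_safe($search);
// }
```

htmlspecialchars is the right tool only because the value lands in HTML body text (or, with ENT_QUOTES, in a quoted attribute). If the same parameter were ever written into a script block, an inline event handler or a URL, it would need the encoding for that context instead; output encoding that does not match the context is the usual reason an "escaped" reflection still executes.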

References