
KLEAP Institute of Information Security

Xross Site Scripting
By KIIS
What is Cross Site Scripting
Cross-site scripting is a type of attack in which malicious scripts are injected into websites and
web applications for the purpose of running on the client side or end user's device.

XSS has a wide range of effects

These include user session hijacking, malicious redirects, revelation of
sensitive data, CSRF attacks and other security flaws.
Types of Cross-site Scripting

•Reflected XSS

•Stored XSS

•DOM-Based XSS

•Blind XSS
Reflected XSS
•Reflected cross-site scripting (or XSS) occurs when an application receives data in an HTTP request
and includes that data in an unsafe manner within the immediate response.
How to find Reflected XSS
Reflected XSS is found in parameters or anything else that takes your input, so that
input point can be used as an injection point.
Stored XSS

Stored XSS is possible only when the application is designed to store user input. The attacker
would inject the code through requests to the application.
How to find stored XSS

The first thing to realise is that we need an input point that stores our data in the
database.
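Reflected and stored XSS share one root cause: user input reaches an HTML response without being escaped for the context it lands in. The following is an added example, not code from the KIIS slides, written for Node.js with a constructed in-memory comment store; the function names and the probe string are assumptions. It shows the vulnerable rendering for both cases beside the hardened version.

```javascript
// Added example (not from the KIIS slides): a minimal search page and comment
// feature showing the rendering bug behind reflected and stored XSS, beside
// the hardened version. Plain Node.js, no dependencies.

// Constructed in-memory "database" standing in for the application's storage.
const commentStore = [];

// Escape the characters that let user input break out of an HTML text context.
// '&' must be replaced first so the entities we emit are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Reflected XSS: the ?q= parameter is echoed into the immediate response as-is.
function searchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page, with the parameter escaped before it becomes HTML.
function searchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: the input is saved now and rendered to every later visitor.
function saveComment(author, body) {
  commentStore.push({ author, body });
}

function commentsPageUnsafe() {
  return commentStore.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join("\n");
}

// Hardened: escape at render time, in the HTML text context where the data lands.
// Escaping on the way in is not enough if the data is ever rendered elsewhere.
function commentsPageSafe() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Self-check with a constructed, harmless probe string (not a real payload).
function demo() {
  const probe = "<script>probe()</script>";
  saveComment("guest", probe);
  return {
    reflectedUnsafe: searchPageUnsafe(probe),
    reflectedSafe: searchPageSafe(probe),
    storedUnsafe: commentsPageUnsafe(),
    storedSafe: commentsPageSafe(),
  };
}

console.log(demo());
```

Run it with `node` and compare the four strings: the two "Unsafe" outputs still contain a live `<script>` element, the two "Safe" outputs contain only `&lt;script&gt;`, which the browser displays as text. The same escaping must be applied to the stored path at render time, because the database is not a trust boundary.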
DOM-Based XSS
DOM-based XSS is a type of cross-site scripting (XSS) vulnerability. A DOM-based XSS attack is
possible if the web application writes data to the Document Object Model (DOM) without proper
sanitization. The attacker can manipulate this data to include malicious JavaScript code.
Blind XSS

•Blind XSS vulnerabilities are the same as stored XSS: they occur when the attacker's input is
saved by the web server and executed as a malicious script in another part of the application or
in another application.
How to find blind XSS

This XSS is similar to stored XSS, but you won't get popups right away.

It depends on when the administrator or developer visits that page on the server side; at that
point you will receive an email alert.
Automation Tools To find XSS

•Param spider:- https://github.com/devanshbatham/ParamSpider
python3 paramspider.py --domain example.com -o xssParams.txt

•GAUPLUS:- https://github.com/bp0lr/gauplus
cat target.txt | gauplus -o urls3.txt

•Google dorks:- https://www.boxpiper.com/posts/google-dork-list

•Arjun params:- https://github.com/s0md3v/Arjun
arjun -i TargetURLs.txt -t 100 --passive -oT arjun_params.txt

•GF tool:- https://github.com/tomnomnom/gf
cat paramlist.txt | gf xss > xss.txt

•Nuclei :- https://github.com/projectdiscovery/nuclei
nuclei -u http://example.com/param?id=1 -tags xss

•Dalfox :- https://github.com/hahwul/dalfox
dalfox url [url]
Dirsearch :
Dirsearch is an advanced command-line tool designed to brute-force directories and files on web
servers (a web path scanner). It can reveal sensitive directory or file disclosure.

Link: https://github.com/maurosoria/dirsearch
Burp scan:
Burp Scanner uses PortSwigger's research to help its users automatically find a wide range
of vulnerabilities in web applications.


What is JavaScript Source and JavaScript Sink

A source, as the name denotes, is something responsible for accepting input. In JavaScript, a
source is an object property such as document.location, document.referrer or window.name, or a
parameter of the URL, that accepts user input. You can think of a source as an input parameter
that accepts some input from the user. A source can be present in any HTML form or in any URL of
the web page.

A sink is the reflection point that eventually executes the malicious JavaScript injected through
the source. You can think of a sink as an output (like the print or echo commands in PHP): a
JavaScript function or location that executes the code entered from the source.
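The DOM-based XSS slide and the source/sink explanation above describe the same thing from two sides: data read from a source such as location.hash ends up in a sink such as innerHTML. The following is an added example, not code from the KIIS slides, that implements the review check a defender would run over client-side JavaScript: a line-based scan that tracks which variables are assigned from a known source and reports lines where such data reaches an HTML- or code-interpreting sink. The source and sink lists, the function name, and the sample script are assumptions; it is a heuristic, not a full taint analysis.

```javascript
// Added example (not from the KIIS slides): a small source-to-sink scanner for
// client-side JavaScript, useful as a DOM XSS code-review aid. Line-based and
// heuristic; it will miss flows across function calls and may over-report.

// DOM XSS sources named on the slides plus a few standard ones (assumed list).
const SOURCES = [
  "location.hash", "location.search", "location.href", "document.URL",
  "document.referrer", "window.name", "document.location",
];

// Sinks that interpret a string as HTML or as code (assumed list).
const SINKS = [
  "innerHTML", "outerHTML", "insertAdjacentHTML", "document.write",
  "eval(", "new Function(", "setTimeout(", "setInterval(",
];

// Escape a variable name for use inside a RegExp.
const escRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const usesVar = (line, name) => new RegExp(`\\b${escRe(name)}\\b`).test(line);

function findDomXssCandidates(jsSource) {
  const tainted = new Set();   // identifiers assigned (directly or transitively) from a source
  const findings = [];
  jsSource.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;

    // 1. Track simple assignments: [var|let|const] name = <expr>
    //    and mark the name tainted if <expr> mentions a source or a tainted name.
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (assign) {
      const [, name, rhs] = assign;
      if (SOURCES.some(s => rhs.includes(s)) || [...tainted].some(t => usesVar(rhs, t))) {
        tainted.add(name);
      }
    }

    // 2. Report any sink line that also carries a source or a tainted identifier.
    const sink = SINKS.find(s => line.includes(s));
    if (!sink) return;
    const directSource = SOURCES.find(s => line.includes(s));
    const viaVar = [...tainted].find(t => usesVar(line, t));
    if (directSource || viaVar) {
      findings.push({ line: lineNo, sink, source: directSource || `variable '${viaVar}'` });
    }
  });
  return findings;
}

// Constructed sample script: two unsafe flows, one safe write, one clean timer.
const SAMPLE_JS = [
  'const name = decodeURIComponent(location.hash.slice(1));',
  'const greeting = "Hello, " + name;',
  'document.getElementById("greet").innerHTML = greeting;',
  'document.getElementById("safe").textContent = greeting;',
  'const ref = document.referrer;',
  'document.write("<a href=\'" + ref + "\'>back</a>");',
  'setTimeout(function () { render(); }, 100);',
].join("\n");

console.log(findDomXssCandidates(SAMPLE_JS));
```

On the sample script the scanner reports line 3 (innerHTML fed by `greeting`, which was derived from `name`, which came from location.hash) and line 6 (document.write fed by `ref`, which came from document.referrer). Line 4 is not reported because textContent treats the data as text, and line 7 is not reported because the setTimeout call carries no tainted data. That distinction, text sink versus HTML or code sink, is exactly the fix for DOM-based XSS.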
HTML DOM
The HTML DOM is the skeletal structure in which all the HTML tags (called elements here), including
the JavaScript code of an HTML document, are arranged in hierarchical order; this is called the
Document Object Model. An example of an HTML DOM is shown in the screenshot below.
