# XSS

Cross-site scripting (XSS) is used to execute malicious JavaScript in a user's web browser, for example to steal users' JWT tokens, CSRF tokens, and cookies.

#### XSS types

1. Reflected
2. Stored
3. DOM-based

## <mark style="color:yellow;">Reflected XSS</mark>

Since our input is reflected back without any XSS protection, we can easily execute malicious JavaScript in users' browsers if they visit the crafted link.

We can test for reflected XSS (RXSS) by checking whether the GET parameter "error" is reflected into the page shown in the user's browser.

For example:

* an application that produces an error message when you type in the wrong username and password, and the GET parameter "error" is reflected back into the user's browser

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2F5NrTmARy5nHRhMWmaKud%2Fimage.png?alt=media&#x26;token=e1dde500-676d-4025-a34e-d6137b6cf665" alt=""><figcaption><p>Possible XSS</p></figcaption></figure>

* If the application doesn't protect against XSS, we could insert malicious JS code into that parameter

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2Fpi6xAq8yJ2hVzPrq3FqD%2Fimage.png?alt=media&#x26;token=dbf7bbf2-fc98-420a-b156-e5a187824ad3" alt=""><figcaption><p>XSS payload triggering</p></figcaption></figure>
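The login error message above, as an added example that is not part of the original page: the "error" GET parameter is rendered back into the response, first the way the vulnerable application does it and then with output encoding. Function names and the sample query strings are this example's own assumptions.

```javascript
// Added example, not code from the original page. It models the login error message
// from the reflected-XSS walkthrough: the "error" GET parameter is rendered back into
// the page. Function and sample names are this example's own assumptions.

// Constructed sample query strings, as a browser would send them.
const NORMAL_QUERY = "?error=Invalid%20username%20or%20password";
const MARKUP_QUERY = "?error=%3Cb%3Ehello%3C%2Fb%3E"; // decodes to <b>hello</b>

function getErrorParam(queryString) {
  return new URLSearchParams(queryString).get("error") ?? "";
}

// Vulnerable pattern: the raw parameter is concatenated straight into the HTML
// response, so any markup in it becomes part of the page.
function renderErrorUnsafe(queryString) {
  return `<div class="error">${getErrorParam(queryString)}</div>`;
}

// Output encoding: every character that can switch HTML context is replaced by
// its entity, so the browser displays the text instead of interpreting it.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: same template, but the untrusted value is encoded on output.
function renderErrorSafe(queryString) {
  return `<div class="error">${escapeHtml(getErrorParam(queryString))}</div>`;
}

// Regression check for the template: the only tags the output may contain are the
// wrapper div itself. Any other tag means untrusted input reached the HTML context.
function containsOnlyWrapperTags(html) {
  const tags = html.match(/<[^>]+>/g) ?? [];
  return tags.every((t) => t === '<div class="error">' || t === "</div>");
}

// For DOM-based code the same rule applies on the client: assign the parameter with
// element.textContent rather than element.innerHTML so it is never parsed as HTML.
```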

## <mark style="color:yellow;">Stored XSS</mark>

Stored XSS persists in the application. It usually occurs when an application takes user-supplied input and stores it in the backend database.

Normally it is introduced through POST, PUT, UPDATE, and DELETE requests, since those are the requests used to make changes to a database.

For example:

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FB7LLVnWJ1BT8DCaMPwQx%2Fimage.png?alt=media&#x26;token=99217fa8-fca7-4bba-9460-fb4b7e3d9761" alt=""><figcaption><p>XSS description</p></figcaption></figure>

* Assume that the username you create is stored in the backend database.
* If you put a malicious JavaScript payload in your username, it is stored in the backend database as well.
* If the application isn't blocking XSS attacks, then whenever someone visits the members' list page your username is retrieved from the backend database and your XSS payload triggers in their browser.

#### Stored XSS via SVG file

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. It supports inline JS code and can also be treated as an image in HTML.

For example:

* an SVG file that shows an alert message:

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FBItPK6GqQSZGWwzmTERY%2Fimage.png?alt=media&#x26;token=ae4f4e8d-67cd-4dfc-90c9-29e9b8af6dcc" alt=""><figcaption></figcaption></figure>

* An SVG file can be placed in an image tag and it will be rendered:

```html
<img src="test.svg" alt="Test" />
```

One easy way to test for this vulnerability is to upload an SVG file as your profile picture:

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2Flk61QkMV7QVNUBK47FFB%2Fimage.png?alt=media&#x26;token=5b3e7c78-9af3-47de-b702-61e37f9fba6b" alt=""><figcaption></figcaption></figure>

Once the image is uploaded, find out what path it was uploaded to by right-clicking the image and selecting "Copy image address". If everything worked, your payload executes when you view the image directly at that path.

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FedvjCfXZJZa4l2ZJE8PM%2Fimage.png?alt=media&#x26;token=0837ac33-0c86-4a04-9093-15591ece50c5" alt=""><figcaption><p>XSS payload triggering</p></figcaption></figure>

## <mark style="color:yellow;">DOM XSS</mark>

Document Object Model (DOM) based XSS:

* occurs when an application takes user-supplied input and passes it to a JavaScript function that uses the input to modify the DOM environment.
* can be delivered via either reflected or stored input; the difference is that the payload is executed by the page's own client-side JS rather than by the server's HTML response.

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FEGB8pfueescBk9eBJz37%2Fimage.png?alt=media&#x26;token=6cb972bb-0c08-46b6-b34d-8c707433e7e4" alt=""><figcaption><p><strong>An example of DOM-based XSS</strong></p></figcaption></figure>
