Exploiting Clients Using XSS and CSRF Flaws
The DOM (Document Object Model) is the logical structure that defines the attributes of the objects in a web page (text, images, headers, links) and the ways in which they are represented. It also defines the rules for manipulating them.
The alert() method is often used for demonstration purposes and to test whether the application is vulnerable.
Major categories of XSS:
- Persistent XSS (stored XSS)
- Reflected XSS (non-persistent XSS)
- DOM XSS
Defence against DOM-based XSS:
One of the key defence methods is to avoid building the HTML page from client-side data. Two sinks that do exactly that:
- document.write(): document.write('City name=' + userinput);
- eval(): var txtUserInput = "'Mumbai';alert(x);"; eval("document.forms." + "Cityname=" + txtUserInput);
Further measures: encode the user input before using it in client-side code, use string delimiters, and wrap the user data in a custom function.
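The two sinks above beside the encoding defence, as an added JavaScript example that is not part of the original notes. It runs under Node: the unsafe builders only return the string that would have reached document.write() or eval() instead of executing it, and a plain object stands in for the form field.

```javascript
// Added example: the document.write() and eval() sinks from the notes, and a defensive
// replacement. Nothing here executes user input; the unsafe functions return the string
// that the sink would have received so the injection point is visible.

// Constructed inputs of the shape the notes use: one closes a string literal and
// appends a statement, the other carries raw markup.
const SAMPLE_EVAL_INPUT = "'Mumbai';alert(x);";
const SAMPLE_HTML_INPUT = 'Mumbai<script>alert(x)</script>';

// Unsafe pattern 1: concatenation destined for document.write().
// Any markup in userInput becomes part of the page.
function buildCityMarkupUnsafe(userInput) {
  return 'City name=' + userInput;
}

// Unsafe pattern 2: user data concatenated into a string handed to eval().
// The single quote in the input ends the literal and the rest runs as code.
function buildEvalStringUnsafe(userInput) {
  return "document.forms.Cityname.value='" + userInput + "'";
}

// Defence 1: encode user input before it is placed in HTML.
function encodeForHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

function buildCityMarkupSafe(userInput) {
  return 'City name=' + encodeForHtml(userInput);
}

// Defence 2: never route user data through eval(); assign it as data.
// On a real element, textContent stores the value as text, so no markup is parsed.
// formField is a hypothetical element-like object ({ textContent: '' }) for this demo.
function setCityName(formField, userInput) {
  formField.textContent = String(userInput);
  return formField.textContent;
}
```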
Impact of an XSS flaw:
- Account hijacking
- Altering contents
- Defacing the complete website
- Running a port scan from the victim's machine
- Logging keystrokes
- Stealing browser information
Scanning for XSS flaws:
- OWASP Zed Attack Proxy (ZAP)
Cross-site request forgery (CSRF):
- Changing user details such as e-mail address and date of birth in a web application
- Making fraudulent banking transactions
- Fraudulent upvoting and downvoting on websites
- Adding items to the cart without the user's knowledge on an e-commerce website
Conditions for a CSRF attack:
- The victim must have an active authenticated session with the target web application. The application must also allow transactions within a session without asking for re-authentication.
- CSRF is a blind attack: the response from the target web application is sent to the victim, not the attacker. The attacker must therefore know the parameters on the website that trigger the intended action.
- The attacker needs to find a way to trick the user into clicking a pre-constructed URL or, if the target application uses the POST method, into visiting an attacker-controlled website.
Ways to deliver the forged request:
- Image tag
- Script tag
- Using the POST method
The best way to analyze an application for CSRF flaws is to first gain a complete understanding of the web application's functionality. Fire up a proxy such as Burp or ZAP and capture traffic to analyze the requests and responses.