Introduction to XSS

Cross-Site Scripting (XSS) is a security vulnerability in web applications that allows attackers to inject malicious scripts into pages viewed by other users. This can result in cookie theft, session manipulation, and other attacks that compromise both user security and application integrity.

Types of XSS

• Reflected: The malicious code is reflected directly from the user's input, such as in a search field.
• Stored: The code is stored on the server (e.g., in a database) and displayed to users on subsequent visits.
• DOM-Based: The malicious code modifies the DOM environment in the user's browser without going through the server.

Reflection Check Strategy before XSS Payloads

Method

1. Send a single request with the value "TOKEN1337": First, send an HTTP request where one of the parameters (e.g., "text") contains a specific and easily identifiable value, such as "TOKEN1337". This is to check if the user input is reflected in the server's response.

   GET /search?text=TOKEN1337 HTTP/1.1
   Host: example.com

2. Check if "TOKEN1337" is reflected in the response with Content-Type "text/html": Analyze the server's response to see if the value "TOKEN1337" appears on the webpage. Additionally, verify that the `Content-Type` of the response is "text/html", indicating that the content returned is HTML.

   HTTP/1.1 200 OK
   Content-Type: text/html
   ...
   <html>
   <body>
       <p>Search results for: TOKEN1337</p>
   </body>
   </html>

3. If "TOKEN1337" is reflected in the response: This indicates that the user input is reflected in the page, making the page susceptible to XSS. In this case, proceed to test with your 20 XSS payloads.
4. Conditional Payload Testing: If the token "TOKEN1337" is reflected, send the XSS payloads one by one. If a payload is reflected and successful, stop sending more payloads, as one success is sufficient to confirm the vulnerability.

Advantages

• Fewer Requests:
  • Efficient Strategy: Only make a maximum of 21 requests per parameter if "TOKEN1337" is reflected (1 to verify reflection and up to 20 to test XSS payloads, stopping at the first success).
  • Resource Saving: This strategy minimizes the number of requests sent, reducing the load on the server.
• Performance Efficiency:
  • Reduced Server Load: By sending fewer requests, you reduce server resource consumption, which can prevent rate limiting or IP blocking due to suspicious behavior.
  • Fewer Interruptions: Less likely to trigger server defense systems (like WAFs) that detect and block your traffic.
• Effectiveness:
  • Intelligent Detection: By first identifying if the input is reflected, you can decide not to waste resources testing XSS payloads if there is no evidence of reflection, indicating a lower likelihood of XSS vulnerability.
  • Optimized Testing: This allows focusing testing efforts only on parameters that are more likely to be vulnerable.

Example Workflow

1. Send a request with "TOKEN1337" in the "text" parameter.
2. Check if "TOKEN1337" is reflected in the response with `Content-Type: text/html`.
3. If reflected, send XSS payloads one by one until finding a successful one or completing the 20 payloads.

Exhaustive Testing Strategy with 20 XSS Payloads

Method

1. Send 20 requests with different XSS payloads directly in each parameter: Instead of a preliminary check, directly send 20 requests with different XSS payloads in each parameter to see if any of them execute.

   GET /search?text=<script>alert('XSS1')</script> HTTP/1.1
   Host: example.com
   ...
   GET /search?text=<svg/oNLoAd=alert('XSS')> HTTP/1.1
   Host: example.com
   ...

Disadvantages

• Higher Number of Requests:
  • Inefficient Strategy: You perform 20 requests per parameter, regardless of whether it is vulnerable, resulting in a total of 60 requests for the three parameters.
  • Server Load: This can cause server overload, increasing the possibility of being detected and blocked.
• Inefficient Use of Resources:
  • Bandwidth Consumption: More bandwidth and server resources are used without a preliminary check to see if there is a possible vulnerability.
  • Resource Waste: Many of these requests may be unnecessary if the parameter is not reflected in the response.
• Potential False Negatives:
  • Basic Defenses: If the application has some form of basic defense that does not encode all inputs but encodes dangerous inputs, you may get false negatives.
  • Incomplete Detection: This can result in incomplete detection of potential vulnerabilities.
• Potential Security and Performance Issues:
  • Blocking and Restrictions: Sending many requests with potentially dangerous payloads could result in being blocked or restricted due to suspicious or malicious activities.
  • Service Interruption: You could cause service interruptions due to server overload.

Additional Optimizations:

Distributing Traffic to Avoid WAF Blocks

To avoid being blocked by protection systems like Web Application Firewalls (WAF), it is useful to distribute test traffic across different servers with different IP addresses. This can be done in the following ways:

• Using Rotating Proxies: Configure rotating proxies to change the source IP with each request.
• Load Balancing: Use load balancers to distribute requests among multiple servers.
• Setting Up Multiple IPs: Run tests from multiple servers located in different networks or regions.

Advantages

• Avoid Blocking: Reduces the likelihood that a WAF will detect and block requests based on the behavior of a single IP.
• Improved Discretion: Makes tests less detectable as malicious behavior, simulating normal traffic from multiple users.
• Load Distribution: Reduces load on a single server by distributing work among multiple origin points.

Encoding Techniques:

Other strategies can be used to optimize the detection of reflected values and subsequent XSS payloads:

• URL Encoding: Encode "TOKEN1337" as "%54%4F%4B%45%4E%31%33%33%37". If the server response reflects "TOKEN1337" in clear text, proceed with URL-encoded XSS payloads.
• Double URL Encoding: Encode "TOKEN1337" as "%2534%254F%254B%2545%254E%2531%2533%2533%2537". If reflected, test with double URL-encoded payloads.
• Base64 Encoding: Encode "TOKEN1337" in Base64 as "VE9LRU4xMzM3". If the server reflects this value in clear text, proceed with Base64-encoded payloads.

JavaScript Injection in a Script Context

Often, we focus on finding XSS by sending a JavaScript payload and checking if it is reflected in the response. However, it's also possible to inject the JavaScript code directly without the <script> tags and look for reflections within existing <script> tags. If the input is reflected within a <script> tag and allows for escaping the original code using ", ', or other characters, you could inject JavaScript code without needing <script> tags. For example, using '-alert('XSS')-'.

Example Request and Response

POST /submit-comment HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

username=johndoe&comment='-alert('XSS')-'&submit=Post+Comment

Response:

HTTP/1.1 200 OK
Content-Type: text/html
...
<html>
<head>
    <script>
        var userComment = "-alert('XSS')-";
        // Some other script code
    </script>
</head>
<body>
    ...
</body>
</html>

In this example, the input '-alert('XSS')-' is reflected within a <script> tag. This reflection allows an attacker to escape the original script context and execute arbitrary JavaScript code.

Conclusion

Testing first with a test value like "TOKEN1337" to see if it is reflected is a more efficient and effective strategy. It reduces the number of necessary requests, saves resources, and improves the chances of finding relevant vulnerabilities without unnecessarily alerting or overloading the server infrastructure. Additionally, distributing traffic across different servers can prevent WAF blocks and improve the discretion of tests. Using encoding techniques such as URL encoding, Base64 encoding, and HTML encoding can further optimize the detection process. Lastly, checking for JavaScript reflections within existing <script> tags without the need for <script> tags in the payload can be an effective method to uncover hidden XSS vulnerabilities. This technique is an intelligent way to conduct penetration testing, especially in real environments where efficiency and discretion are crucial.