Reflected and Stored XSS




XSS attacks can be divided into two categories: Reflected XSS attacks and Stored XSS attacks.

Reflected attacks happen when the malicious code is sent to the target website and the XSS-infected page is returned immediately.

The example in the previous lesson was a Reflected attack.

For this type of attack to succeed, the attacker must trick the victim into clicking on a malicious link or into opening a malicious page (which can redirect the victim to the target website).


A Stored attack happens automatically when the victim opens a compromised website.

This kind of attack takes place in two stages:

  1. First, the attacker compromises the target website by injecting the XSS code into the website storage space (usually the database).
  2. Then, every time a user loads the page the XSS code is retrieved and executed.

This attack is possible in many contexts where the attacker is allowed to save some data, for example in forum posts or in blog comments.




Stored XSS example

Let's see an example of Stored XSS attack.

Suppose you have an online forum where users can add their signature. The signature is added automatically to each message the users post on the forum.

The signature is stored on the database, and it's retrieved and added to the HTML code like this:

Usually, a signature is a mix of text and images. But what if a malicious user adds something more?

For example, take a look at the following signature code:

If a malicious user sets its signature like that, every forum user will see the signature containing a fake image like this:

The JavaScript code embedded in the signature creates a link with the page's cookies, including the forum's Session ID.

When the users' browsers try to load the image following the link, the Session IDs are sent to the attacker's website.

Then, the attacker can save the IDs and use them to impersonate any user on the forum.


Lesson Key Point

STORED XSS ATTACKS TARGET ALL THE USERS OF THE COMPROMISED WEBSITE.




The attacker can inject any JavaScript code inside the signature and perform much more complex operations.

Moreover, because the code is executed by the victim user, all the operations are executed with the privileges of the victim user.

For example, the attacker can inject an AJAX-based request that:

  1. reads the user's private page on the website;
  2. gets its sensitive data like the email address and the phone number;
  3. finally sends everything to the attacker's site.


XSS attacks can also make the victim users perform disruptive operations, like deleting the users' posts on the forum.

So, how do you defend against these dangerous attacks?

Let’s find out in the next lesson.


Lesson takeaways

  • Stored XSS attacks target all the users of the compromised website.
  • An attacker can leverage an XSS vulnerability to obtain the users' private data.
  • XSS attacks can also force the victim users to perform disruptive operations.



Discussion

2 comments