XSS Back Button - I Can See You From Behind

Summary :

While the goal of an XSS attack is always to execute malicious JavaScript in the victim’s browser, there are a few fundamentally different ways of achieving that goal.

Reflected XSS is delivered by attaching the malicious script to the end of a URL or link. Code on the end of a URL may be easy to spot, but there are techniques for hiding it, and link-shortening services make this especially dangerous.

In a reflected XSS attack, the malicious string is part of the victim’s request to the website. The website then includes this malicious string in the response sent back to the user.

Basic Diagram :

How it works

In my case, when I entered the payload it was sanitized at that point in time, but when I clicked on the back button the XSS executed.

How did this happen?

When I clicked on the back button, the JavaScript code used the previous URL to go back to the previous page, in which I had entered the payload (URL parameter). So in this situation, when I clicked on the back button my payload was executed.

How to find this vulnerability?

  1. Go to your target URL https://www.website.com/ and use Burp Suite (Spider the website) to find parameters or search boxes.
  2. In my case I got a search box, so I entered a very old payload "><svg/onload=alert(333)> which is obsolete but still works.

Payload

  3. When I pressed enter my payload got sanitized.

Source Code Sanitized

  4. Then I pressed the back button and the payload got executed.

Source Code 2

I don’t know why it showed alert(1) in the source code and got executed as alert(333).

Mitigation :

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

  • Filter input on arrival - At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
  • Encode data on output - At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use appropriate response headers - To prevent XSS in HTTP responses that aren’t intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
  • Content Security Policy - As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
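
The "encode data on output" measure applied to the back-button case described above, as an added example that is not the tested site's code. It assumes the page builds its back link from the previous URL; the function names and the sample URL are constructed for illustration.

```javascript
// Added example: names and the sample URL are assumptions, not the tested site's code.
const SITE_ORIGIN = "https://www.website.com"; // placeholder host used in the write-up

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// VULNERABLE: the previous URL is decoded and concatenated into markup as-is,
// so a sanitized search page can still leak the raw parameter through the back link.
function renderBackLinkUnsafe(prevUrl) {
  return '<a href="' + decodeURIComponent(prevUrl) + '">Back</a>';
}

// Accept only same-origin URLs; anything else falls back to the home page.
function safeBackHref(prevUrl) {
  try {
    const u = new URL(prevUrl, SITE_ORIGIN);
    if (u.origin !== SITE_ORIGIN) return "/"; // rejects javascript:, data:, other hosts
    return u.pathname + u.search; // re-serialized (percent-encoded) by the URL parser
  } catch {
    return "/";
  }
}

// HARDENED: validate the URL first, then encode it for the attribute context.
function renderBackLink(prevUrl) {
  return '<a href="' + escapeHtml(safeBackHref(prevUrl)) + '">Back</a>';
}

// Constructed sample: a search URL carrying the payload from the write-up.
const SAMPLE_PREV =
  SITE_ORIGIN + "/search?q=" + encodeURIComponent('"><svg/onload=alert(333)>');
```

In a browser, assigning the validated value with `link.setAttribute("href", ...)` or `textContent` instead of building an HTML string removes the markup sink altogether.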

Thank You :)

Instagram : jerry._.3

Summary Courtesy : Ramya Shah Sir (Gujarat Forensics Sciences University)

Happy Hacking ;)
