Stored Cross Site Scripting (XSS)

Share on :

Stored XSS and also knows as Persistent XSS is a cross-site scripting attack that involves storing the attack vector improperly (without sufficient filtering) in database and later the app delivers the attack vector to victims that will visit the exploited page

Impact

High

Example of Vulnerable code (DVWA):

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = mysql_real_escape_string( $message );

    // Sanitize name input
    $message = stripslashes( $message );
    $name = mysql_real_escape_string( $name );

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    //mysql_close();
}

Normal Request

POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

txtName=John+Doe&mtxMessage=This+is+a+normal+message+&btnSign=Sign+Guestbook

Normal Reply

HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 14:03:09 GMT
Server: Apache/2
X-Powered-By: PHP/5.6.23

<div id="guestbook_comments">Name: John Doe<br />Message: This is a normal message<br /></div>

In the previous code , it shows how the web app deals with user data before storing it into mysql database , it didn't filter the code from special characters that can cause XSS attack when its delivered to the user without proper filters for example in this case <, >

so an attacker can now exploit this mistake as below:

  1. go to vulnerable page and post the following data:
    Name : Any desired name
    Message : <script> ... Evil code ... </script>

Result

Malicious Request

POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

txtName=Evil_Guy&mtxMessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&btnSign=Sign+Guestbook
  1. when a victim check the vulnerable page which contain the malicious script , the code will execute at his browser

Malicious Reply

HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 14:03:09 GMT
Server: Apache/2
X-Powered-By: PHP/5.6.23

<div id="guestbook_comments">Name: Evil_Guy<br />Message: <script> alert(1) </script> <br /></div>

Result

Mitigation:

Fixed code:

as mentioned in (Mitigations)(mitigations.md) we have used the htmlspecialchars() method to escape our input correctly

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input
        $message = stripslashes( $message );
        $message = mysql_real_escape_string( $message );
        $message = htmlspecialchars( $message );

        // Sanitize name input
        $message = stripslashes( $message );
        $name = mysql_real_escape_string( $name );
        $name = htmlspecialchars( $name );

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    //mysql_close();
}

Example of Stored XSS Attacks locations:

Social network:

  1. Posts
  2. Comments
  3. User to user messages
  4. User profile (eg. Bio, Address, Job)

Shopping platform:

  1. User review
  2. Product title, description
  3. User/Vendor profile