So, on that note, use the example to determine if a Cross Site Scripting vulnerability exists, but when reporting, think through how the vulnerability could impact the site and explain that. By that, I don’t mean tell the company what Cross Site Scripting is, but explain what you could achieve with this that directly impacts their site.
Part of that should include identifying which kind of Cross Site Scripting you are reporting, as there’s more than one:
- Reflective XSS: These attacks are not persisted, meaning the XSS is delivered and executed via a single request and response.
- Stored XSS: These attacks are persisted, or saved, and then executed when a page is loaded to unsuspecting users.
- Self XSS: These attacks are also not persisted and are usually used as part of tricking a person into running the XSS themselves.
When you are searching for vulnerabilities, you will often find that companies are not concerned with Self XSS; they only care when their users could be impacted through no fault of their own, as is the case with Reflective and Stored XSS. However, that doesn’t mean you should totally disregard Self XSS.
If you do find a situation where Self XSS can be executed but not stored, think about how that vulnerability could be exploited: is there something you could combine it with so that it is no longer a Self XSS?
While Samy’s exploitation wasn’t overly malicious, XSS exploits make it possible to steal usernames, passwords, banking information, etc. Despite the potential implications, fixing XSS vulnerabilities is often easy, only requiring software developers to escape user input (just like HTML injection) when rendering it. Some sites also strip potentially malicious characters when an attacker submits them.
Report Link: https://hackerone.com/reports/106293
Date Reported: December 21, 2015
Bounty Paid: $500
When searching for XSS vulnerabilities, here are some things to remember:
- Test Everything
Regardless of what site you’re looking at and when, always keep hacking! Don’t ever think that a site is too big or too complex to be vulnerable. Opportunities may be staring you in the face asking for a test, like wholesale.shopify.com. The stored Google Tag Manager XSS was a result of finding an alternative way to add tags to a site.
- Vulnerabilities can exist on any form value
For example, the vulnerability on Shopify’s giftcard site was made possible by exploiting the name field associated with an image upload, not the actual file field itself.
- Always use an HTML proxy when testing
- XSS vulnerabilities occur at the time of rendering
Check whether the site is filtering input vs escaping output. If it’s the former, look for ways to bypass the input filter, as developers may have gotten lazy and aren’t escaping the rendered input.
- Test unexpected values
Check out the OWASP XSS Filter Evasion Cheat Sheet.
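The "filtering input vs escaping output" point above, as an added example that is not from the original post or the cited report. It stores a constructed image-upload "name" value, renders it with no defence, with a one-pass input filter, and with escaping at render time, and checks which rendered page still carries a live script element. The filter, the render functions and the sample strings are all assumptions written for this illustration.

```python
import html
import re

# Constructed sample inputs standing in for the "name" field of an image
# upload form (written for this page, not taken from any real report).
SAMPLE_NAME = 'holiday <script>alert(document.cookie)</script>'
NESTED_NAME = 'holiday <scr<script>ipt>alert(1)</scr</script>ipt>'

SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def filter_input(value: str) -> str:
    """Naive input filter applied once at submission: strip <script> tags.
    It runs before the value is stored, knows nothing about where the value
    will later be rendered, and makes a single pass over the string."""
    return SCRIPT_TAG.sub('', value)


def render_unsafe(name: str) -> str:
    """Vulnerable rendering: the stored value is concatenated straight into HTML."""
    return f'<p>Uploaded by: {name}</p>'


def render_escaped(name: str) -> str:
    """Fixed rendering: escape at the moment of output, for the HTML body
    context the value lands in. html.escape turns < > & " ' into entities."""
    return f'<p>Uploaded by: {html.escape(name, quote=True)}</p>'


def has_script_tag(markup: str) -> bool:
    """Check used to judge a rendered page: does it contain a live <script> element?"""
    return SCRIPT_TAG.search(markup) is not None


def compare(name: str) -> dict:
    """Render the same untrusted value three ways and report which results
    still contain an executable <script> element."""
    return {
        'no_defence': has_script_tag(render_unsafe(name)),
        'filter_input_only': has_script_tag(render_unsafe(filter_input(name))),
        'escape_output': has_script_tag(render_escaped(name)),
    }


if __name__ == '__main__':
    for label, name in (('plain', SAMPLE_NAME), ('nested', NESTED_NAME)):
        print(label, compare(name))
```

The single-pass filter looks sufficient for the plain sample but leaves a script element behind for the nested one, while escaping at render time neutralises both; that is why the fix belongs where the value is rendered.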