• What - User content is rendered as HTML

• How - The server unsafely puts user content into the response body of a request. The browser interprets the payload as if it was legitimate HTML

Reflected XSS

The payload is part of user input
(i.e. URL bar, inside a cookie, etc)

Demo: Reflected XSS

website.com/?q=<img onerror="alert('pwned!')" src="http://google.com">

Stored XSS

The payload is stored in some sort of database.

Arguably more dangerous… Anyone who opens a page that returns content from that same database may be victim to a stored XSS attack

• Twitter Hack

Demo: Stored XSS

DOM-based XSS

The client pieces together data which eventually becomes an exploit itself.

i.e. document.write(...)

• Validation - Blacklisting / whitelisting of input
• Sanitisation - Remove unsafe tags and attributes
• Encode - Escape data so it’s not a control character

Defense

Don’t use .innerHTML or .outerHTML

use .innerText or .textContent

Demo: DOM XSS

JS Frameworks

X-XSS-Protection header

Turn it off, it’s broken 🔥 🌊🚒

✅ X-XSS-Protection: 0

• Sometimes causes client-side errors on real code
• Has its own vulnerabilities

"Firefox never supported X-XSS-Protection and Chrome and Edge have announced they are dropping have dropped support for it.“

Only allow scripts / images / styles / … from ____

it kinda OP.

• block eval(), inline scripts, iframes
• whitelist by scheme, domain, path, …
• nonce
• checksum
• reporting
• …

Implementation

• Define CSP inside HTTP headers, ortags
• Meta tags have a lesser CSP capability
  • (in case you can override meta tags)
  • But still has its flaws…

Exploits

• Exploiting trust
  • Redirected
  • Code Execution
  • Inheritance
• Invalidating restrictions
  • Corrupt the CSP header
  • Response splitting