Cross-Site Scripting (XSS)

Fillestar 16 min Siguria e Aplikacioneve Web

Hyrje

Cross-Site Scripting is a class of vulnerabilities where untrusted data ends up as executable code in another user's browser.

Teoria

There are three main flavors. Reflected XSS occurs when user input is immediately echoed back in a response without encoding — for example, a search page that renders ?q= directly into the HTML. Stored XSS is worse: the malicious payload is saved on the server (in a comment, profile field or message) and executed in every viewer's browser. DOM-based XSS happens entirely client-side when JavaScript reads user-controlled input and writes it to the DOM without sanitization. A successful XSS payload runs with the full privileges of the victim's session. It can read cookies (if they lack the HttpOnly flag), exfiltrate data, perform actions as the user, install a keylogger, or pivot to other parts of the application. In modern single-page apps the impact is often full account takeover because session tokens and state are held in memory. Defenses are layered: context-aware output encoding (HTML, attribute, JavaScript, URL), Content Security Policy (CSP) with a nonce on trusted scripts, HttpOnly cookies, and strict framework templating such as Angular and React that auto-escape interpolated values. The most common mistake is using a sanitization library as a blacklist; the right approach is to encode on output based on where the data will be rendered.

Mjetet

Mjete për XSS:

  • Burp Suite + XSS Validator.
  • XSStrike, DalFox — CLI scanners.
  • BeEF (Browser Exploitation Framework) — për PoC të avancuar.

Praktika

Reflected XSS (i cenueshëm):

<?php echo "Hello " . $_GET['name']; ?>

I sigurt:

<?php echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8'); ?>

CSP minimal që bllokon XSS:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; base-uri 'self'

Payload klasik për testim në laborator:

"><script>alert(document.domain)</script>
<img src=x
javascript:alert(1)

Ushtrime

  1. Gjej dhe shfrytëzo një Stored XSS në DVWA.
  2. Shkruaj një CSP që lejon Google Fonts por bllokon inline scripts.
  3. Shpjego pse htmlspecialchars() nuk është i mjaftueshëm brenda atributit href.

Burime

  • OWASP XSS Prevention Cheat Sheet.
  • PortSwigger XSS Academy.
  • Google — CSP Evaluator.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re