Chapter 20 Key Takeaways: Cross-Site Scripting and Client-Side Attacks
Core Concepts
- XSS turns the browser into a weapon. Unlike injection attacks that target the server, XSS makes the victim's own browser execute attacker-controlled code in the security context of a trusted website. The Same-Origin Policy, the browser's fundamental security mechanism, is rendered irrelevant because the injected code is same-origin with the target.
- Three types require three testing approaches. Reflected XSS requires crafted URLs and parameter testing. Stored XSS requires testing all persistent input fields and examining where stored data is rendered. DOM-based XSS requires JavaScript source code analysis to trace data flow from sources to sinks. Automated scanners often miss DOM XSS.
- XSS impact extends far beyond `alert(1)`. Session hijacking, keylogging, phishing, account takeover, data exfiltration, cryptocurrency mining, and self-propagating worms are all achievable through XSS. When demonstrating XSS to clients, show realistic impact, not just proof-of-concept pop-ups.
- Content Security Policy is the strongest browser-side defense. A properly configured CSP with nonce-based `script-src` can prevent XSS exploitation even when the application has injection vulnerabilities. However, `unsafe-inline` negates this protection. Always check CSP during testing.
- CSRF exploits the browser's trust model. Browsers automatically attach cookies to requests, meaning any website can trigger authenticated actions if CSRF defenses are absent. SameSite cookies are the modern primary defense, supplemented by CSRF tokens and custom headers.
- Clickjacking uses transparency to deceive. An invisible iframe overlaying a decoy page tricks users into performing actions they did not intend. The `frame-ancestors` CSP directive and `X-Frame-Options` header are the defenses.
- Client-side supply chain attacks (Magecart) represent an evolving threat. Compromising a single JavaScript file can capture payment data from every user. SRI, CSP, and script integrity monitoring are essential defenses for any application handling sensitive data.
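The CSP and clickjacking takeaways above both come down to reading a Content-Security-Policy header during a test. The following helper is an added example, not code from the chapter: it parses a header into directives and reports the weaknesses called out above (`unsafe-inline` without a nonce or hash, wildcard script origins, missing `frame-ancestors`). The two sample headers and the nonce value are constructed for illustration.

```javascript
// Added example: a small CSP review helper for the checks described above.
// Header values below are constructed samples, not taken from any real site.

function parseCsp(header) {
  // A CSP is a ';'-separated list of directives; each directive is a name
  // followed by whitespace-separated source expressions.
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function reviewCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const scriptSrc = d["script-src"] || d["default-src"];
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts are unrestricted");
  } else {
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const hasUnsafeInline = scriptSrc.includes("'unsafe-inline'");
    // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
    // present, so it is only reported when it actually takes effect.
    if (hasUnsafeInline && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts will run");
    }
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.some((s) => s === "*" || /^https?:$/.test(s))) {
      findings.push("script-src allows scripts from any origin");
    }
  }
  // frame-ancestors is the CSP defense against clickjacking; it does not
  // inherit from default-src, so its absence means no CSP frame protection.
  if (!d["frame-ancestors"]) {
    findings.push("no frame-ancestors: page may be framed unless X-Frame-Options is set");
  }
  return findings;
}

// Constructed sample headers: a weak policy and a hardened one (nonce is a placeholder).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP =
  "default-src 'self'; script-src 'nonce-d2VhcmU' 'strict-dynamic'; object-src 'none'; frame-ancestors 'none'";
```

Running `reviewCsp(WEAK_CSP)` returns three findings, while `reviewCsp(STRICT_CSP)` returns none.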
Practical Skills Acquired
- Identifying XSS reflection contexts and selecting context-appropriate payloads
- Bypassing XSS filters using alternative tags, event handlers, and encoding
- Exploiting XSS for session hijacking, keylogging, and data exfiltration
- Analyzing and bypassing Content Security Policy configurations
- Constructing CSRF proof-of-concept attacks and testing CSRF defenses
- Building clickjacking demonstrations and verifying frame protection
- Using BeEF for persistent browser exploitation in authorized tests
- Implementing comprehensive client-side defense layers
Defense Summary
| Attack | Primary Defense | Secondary Defense |
|---|---|---|
| Reflected XSS | Output encoding | CSP, input validation |
| Stored XSS | HTML sanitization (DOMPurify) | CSP, output encoding |
| DOM XSS | Safe DOM APIs (textContent) | CSP, source code review |
| CSRF | SameSite cookies | CSRF tokens, custom headers |
| Clickjacking | frame-ancestors CSP | X-Frame-Options |
| Cookie theft | HttpOnly cookies | CSP |
| Magecart | SRI, CSP | Script integrity monitoring |
Connections to Other Chapters
- Chapter 18: HTTP header analysis (security headers, cookie flags) directly informs XSS and CSRF testing. Burp Suite workflows established in Chapter 18 are the primary tools for XSS discovery.
- Chapter 19: Injection and XSS share the same root cause (mixing data with code) but target different interpreters (server vs. browser). Defense principles (validation, encoding, safe APIs) apply to both.
- Subsequent chapters: Authentication attacks often chain with XSS (stealing tokens). File upload vulnerabilities may enable stored XSS via SVG files. API security testing applies XSS concepts to JSON endpoints.