<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Muhammed Batuhan Aydın</title>
    <description>The latest articles on Forem by Muhammed Batuhan Aydın (@batuhanaydnn).</description>
    <link>https://forem.com/batuhanaydnn</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1058933%2Fc46287ad-0f09-4691-8084-e7f67bd364d5.jpg</url>
      <title>Forem: Muhammed Batuhan Aydın</title>
      <link>https://forem.com/batuhanaydnn</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/batuhanaydnn"/>
    <language>en</language>
    <item>
      <title>Understanding the nature of XSS</title>
      <dc:creator>Muhammed Batuhan Aydın</dc:creator>
      <pubDate>Thu, 06 Apr 2023 19:33:50 +0000</pubDate>
      <link>https://forem.com/batuhanaydnn/understanding-the-nature-of-xss-18p0</link>
      <guid>https://forem.com/batuhanaydnn/understanding-the-nature-of-xss-18p0</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Notes from the Author: I design disgusting cover images. Yes, I have no soul.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;For some reason, the first thing that comes to my mind when I say "vulnerability" is XSS. Maybe it's because it's the security vulnerability that I first learned about, or because XSS is like a puzzle. I am writing this article because of a very strange situation that I have noticed among my fellow software developers: for a reason I don't know, XSS is not taken seriously, or it is not given enough attention even when it is taken seriously. I'm going to tell you a little about XSS technically today, but the first thing I'm going to do is talk about the nature of XSS.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wilderness Cross-site Scripting (XSS)
&lt;/h2&gt;

&lt;p&gt;In the wild, XSS arises for very simple reasons. Sometimes a little filtering is skipped, sometimes the developer is too lazy to do it, and sometimes input that is checked for XSS in one step is not checked in another. What's wrong with XSS is that it goes undetected until the vulnerability is exploited. By the time it is noticed, it is too late for everything; as we Turks say, "The one who took the horse passed Üsküdar".&lt;/p&gt;

&lt;h2&gt;
  
  
  XSS Types
&lt;/h2&gt;

&lt;p&gt;Now let's get into some technical details and talk about XSS types and which type changes what.&lt;/p&gt;

&lt;h3&gt;
  
  
  Stored XSS
&lt;/h3&gt;

&lt;p&gt;Stored XSS is when an attacker stores their malicious code in the target web application, which then shows it to other users.&lt;/p&gt;

&lt;p&gt;A Stored XSS attack typically targets a form field such as a comment or message box on a forum, blog, or e-commerce site. The attacker writes malicious code into these fields and submits it. This code is saved in the target web application's database and runs when subsequent users view the page. It could include any JavaScript code that the attacker could run on any web page, so the attacker could infect users, steal their session information, or alter the page content.&lt;/p&gt;

&lt;p&gt;For example, an attacker could target users by commenting on a forum. A window can be opened in the target users' browsers by typing the following code in the comment box:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;script&amp;gt;alert('Hello My name is Stored XSS')&amp;lt;/script&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Of course, this attack script will not work in any modern web application. There is a classic situation that I see in everyone who is just starting out: they look for a magic wand, asking which attack script is the most effective, or they use tools to discover these vulnerabilities. My advice is not to use tools. These automated tools do not improve you or move you forward. Build your attack code manually, one piece at a time, by intelligently examining your attack point. This may be difficult at first, but as you come to understand XSS, you will start to really enjoy it.&lt;/p&gt;

&lt;p&gt;Let's continue. When you manage to run the script I gave above, or a similar one, a warning window will appear on the screen saying "Hello My name is Stored XSS". If this script is being saved on the website, congratulations: you have discovered your first Stored XSS.&lt;/p&gt;

&lt;h3&gt;
  
  
  Reflected XSS
&lt;/h3&gt;

&lt;p&gt;Reflected XSS (Cross-Site Scripting) is a web vulnerability that is exploited when insecure user input is displayed on a page of the target website, triggered via a specially crafted link or form that an attacker sends to the website.&lt;/p&gt;

&lt;p&gt;This type of XSS attack is performed against pages that display user-supplied input, such as a search results page, for example by injecting JavaScript code into a search box on the target website. The attacker sends a specially crafted link or form to the target website, and these entries are displayed on a page on the target website. While the user is viewing this page, the JavaScript code is automatically executed and performs a malicious action.&lt;/p&gt;

&lt;p&gt;For example, an attacker could perform a Reflected XSS attack by submitting an entry like the following to a search box on the target website:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://batuhanaydn.com/search?q=&amp;lt;script&amp;gt;alert("Reflected XSS");&amp;lt;/script&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This entry will be displayed on the search results page and the JavaScript code will automatically run, thus displaying a malicious message to the user.&lt;/p&gt;

&lt;h3&gt;
  
  
  DOM XSS
&lt;/h3&gt;

&lt;p&gt;DOM (Document Object Model) XSS is one of the vulnerabilities found in web applications and is a type of Cross-Site Scripting (XSS) attack. In DOM XSS, the attacker sends specially crafted input to the target website, causing JavaScript code to run on the page viewed by the user.&lt;/p&gt;

&lt;p&gt;DOM XSS is similar to Reflected XSS but relies on a different mechanism. Reflected XSS attacks work because user inputs are displayed directly on the website, while DOM XSS attacks work by modifying, through the DOM tree, the JavaScript code running on the target website.&lt;/p&gt;

&lt;p&gt;A DOM tree is the structural representation of an HTML document and includes all elements (for example, tags, text, images, etc.) on the web page. The JavaScript code in the web page can access the DOM tree and modify or manipulate these elements. Using this feature, attackers perform DOM XSS attacks to modify the JavaScript code on the target website.&lt;/p&gt;

&lt;p&gt;For example, the target website might handle a form field with code like the following:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
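&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;input type="text" id="input"&amp;gt;
&amp;lt;button onclick="updateText()"&amp;gt;Update Text&amp;lt;/button&amp;gt;
&amp;lt;!-- Element that updateText() writes into --&amp;gt;
&amp;lt;div id="output"&amp;gt;&amp;lt;/div&amp;gt;

&amp;lt;script&amp;gt;
function updateText() {
  // Read the raw, user-controlled value from the text field
  var input = document.getElementById("input").value;
  // Vulnerable sink: innerHTML parses the value as HTML instead of treating it as text
  document.getElementById("output").innerHTML = input;
}
&amp;lt;/script&amp;gt;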
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This code will take the text the user entered and update the content of an HTML element named "output". However, if the attacker sends the following code as input:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"&amp;gt;&amp;lt;script&amp;gt;alert("XSS");&amp;lt;/script&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This entry triggers a DOM XSS vulnerability on the target website because the script writes the input into the page through innerHTML without encoding it. Thus, by controlling the user's input, the attacker can modify the JavaScript code on the target website and perform a malicious operation.&lt;/p&gt;

&lt;h3&gt;
  
  
  XSSi (Cross-Site Script Inclusion)
&lt;/h3&gt;

&lt;p&gt;Yes, let's come to XSSi, which is one of the most fun and effective security holes in my opinion, which some people have never heard of and some of us are not very familiar with.&lt;/p&gt;

&lt;p&gt;XSSI can allow attackers to use JavaScript files (usually carrying JSON data) from the target website to run malicious JavaScript code in the browsers of the target website's users.&lt;/p&gt;

&lt;p&gt;XSSI attacks target requests to a JSON service on the target website. This service is generally used to facilitate data interaction in the web application. The target website sends JSON data to clients while allowing JavaScript code to be run on that data. Therefore, attackers can send a specially crafted request to the target website's JSON service, using JavaScript code from the target website to cause malicious code to run in the target users' browsers.&lt;/p&gt;

&lt;p&gt;For example, a JSON service on the target website might look like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://example.com/api/data.json?id=1234
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This service sends data to clients in JSON format using the "id=1234" parameter. To target this service, attackers can send a request like:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://example.com/api/data.json?id=1234&amp;amp;callback=myfunction
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This request is used to call back a JavaScript function named "myfunction". The target website sends a JSON response to the client like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;myfunction({"data": "1234"});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An attacker can insert malicious JavaScript code into the "data" field in this JSON response:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;myfunction({"data": "&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;"});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This JSON response will bypass the browser's same-origin protections, causing the malicious JavaScript code to run in the target user's browser.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to protect from XSS
&lt;/h2&gt;

&lt;p&gt;Since there are thousands of code examples that can be produced for these, I will list the items that need attention instead of giving code examples here:&lt;/p&gt;

&lt;p&gt;Input validation and data validation: All input fields and data points need to be validated. This verifies that all data sent to the server is valid and in expected formats.&lt;/p&gt;

&lt;p&gt;Output encoding and filtering: All user input must be properly filtered or encoded before being processed. This ensures safe handling of special characters in data from users.&lt;/p&gt;

&lt;p&gt;Secure HTTP headers: HTTP headers can be used to protect against XSS attacks. For example, the "X-XSS-Protection" header can enable XSS protection in browsers.&lt;/p&gt;

&lt;p&gt;Security of cookies: Cookies are a common target for XSS attacks. Therefore, the "HttpOnly" and "Secure" attributes should be set on cookies.&lt;/p&gt;

&lt;p&gt;Secure coding practices: Secure coding practices are among the most important defenses against XSS attacks. Regular code reviews should be done to ensure that coding is secure, that data validation is done correctly, and that unsafe code is eliminated.&lt;/p&gt;

&lt;p&gt;Safe browser settings: Browsers' secure settings can be used to protect users from XSS attacks. These settings can prevent the use of JavaScript, ActiveX, and other potentially dangerous features.&lt;/p&gt;

&lt;p&gt;When you implement them correctly, you will be protected from 90 percent of XSS vulnerabilities. Remember, there is no such thing as 100 percent security. Happy Hacking&lt;/p&gt;

</description>
      <category>security</category>
      <category>beginners</category>
      <category>cybersecurity</category>
      <category>web</category>
    </item>
    <item>
      <title>How to Get Started with Bug Bounty?</title>
      <dc:creator>Muhammed Batuhan Aydın</dc:creator>
      <pubDate>Tue, 04 Apr 2023 22:58:19 +0000</pubDate>
      <link>https://forem.com/batuhanaydnn/how-to-get-started-with-bug-bounty-1gpn</link>
      <guid>https://forem.com/batuhanaydnn/how-to-get-started-with-bug-bounty-1gpn</guid>
      <description>&lt;p&gt;I would like to thank Stable Diffusion for producing the cover image.&lt;/p&gt;

&lt;p&gt;Hello everyone, I'm Muhammed Batuhan Aydın. Today, I'll be talking about the bug bounty field, which is something that everyone has in mind, that some wonder how to start, and that some people engage in professionally.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Bug Bounty?
&lt;/h2&gt;

&lt;p&gt;Bug bounty is an open call from an organization to an external person or group to find security vulnerabilities or flaws in its digital assets, such as websites, mobile applications, software or systems, in order to increase their security. This call includes paying a monetary reward to the individuals who find security vulnerabilities or flaws in these assets during a specified period. These individuals are usually referred to as "hunters" or "researchers."&lt;/p&gt;

&lt;p&gt;Bug bounty programs are used as a powerful tool to quickly and effectively identify security vulnerabilities and flaws in an organization. These programs not only help to detect errors but also help organizations protect their reputations and avoid legal issues.&lt;/p&gt;

&lt;p&gt;Bug bounty programs are used by many different organizations, ranging from open-source software projects to government agencies and large corporations. These programs typically offer a variety of rewards, such as money, vacations, equipment or other rewards determined by the organization, to researchers who identify bugs.&lt;/p&gt;

&lt;p&gt;Bug bounty programs are a great way to detect and prevent security vulnerabilities that hackers and malicious users can use to harm organizations. Therefore, many organizations make efforts to increase the security of their digital assets and protect themselves against malicious attacks by using these programs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Change Your Mindset
&lt;/h2&gt;

&lt;p&gt;This is probably the part that most people struggle with and skip. Unfortunately, most new generation security professionals who enter this career field are more concerned with how much money they can make than with enjoying their education and work. The approach of "a self-xss is worth 200 dollars bro" from an outsider's perspective prevents taking the job seriously and also prevents enjoying the activity.&lt;/p&gt;

&lt;p&gt;Start by educating your mindset first. You should not forget that the first vulnerabilities you find may be rejected, classified as information or may result in finding no flaws at all. According to my mindset, this is an unlimited source of entertainment that helps me to constantly improve myself and follow the technologies that many companies follow in their work. When you choose bug bounty as a hobby, which is much more accessible and logical in terms of your mindset and motivation, it becomes an activity that you can both enjoy and earn money from.&lt;/p&gt;

&lt;h2&gt;
  
  
  Beginner Level Books
&lt;/h2&gt;

&lt;p&gt;After setting your thoughts and motivation, there are many articles and resources available on the internet and dev.to that you can use to educate yourself. However, books can be really effective. If you are new to bug bounty, beginner level books can provide you with basic knowledge. These books cover topics such as web application security, network security, programming, and security testing techniques. Useful books in this regard could be "Web Application Hacker's Handbook" and "The Basics of Hacking and Penetration Testing."&lt;/p&gt;

&lt;p&gt;Web Application Hacker's Handbook : &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--khJdUtKr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uycl2suk4ndby4cbcqw5.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--khJdUtKr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uycl2suk4ndby4cbcqw5.jpg" alt="Web Application Hacker's Handbook" width="397" height="499"&gt;&lt;/a&gt; &lt;a href="https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470"&gt;https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470&lt;/a&gt; &lt;/p&gt;



&lt;p&gt;The Basics of Hacking and Penetration Testing: &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vFYbifZ---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zr57l6zo86wo46f4kmre.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vFYbifZ---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zr57l6zo86wo46f4kmre.jpg" alt="The Basics of Hacking and Penetration Testing" width="407" height="500"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.amazon.com/Basics-Hacking-Penetration-Testing-Ethical/dp/0124116442"&gt;https://www.amazon.com/Basics-Hacking-Penetration-Testing-Ethical/dp/0124116442&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Online Courses
&lt;/h2&gt;

&lt;p&gt;I am torn about writing this section, as some people believe that bug bounty cannot be learned through courses. However, while I have never been someone who learned through courses, I have met hundreds of people who have learned something through them. Online education platforms such as Udemy, Coursera, and edX offer a wide range of courses and programs in various security-related topics. My personal favorite has always been Coursera. If you cannot afford to pay hundreds of dollars for a course, you can explain your situation to Coursera and they can offer you the course for free.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practice
&lt;/h2&gt;

&lt;p&gt;It is important to note that any website you find on the internet is not your sandbox for practice. Do not attack any organization's website or apply security tests without permission, even if you know very well what you are doing. You do not want to deal with legal processes, which can be very painful and sad in many countries around the world.&lt;/p&gt;

&lt;p&gt;However, security professionals who ask themselves how they can practice have come up with many solutions. Online platforms like HackTheBox, TryHackMe, and PortSwigger Web Security Academy offer virtual labs with different security scenarios. These labs mimic real-world scenarios and allow you to improve your ability to detect and solve security vulnerabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Open Source Projects
&lt;/h2&gt;

&lt;p&gt;If you've been in this profession for a long time like me, you know that open source developers who write code are superheroes and everyone loves them. &lt;em&gt;You can skip this part because I'm going to praise open source.&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The world is grateful to the people who write Open Source code. These individuals are improving the software world with the philosophy of free software. Open Source developers, who develop software for the benefit of society beyond their own interests, play a significant role in today's technology world. Open Source developers spend their time and effort to make their code open source, making it easier for developers to review, enhance, and modify it. This results in better software products. The contribution of Open Source developers to the software world is not limited to better software products. They also provide educational materials and help resources for people with different skill levels. This way, anyone who wants to participate in the software development process can improve themselves by using the resources provided by Open Source developers. Open Source developers also highlight the advantages of open source software. They believe that open source software enables more people to participate and contribute, resulting in better software products and a wider distribution of benefits to society.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In conclusion, people who write Open Source code make significant contributions to the development of the software world. By investing their time and effort, they make the software world more open, transparent, and free. These people play an important role not only for the software world but also for society. It is our duty to appreciate, support, and encourage them.&lt;/p&gt;

&lt;p&gt;As someone who develops Open Source software, I would like to extend my appreciation and respect. Contributing to Open Source projects and software can help you better understand real-world scenarios. These projects may have various errors in application security, network security, and other security issues. By contributing to these projects, you can improve your skills in detecting and reporting security vulnerabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Join Communities
&lt;/h2&gt;

&lt;p&gt;Unfortunately, Hollywood has created a weird stereotype of a Cyber Security expert or "Hacker" in people's minds in the last century. This effect has created a stereotype of "acne-prone, hoodie-wearing, socially awkward, friendless, sociopathic, excessively thin, and asocial" for anyone who is new to the Cyber Security field. In reality, Cyber Security communities are made up of people who love to help each other and these people do this work without expecting anything in return. The same goes for me, if you have any questions, you can write them in any way you want via my social media accounts. These communities are areas mostly found on the internet where researchers from different countries, languages, and different sectors come together to exchange ideas, ask questions, and share what they have discovered. These communities can be accessed through platforms such as HackerOne, Bugcrowd, and Reddit's bug bounty channels.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Long Will it Take?
&lt;/h2&gt;

&lt;p&gt;I think this is one of the questions I am asked most frequently. People start asking it a few days or weeks after they start. Unfortunately, I cannot give you a clear date, just as I cannot give one to anyone. However, the advice I will give you here is to never lose your self-discipline. Reading a few articles, practicing, or learning a new technology when you come home from work in the evening, or after school, or when you wake up in the morning will help you develop yourself in this field even if you don't make a career out of it.&lt;/p&gt;

&lt;p&gt;I look forward to writing my content called "&lt;strong&gt;&lt;em&gt;A day of a hacker next week&lt;/em&gt;&lt;/strong&gt;". Don't forget to follow me for my future posts.&lt;/p&gt;

&lt;p&gt;For your questions to me: You can message me on LinkedIn or write a comment under the post. Happy Hacking&lt;/p&gt;

</description>
      <category>bugbounty</category>
      <category>cybersecurity</category>
      <category>security</category>
      <category>career</category>
    </item>
  </channel>
</rss>
