Python Penetration Testing - XSS Web Attack



Cross-site scripting (XSS) is an injection attack against the client side: attacker-controlled script is injected into a legitimate website and executes in the browsers of its users. The concept of the Same Origin Policy (SOP) is very useful in understanding why XSS matters. SOP is the most important security principle in every web browser. It forbids a document from one origin (scheme, host and port) from reading content belonging to another origin. For example, the web page www.tutorialspoint.com/index.html can access the contents of www.tutorialspoint.com/contact.html, but www.virus.com/index.html cannot access content from www.tutorialspoint.com/contact.html. XSS does not break SOP; it abuses it. Because the injected script is served by the legitimate site, the browser runs it with that site's origin, so it can read the page, the DOM and any cookies not marked HttpOnly, and send requests as the logged-in user. In that sense cross-site scripting is a way of bypassing the protection SOP is meant to provide.

Types of XSS Attack

In this section, let us learn about the different types of XSS attack. The attack can be classified into the following major categories −

  • Persistent or stored XSS
  • Non-persistent or reflected XSS

Persistent or stored XSS

In this kind of XSS attack, an attacker injects a script, referred to as the payload, that is permanently stored by the target web application, for example in a database. This is why it is called a persistent XSS attack. It is the most damaging type of XSS, because the payload is delivered to every user who views the affected page, without the attacker having to contact any of them. For example, a malicious script is inserted by an attacker into the comment field on a blog or into a forum post, and is rendered for every later visitor.

Non-persistent or reflected XSS

It is the most common type of XSS attack. The attacker's payload has to be part of the request sent to the web server, and the server reflects it back so that the HTTP response includes the payload from the HTTP request. It is a non-persistent attack because the attacker needs to deliver the payload to each victim separately. The most common example is a phishing e-mail: the attacker lures the victim into making a request to the server that contains the XSS payload, the server reflects the payload into the response, and the script executes inside the victim's browser.

Example

As with SQLi, XSS attacks are carried out by manipulating the input data sent to the application. In the following example we modify the SQLi attack script from the previous section to test for XSS. The Python script given below helps detect reflected XSS using mechanize.

To begin with, let us import the mechanize module and create the Browser object that will open the page and submit the form.

import mechanize

# mechanize.Browser behaves like a scriptable browser session (cookies, forms, redirects)
browser = mechanize.Browser()

Now, provide the URL of the page that contains the form whose response we want to examine. The counter attack_no is used to number the saved responses.

url = input("Enter the full url: ")
attack_no = 1

We need to read the attack vectors from the file.

with open('vectors_XSS.txt') as x:

Now we will send a request with each attack vector. Each line of the file is stripped of its trailing newline so that the vector is submitted exactly as written, and the response body is decoded to a string so that it can be searched for the vector later.

    for line in x:
        line = line.strip()
        browser.open(url)
        browser.select_form(nr=0)       # the first form on the page
        browser["id"] = line            # "id" is the name of the input field under test
        res = browser.submit()
        content = res.read().decode("utf-8", "replace")

The following lines check whether the attack vector appears verbatim in the response. The original script used content.find(line) > 0, which silently misses a match at offset 0; the in operator has no such problem.

        if line in content:
            print("Possible XSS")

The following lines write each response to a numbered file in the response/ directory, which must already exist, so that suspicious responses can be inspected by hand afterwards.

        with open('response/' + str(attack_no) + '.txt', 'w') as output:
            output.write(content)
        print(attack_no)
        attack_no += 1

XSS occurs when user input is written into the response without output encoding or validation. Therefore, to check for a possible XSS attack, we look for the attack vector we supplied in the response text. If the vector is present in the response with its metacharacters (<, >, ", ') intact, rather than HTML-encoded as &lt;, &gt;, &quot; and &#x27;, there is a high probability of XSS. A verbatim match is only a candidate, however: whether it is exploitable depends on where in the page the input lands (element body, attribute value, script block), so each flagged response should be confirmed in a browser before it is reported.
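The following example, added here and not part of the original tutorial, demonstrates both the stored versus reflected distinction described above and the reflection check the script relies on, without needing mechanize or a live target. The request handlers and the CommentStore class are hypothetical stand-ins for a real application, one version copying input into HTML unchanged and one applying output encoding with html.escape. classify_reflection goes one step beyond the script's substring test: it distinguishes a raw reflection from an encoded one, and reports "inconclusive" for a vector that contains no HTML metacharacters, since such a vector looks identical whether or not the application encodes its output.

```python
import html

# Constructed attack vectors, the kind of lines a vectors_XSS.txt file would hold.
VECTORS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "javascript:alert(1)",          # no HTML metacharacters: cannot prove anything by itself
]


def reflect_vulnerable(query):
    """Hypothetical search handler with reflected XSS: the parameter is copied
    straight into the response."""
    return f"<h1>Results for {query}</h1>"


def reflect_safe(query):
    """Same handler with HTML entity encoding applied at output time."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


class CommentStore:
    """Hypothetical blog comment store. With escape_output=False every later
    page view re-renders a stored payload unchanged (persistent XSS)."""

    def __init__(self, escape_output):
        self.comments = []
        self.escape_output = escape_output

    def post(self, text):
        self.comments.append(text)      # the payload is stored once ...

    def render(self):
        # ... and rendered into every subsequent page view.
        items = (
            html.escape(c, quote=True) if self.escape_output else c
            for c in self.comments
        )
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def classify_reflection(payload, body):
    """Return how the payload shows up in a response body:
    'raw'          -> present with metacharacters intact (candidate XSS)
    'escaped'      -> present only in HTML-encoded form (output encoding in place)
    'absent'       -> not reflected at all
    'inconclusive' -> payload has no metacharacters, so raw and encoded forms coincide
    """
    encoded = html.escape(payload, quote=True)
    if encoded == payload:
        return "inconclusive"
    if payload in body:
        return "raw"
    if encoded in body:
        return "escaped"
    return "absent"


def scan(render, vectors=VECTORS):
    """Submit each vector to a render function and classify the reflection,
    mirroring the loop in the mechanize script above."""
    return {v: classify_reflection(v, render(v)) for v in vectors}


def stored_xss_demo(escape_output):
    """Post the first vector once, then view the page with no attacker input
    at all: the verdict shows whether the stored payload comes back raw."""
    store = CommentStore(escape_output)
    store.post(VECTORS[0])
    return classify_reflection(VECTORS[0], store.render())


if __name__ == "__main__":
    for name, handler in (("vulnerable", reflect_vulnerable), ("safe", reflect_safe)):
        print(name, scan(handler))
    print("stored, no encoding:", stored_xss_demo(escape_output=False))
    print("stored, encoded:    ", stored_xss_demo(escape_output=True))
```

Note that the third vector is reported as inconclusive against both handlers: a vectors file should contain metacharacters in every entry, otherwise the substring check in the script cannot tell encoded output from raw output.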
