Jānis Valters
Ethical Penetration tester / DevSecOps / IT Solution Developer / System administrator
Category Archives: Web Security
Dangling markup injection
In this section, we’ll explain dangling markup injection, how a typical exploit works, and how to prevent dangling markup attacks. What is a dangling markup injection? Dangling markup injection is a technique for capturing data cross-domain in situations where a full cross-site scripting attack isn’t possible. Suppose an application embeds attacker-controllable data into its responses…
Content security policy
In this section, we’ll explain what content security policy is, and describe how CSP can be used to mitigate against some common attacks. What is CSP (content security policy)? CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a…
DOM-based XSS
In this section, we’ll describe DOM-based cross-site scripting (DOM XSS), explain how to find DOM XSS vulnerabilities, and talk about how to exploit DOM XSS with different sources and sinks. What is DOM-based cross-site scripting? DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink…
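The source-to-sink flow described above, as an added example that is not part of the original post. It models a page that copies a search term from the URL into an HTML sink, runnable under Node without a browser: the "page" is a function that returns the HTML it would assign to innerHTML. The host name, the search parameter and the payload are constructed for illustration.

```javascript
// Source: the attacker-controllable part of the URL. Note that
// URLSearchParams already percent-decodes, so %3C arrives as "<".
function readSearchSource(pageUrl) {
  return new URL(pageUrl).searchParams.get("search") ?? "";
}

// Vulnerable sink: the decoded value is concatenated straight into markup,
// the equivalent of `results.innerHTML = "<p>You searched for " + term + "</p>"`.
function renderVulnerable(pageUrl) {
  const term = readSearchSource(pageUrl);
  return "<p>You searched for " + term + "</p>";
}

// Hardened version: HTML-encode before the value reaches an HTML sink.
// In a real page a text sink such as textContent is preferable, since it
// never parses the value as markup and needs no encoding at all.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(pageUrl) {
  return "<p>You searched for " + escapeHtml(readSearchSource(pageUrl)) + "</p>";
}

// Crude check a tester might script: does the rendered HTML now contain an
// element carrying an inline event-handler attribute?
function containsInjectedHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Attacker's link: the payload is percent-encoded as it would be in a URL.
const payload = '<img src=x onerror="alert(document.domain)">';
const attackUrl = "https://vulnerable.example/?search=" + encodeURIComponent(payload);

console.log(renderVulnerable(attackUrl)); // markup with a live onerror handler
console.log(renderHardened(attackUrl));   // same text, rendered harmlessly
```

The decoding step is the part that catches people: the payload never appears literally in the URL, so grepping the request for `<img` finds nothing, yet the sink receives the decoded characters.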
Cross-site scripting contexts
When testing for reflected and stored XSS, a key task is to identify the XSS context: The location within the response where attacker-controllable data appears. Any input validation or other processing that is being performed on that data by the application. Based on these details, you can then select one or more candidate XSS payloads, and test whether they…
Exploiting cross-site scripting vulnerabilities
The traditional way to prove that you’ve found a cross-site scripting vulnerability is to create a popup using the alert() function. This isn’t because XSS has anything to do with popups; it’s simply a way to prove that you can execute arbitrary JavaScript on a given domain. You might notice some people using alert(document.domain). This is a way of making it explicit…
Reflected XSS
In this section, we’ll explain reflected cross-site scripting, describe the impact of reflected XSS attacks, and spell out how to find reflected XSS vulnerabilities. What is reflected cross-site scripting? Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an…
Stored XSS
In this section, we’ll explain stored cross-site scripting, describe the impact of stored XSS attacks, and spell out how to find stored XSS vulnerabilities. What is stored cross-site scripting? Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its…
XSS vs CSRF
In this section, we’ll explain the differences between XSS and CSRF, and discuss whether CSRF tokens can help to prevent XSS attacks. What is the difference between XSS and CSRF? Cross-site scripting (or XSS) allows an attacker to execute arbitrary JavaScript within the browser of a victim user. Cross-site request forgery (or CSRF) allows an attacker to induce a…
CSRF tokens
In this section, we’ll explain what CSRF tokens are, how they protect against CSRF attacks, and how CSRF tokens should be generated and validated. What are CSRF tokens? A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is…
Defending against CSRF with SameSite cookies
Some websites defend against CSRF attacks using SameSite cookies. The SameSite attribute can be used to control whether and how cookies are submitted in cross-site requests. By setting the attribute on session cookies, an application can prevent the default browser behavior of automatically adding cookies to requests regardless of where they originate. The SameSite attribute is added to the Set-Cookie response…
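The cookie-submission rules described above, as an added example that is not code from the original post. It parses a Set-Cookie header and decides whether the cookie accompanies a given request under each SameSite value. The "site" comparison is approximated by the last two host labels (a real browser uses the Public Suffix List), and the host names and request shapes are constructed for illustration.

```javascript
// Minimal Set-Cookie parser: keeps name/value plus the attributes relevant here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = (v ?? "").trim().toLowerCase();
  }
  return cookie;
}

// Crude registrable-domain (eTLD+1) approximation: last two labels.
// Correct for example.com vs evil.net; not for co.uk-style suffixes.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Would the browser attach `cookie` to a request for `targetUrl` that was
// initiated by the page at `initiatorUrl`?
//   strict: same-site requests only
//   lax:    same-site, plus cross-site top-level navigations with a safe method
//   none:   always, but only honoured when the cookie is also Secure
//   absent: the legacy behaviour the post describes (always sent); note that
//           Chromium-based browsers now treat a missing attribute as Lax
function cookieSentOnRequest(cookie, { initiatorUrl, targetUrl, method, topLevelNavigation }) {
  if (site(initiatorUrl) === site(targetUrl)) return true;
  const safeMethod = ["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase());
  switch (cookie.sameSite) {
    case "strict":
      return false;
    case "lax":
      return topLevelNavigation && safeMethod;
    case "none":
      return cookie.secure;
    default:
      return true;
  }
}

// Constructed scenario: attacker page on evil.net submits a form to example.com.
const formPost = {
  initiatorUrl: "https://evil.net/attack.html",
  targetUrl: "https://www.example.com/email/change",
  method: "POST",
  topLevelNavigation: true,
};

for (const header of [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; SameSite=Lax; Secure",
  "session=abc123; SameSite=Strict; Secure",
]) {
  console.log(header, "->", cookieSentOnRequest(parseSetCookie(header), formPost));
}
```

The case that trips people up is Lax: a cross-site GET reached by a top-level navigation (a link or a `window.location` redirect) still carries the cookie, so any state-changing action reachable over GET remains exploitable under Lax and needs Strict or a CSRF token.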