Aryasindhu Sahu

Reputation: 103

Can XSS be executed on server?

Hi, an XSS attack is treated as an attack from the client's machine. But is there any way to make an XSS attack over the server?

I want to know whether there is any way to execute code on the server using the client-side interface, like in the case of SQL injection, but here it is not the database server but a simple web server or an application server.

Upvotes: 1

Views: 887

Answers (3)

Freedom_Ben

Reputation: 11953

The answer to your question is not entirely straightforward.

Specifically, no, you cannot attack a server using XSS by injecting code through its interface.

However, there are ways to "inject" code into the server through its interface and have the server run it. The techniques vary widely and substantially, and are highly implementation dependent.

For example, there was a web application that allowed users to upload image files for display. The web application had code that "touched up" the image. There was a vulnerability in the touch up code. A malicious user uploaded a carefully prepared, malicious .jpg file that overflowed a buffer in the code and shoveled off a shell to the attacker's machine. In a case like this, the attack was conducted by "injecting" code into the web app through its interface.

As long as you never process user input (other than storing it in the DB and returning it to other users), then you should be pretty safe from this type of attack. Probably 99% of web apps need to be much more worried about XSS attacks from users to other users than from code injection attacks against themselves.

Upvotes: 0

Thomas Chopitea

Reputation: 21

Sometimes, it's also possible to use XSS as a vector to trigger and leverage Cross-Site Request Forgery (CSRF) attacks.

Having an XSS on a website is like having control over the JavaScript a user will execute when visiting it. If an administrator stumbles upon your XSS code (either by sending a malicious link or by means of a stored XSS), then you might get him or her to execute requests or actions on the webserver that a normal user usually wouldn't have access to. If you know the webpage layout well enough, you can request webpages on the visitor's behalf (backends, user lists, etc.), and have the results sent (exfiltrated) anywhere on the Internet.

You can also use more advanced attack frameworks such as BeEF to attempt to exploit vulnerabilities in your visitor's browser. If the visitor in question is a website administrator, this might yield interesting information to further attack the webserver.

XSS per se won't allow you to execute code on the server, but it's a great vector to leverage other vulnerabilities present on the web application.

Upvotes: 2

SLaks

Reputation: 887807

Vulnerabilities like XSS or SQL injection are specific instances of a more general problem: Improperly concatenating attacker-controllable text into some other format (e.g., SQL, HTML, or JavaScript).

If your server runs any such format (e.g., eval()), it can have similar vulnerabilities.

Upvotes: 0
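
The general problem named in the last answer, shown as an added example that is not part of any answer: the same concatenation mistake in HTML, SQL and server-side `eval()`, each beside a form that keeps the input as data. The function names, the `users` table and the three inputs are constructed for illustration.

```python
import ast
import html
import sqlite3

# Constructed inputs: each is plain data that is also valid syntax in the
# format it gets concatenated into.
HTML_INPUT = "<script>alert(1)</script>"
SQL_INPUT = "nobody' OR '1'='1"
EXPR_INPUT = "sum(range(5))"

def render_unsafe(name):
    # Input becomes markup: the browser sees a real <script> element.
    return "<p>Hello " + name + "</p>"

def render_safe(name):
    # Escaping for the HTML context keeps the input as text.
    return "<p>Hello " + html.escape(name) + "</p>"

def make_db():
    # Hypothetical two-row table used only for this demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a1"), ("bob", "b2")])
    return db

def lookup_unsafe(db, name):
    # Input becomes SQL: the quote closes the literal and adds a condition.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Bound parameter: the driver passes the input as a value, never as SQL.
    return db.execute("SELECT secret FROM users WHERE name = ?",
                      (name,)).fetchall()

def parse_unsafe(text):
    # Input becomes Python: eval() runs whatever expression it is given.
    return eval(text)

def parse_safe(text):
    # literal_eval accepts only literals (numbers, strings, lists, ...).
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None
```

Only the first pair is XSS, and it runs in the visitor's browser; the other two run on the server, which is the case the question asks about.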
