Cross Site Scripting attack review

Explain the full XSS attack chain (attacker —> website —> victim). Include why the browser trusts the malicious code.

The attackers injects malicious JavaScript into a vulnerable website. The website stores or reflects that code and sends it to the victim’s browser. Since the code comes from a trusted website, the browser executes it with full privileges (cookies, DOM, session).

Why can injected JavaScript access cookies and session data?

Because the browser the same-origin policy, and the malicious scripts appears to come from the legitimate websites, so it inherits that site’s permissions.

What is the root cause of XSS?
A. Weak authentication
B. Unsanitized user input
C. Open ports
D. Poor encryption

B

List 2 types of damage XSS can cause

Steal cookies/session data
Modifying webpage content (defacing)
Sending requests as the user

Difference between reflected and stored XSS

Reflected: input is immediately returned in response (not stored)
Stored: input is saved and later served to victims

Which type is used in Porject 4? Reflected or Stored?

Stored XSS

Why is stored Xss more dangerous?

it persists on the server and affects every user who visits the page, making it scalable and harder to detect.

What is an attack surface?

any input field or location where user data is accepted and rendered without proper sanitization

Name 3 attack surfaces where XSS payloads can be injected

profile description fields, search bars, comment sections

why might your script appear as text instead of executing?

Because the application encoded or sanitized the input, preventing execution.

Why do we capture HTTP requests?

To understand how the website performs actions so we can replicate them programmatically using JavaScript

What are _elgg_token and _elgg_ts?

Security tokens used to prevent CSRF attacks; they must be included in valid requests.

Why can injected JavaScript access these tokens (referring to _elgg_token and _elgg_ts)?

Because the script runs in the same context as the webpage and can access its JavaScript

Why is dynamic token extraction required?

tokens change per session/request, so hardcoding them would fail.

Why does the server accept the malicious request?

Because it includes valid tokens and cookies, making it appear legitmate.

what actually performs the attack?
A. HTML
B. AJAX request
C. URL alone
D. cookie

B

Why avoid modifying attacker’s own profile?

it would overwrite the malicious script, stopping propagation

how does the attack affect multiple users?

Each visitor triggers the script, executing actions on their own account.

what makes an XSS worm?

it replicates itself by injecting its code into other users’ profiles.

why use encodeURIComponent()?

To safely include JavaScript in HTTP requests without breaking formatting

List 3 debugging steps if your attack fails.

check browser console for errors
Check network tab for request
verify tokens and payload execution

Why do you check if your request was sent?

Browser DexTools > Network tab

Explain the full attack chain of XSS in your own words:
Who are the 3 parties involved?
Why trusts whom incorrectly?

3 parties:
Attack (injects malicious code)
Target Website (stores/ reflect the code)
Victim (loads the page)
The victim’s browser trusts the website, so it also trusts the malicious code coming from that website. The browser cannot distinguish attacker code from legitimate code.

Why does malicious JavaScript gain access to: cookies, DOM, Session data?

Cookies: Same-origin policy allows scripts from the site to access cookies
DOM: Scripts can fully manipulate page structure
Session data: Stored in JavaScript variables accessible in the page

Because the script runs as if it belongs to the website

Given this URL: example.com/search?q=<script>alert(1)</script>
What type of XSS is this?

Reflected XSS because input is in URL and reflected immediately

Why is the “About Me” / Description field ideal for stored XSS?

Stored in database

Displayed to other users

Automatically executed when viewed

perfect for persistent attacks

Why does the attacker need to capture a request using tools like LineHTTPHeader / DevTools?

Understand request structure

Extract parameters

Replay the request programmatically

You are reverse-engineering the website

What would happen if you hardcoded tokens instead of dynamically retrieving them?

Attack will fail

Tokens expire or change per session

Why do we use elgg.security.token._elgg_token instead of manually typing the token?

• Tokens are dynamic

• Must match the current user/session

Explain what this line does: Ajax.open(“GET”, sendurl, true);

Opens a request

GET method

Asynchronous true

What is the purpose of: window.onload = function() {…}

Ensures: Script runs after page loads

All variables are available

what happens if your script runs before the page loads?

Variables may be undefined

Script may fail or do nothing

What is the goal of the add-friend attack?

Add attacker as a friend without consent

What makes the request valid from the server’s perspective?

Valid token

Valid session cookie

Correct request format

What part of the attack is actually doing the damage?
A. HTML
B. JavaScript AJAX request
C. URL
D. Cookie alone

B

Why do we include: if (elgg.session.user.guid ≠ 47)

To avoid:

• Overwriting attacker’s own profile

• Breaking the attack

What would happen if we didn’t include that condition, context:
if (elgg.session.user.guid ≠ 47)

• Infinite overwrite

• Malicious code removed

How does the attack scale to multiple victims?

Each visitor: executes script, modifies their own profile

Attack spreads naturally

What would happen if we didn’t encode the payload?

request breaks
script malformed
attack fails

Explain the DOM approach for copying code.

Access script via DOM

Extract its own code

Reinsert into another profile

Why do we use:
document.getElementById(“worm”).innerHTML;

gets the script’s content from the page

What problem does this ( document.getElementById("worm").innerHTML; ) solve in the attack?

allows self-copying for automatic propagation

Difference between DOM and Link(src) approach?

DOM approach copies code from page while the link approach loads code from external file.

link = cleaner, shorter payload

Your script isn’t running. List 3 things you would check

Console errors
Network requests
Token correctness

Where in browser DevTools would you look to: See if your request was sent?

Network tab

Where would you check JavaScript errors?

Console tab

If your payload executes but doesn’t modify anything, what might be wrong?

Wrong parameters, Missing tokens, incorrect request method (get vs post), permissions/access level is wrong

Why is filtering input hard?

Many ways to inject JS, not just script tags

What does encoding do differently from filtering?

Filtering removes code while encoding makes code harmless (displayed, not executed)

What is the purpose of Content Security Policy (CSP)?

restricts where scripts can come from

Why does CSP block inline scripts?

inline scripts mix code and data and can be vulnerable

What is a nonce in CSP?

Nonce is a unique token that allows only approved inline scripts

Can you describe how to: Inject code, Capture request, Recreate request in JavaScript, Execute automatically?

Inject script into input field

Capture valid request

Extract parameters (tokens, cookies)

Recreate request using AJAX

Execute automatically via XSS

if given a new website (not Elgg), could you: Find attack surfaces? Identify tokens? Replicate a request?

Yes, if you can:

identify inputs

Inspect requests

Extract tokens

Rebuild requests

Explain the full attack in plain English like you’re teaching someone else.

An attacker puts malicious JavaScript into a website field.
When another user visits that page, their browser runs the script because it trusts the site.
The script secretly sends requests (like adding friends or editing profiles) using the victim’s account, without them knowing.