What Is A “Blind” XSS

The Blind XSS (BXSS) is a type of Persistent XSS attack where the hacker ‘blindly’ targets webpages that store user input in a database (like blogs, forums, contact forums, login pages etc etc) the BXSS and the Persistent XSS attacks are pretty identical in terms of target goal and the payload stored, the difference is in the execution of the attack.

In BXSS, the hacker fires off payloads into the vulnerable sties but doing it manually is cumbersome. The process can be automated using XSS security tools such as XSS Hunter, which finds XSS vulnerabilities on web pages, automatically creates payloads for those vulnerabilities and even correlates injection attempts. The hacker isn’t expecting to see any immediate response or sign that the attack worked, they aren’t even aware if the payload was stored in the same web application or even stored in the first place….hence the “Blind” in Blind XSS.

The BXSS sometimes targets sites administrators because of the malicious script is commonly either sanitized before being served to everyday site visitors or served b ya different web application. Site admins/mods who use management web sessions to load content for administrative tasks might find themselves executing the malicious code in the admin interface.

For example, lets say the hacker injects malicious code in a contact forum and submits it to the server. The code will be stored in the database but not likely in the same application. Thus, there is no immediate response, such as the typical JavaScript Alert() box. The browser of a victim who visits the same contact page isn’t’ authorized to make a GET request for the hackers payload stored in the database; however, a site admin who is reviewing the everyday contact submission from site visitors may inadvertently execute the malicious script stored inside the hackers contact submission.

 

Credit : thecybersecurityman

 

Cheers,
Areeb

Areeb Soo Yasir

Business and technology have always gone hand in hand for me, and now I've built nearly 20 years of expertise. A few notable achievements: -> Tier III-Designed & deployed multiple mission critical datacenter environments in Canada, US, Hong Kong, Singapore & China. -> Software Engineering: Created a Linux OS from scratch, including a custom kernel to maintain millions of dollars in client infrastructure, deploy and report as needed. Created the “Windows Geeks” and “Password Pros” Windows Password Reset software recommended by Microsoft. -> Business Negotiations: Conducted intensive negotiations with branches of the Peoples Republic of China and the various state-run Telecom operations including China Telecom and China Unicom for access to their trillion dollar backbone infrastructure. We were the first western company to have such network access where other IT companies such as Vodafone and Google failed. -> Cloud Infrastructure Creation: Created the first proprietary “Clustered Cloud Architecture” that rivals competing Google, IBM, Microsoft & Alibaba alternatives. I'd love to chat #IT or #Linux or even #Business, so don't hesitate to connect. Cheers!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *