The Basics of Cross-Site Scripting (XSS)

February 3, 2018 | Views: 3410

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

What is Cross-Site Scripting?

Cross-site scripting (XSS) is a client-side attack where an attacker performs malicious script (JavaScript) injection into a web application and/or web site.  Then the malicious payload is executed in user’s browser that visited a compromised page. Be aware that this malicious script/code appears to be a part of the web page.

Types of XSS

  • Persistent – This type of XSS requires an attacker to locate a vulnerable web application and then inject a malicious code to be stored on the server. The malicious code is not executed immediately.
  • Reflected – This type of XSS occurs when a malicious script is reflected off of a web application and/or site back to the browser of a user that trusted a web site they visited.
  • DOM-Based (Document Object Model)– This type of XSS occurs when malicious code is being able to manipulate the page’s DOM. This attack is executed on the client side. This type of XSS is least common. Be aware that both persistent and reflected XSS types are executed on the server side.

Popular types of attacks with XSS

  • Cookie/session theft
    • To steal your current session and do things on your behalf.
  • Redirection to a phishing web site
    • To steal your credentials
  • Execution of exploits discovered in a web browser
    • Install malware on the PC

The simple test to check for reflected XSS

  1. Locate input fields
    1. Ex. A web form (First name, last name, etc)
  2. Create input data
    1. <script>alert(Vulnerable to XSS)</script>
  3. “Vulnerable to XSS” box reflected on the web page – if the page is vulnerable.
  4. This is just an alert box demonstrating that the application is vulnerable to XSS. This itself does not present any threat. However, think about what an attacker could do after discovering that particular web application/site is vulnerable to XSS. The limit is their creativity.

How to prevent XSS

Input validation – Validate user input using a blacklist or a whitelist on the server side.  Client-side validation cannot be trusted as it can be easily bypassed.

Escaping – Conversion of characters to its escape sequence. For example, a “<” to be converted to “&lt;”.

To conclude, I want to drive one very important point home – ALL data that is received by your application must be treated as it was coming from an untrusted source.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Thanks for sharing the document

  2. Precise and nice.

  3. Crystal clear. Thanks!

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?