
The Basics of Cross-Site Scripting (XSS)


By: Izet007

February 3, 2018

What is Cross-Site Scripting?

Cross-site scripting (XSS) is a client-side attack in which an attacker injects malicious script (JavaScript) into a web application and/or web site. The malicious payload is then executed in the browser of any user who visits the compromised page. Be aware that this malicious script appears to be part of the web page itself.

Types of XSS

  • Persistent – This type of XSS requires an attacker to locate a vulnerable web application and then inject malicious code that is stored on the server. The malicious code is not executed immediately.
  • Reflected – This type of XSS occurs when a malicious script is reflected off of a web application and/or site back to the browser of a user who trusted the web site they visited.
  • DOM-Based (Document Object Model) – This type of XSS occurs when malicious code is able to manipulate the page’s DOM. This attack is executed on the client side. This type of XSS is the least common. Be aware that both persistent and reflected XSS are executed on the server side.

Popular types of attacks with XSS

  • Cookie/session theft
    • To steal your current session and do things on your behalf.
  • Redirection to a phishing web site
    • To steal your credentials
  • Execution of exploits discovered in a web browser
    • Install malware on the PC

The simple test to check for reflected XSS

  1. Locate input fields
    1. e.g. a web form (first name, last name, etc.)
  2. Create input data
    1. <script>alert("Vulnerable to XSS")</script>
  3. If the page is vulnerable, a “Vulnerable to XSS” alert box appears when the page is reflected back.
  4. This is just an alert box demonstrating that the application is vulnerable to XSS. By itself it does not present any threat. However, think about what an attacker could do after discovering that a particular web application/site is vulnerable to XSS. The limit is their creativity.

How to prevent XSS

Input validation – Validate user input using a blacklist or a whitelist on the server side.  Client-side validation cannot be trusted as it can be easily bypassed.

Escaping – Conversion of special characters to their escape sequences. For example, “<” is converted to “&lt;”.
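The two defenses above, server-side allow-list validation followed by escaping of anything reflected into the page, as an added example that is not part of the original post. The name-field policy, the function names and the sample payload are assumptions chosen for this example.

```javascript
// Added example (not from the original post): server-side allow-list validation
// of a form field plus HTML escaping of everything reflected back into the page.

// Escape the five characters that let text break out of HTML text content or
// a double/single-quoted attribute value. "&" must be handled first so that
// already-escaped input is not double-decoded later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow-list (whitelist) validation for a "first name" field: letters, spaces,
// hyphens and apostrophes, 1-40 characters. This policy is hypothetical and
// chosen for the example; anything outside it is rejected outright.
const FIRST_NAME_RE = /^[\p{L} '-]{1,40}$/u;
function isValidFirstName(value) {
  return typeof value === "string" && FIRST_NAME_RE.test(value);
}

// Vulnerable rendering: the input is concatenated straight into the markup,
// so the test string from the post is reflected as live script.
function renderGreetingUnsafe(firstName) {
  return `<p>Hello, ${firstName}!</p>`;
}

// Hardened rendering: validate first, then escape whatever is reflected.
// Returns an object shaped like an HTTP response: { status, html }.
function renderGreetingSafe(firstName) {
  if (!isValidFirstName(firstName)) {
    return { status: 400, html: "<p>Invalid first name.</p>" };
  }
  return { status: 200, html: `<p>Hello, ${escapeHtml(firstName)}!</p>` };
}

// Constructed sample input: the reflected-XSS test string used in the post.
const TEST_PAYLOAD = '<script>alert("Vulnerable to XSS")</script>';

console.log("unsafe:", renderGreetingUnsafe(TEST_PAYLOAD));
console.log("safe:  ", renderGreetingSafe(TEST_PAYLOAD));
console.log("safe:  ", renderGreetingSafe("O'Brien"));
```

Escaping is context-specific: this function is correct for HTML text and quoted attribute values, but data placed inside a script block, a URL or a CSS rule needs the escaping rules of that context instead.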

To conclude, I want to drive one very important point home: ALL data received by your application must be treated as if it were coming from an untrusted source.
