What is cross site scripting?

by

With cross-site scripting, it’s possible to infect the HTML document produced without causing the web server itself to be infected. An XSS attack uses the server as a vector to present malicious content back to a client, either instantly from the request (a reflected attack), or delayed though storage and retrieval (a stored attack).

An XSS attack exploits a weakness in the server’s production of a page that allows request data to show up in raw form in the response. The page is only reflecting back what was submitted in a request… but the content of that request might hold characters that break out of ordinary text content and introduce HTML or JavaScript content that the developer did not intend.

Here’s a quick example. Let’s say you have some sort of templating language made to produce an HTML page (like PHP, ASP, CGI, or a Velocity or Freemarker script). It takes the following page and substitutes “<?=$name?>” with the unescaped value of the “name” query parameter.

<html>
<head><title>Example</title></head>
<body>Hi, <?=$name?></body>
</html>

Someone calling that page with the following URL:

http://example.com/unsafepage?name=Rumplestiltskin

Should expect to see this message:

Hi, Rumplestiltskin

Calling the same page with something more malicious can be used to alter the page or user experience substantially.

http://example.com/unsafepage?name=Rumplestiltskin<script>alert('Boo!')</script>

Instead of just saying, “Hi, Rumplestiltskin”, this URL would also cause the page to pop up an alert message that says, “Boo!”. That is, of course, a simplistic example. One could provide a sophisticated script that captures keystrokes or asks for a name and password to be verified, or clears the screen and entirely rewrites the page with shock content. It would still look like it came from example.com, because the page itself did, but the content is being provided somewhere in the request and just reflected back as part of the page.

So, if the page is just spitting back content provided by the person requesting it, and you’re requesting that page, then how does a hacker infect your request? Usually, this is accomplished by providing a link, either on a web page or sent to you by e-mail, or in a URL-shortened request, so it’s difficult to see the mess in the URL.

<a href="http://example.com?name=<script>alert('Malicious content')</script>">
Click Me!
</a>

A server with an exploitable XSS vulnerability does not run any malicious code itself– its programming remains unaltered– but it can be made to serve malicious content to clients.

More Related Contents:

  1. Best way to handle security and avoid XSS with user entered URLs
  2. Will HTML Encoding prevent all kinds of XSS attacks?
  3. PHP Session Security
  4. The ultimate clean/secure function
  5. How do I create a self-signed certificate for code signing on Windows?
  6. What is token-based authentication?
  7. Are HTTPS headers encrypted?
  8. How can I throttle user login attempts in PHP
  9. Why is using a Non-Random IV with CBC Mode a vulnerability?
  10. Best Practices: Salting & peppering passwords?
  11. Is it safe to put a jwt into the url as a query parameter of a GET request?
  12. What’s the right OAuth 2.0 flow for a mobile app
  13. How do I store and retrieve credentials from the Windows Vault credential manager?
  14. MVC 6 Bind Attribute disappears?
  15. What is the most secure seed for random number generation?
  16. Moving old passwords to new hashing algorithm?
  17. Best way for a ‘forgot password’ implementation? [closed]
  18. What does it mean when they say React is XSS protected?
  19. Should JWT be stored in localStorage or cookie? [duplicate]
  20. Is it worth encrypting email addresses in the database?
  21. How do you set up use HttpOnly cookies in PHP
  22. Is it possible to reverse a SHA-1 hash?
  23. Secure Google Cloud Functions http trigger with auth
  24. RSA signature size?
  25. What is the appropriate way to manage API secrets within a Google Apps script?
  26. Securing an API: SSL & HTTP Basic Authentication vs Signature
  27. What’s wrong with XOR encryption?
  28. What is the clash rate for md5? [closed]
  29. How to protect against direct access to images? [closed]
  30. is it bad to pass jwt token as part of url?

Leave a Comment