What is Cross-Site Scripting (XSS)?

What Is Cross-Site Scripting (XSS)?

Cross-site Scripting is a common web-application vulnerability that results from untrusted input being returned to a Web Browser without validation and/or proper neutralization. When a web application fails to validate input data and/or to neutralize certain characters, input can be maliciously crafted so that arbitrary JavaScript code is executed by the receiving Web Browser.

A web-application that accepts such malicious input and returns it in a subsequent response to the originating Browser is said to exhibit “Reflected XSS”, whereas an application that stores the malicious input and includes it in responses to other users is termed “Persistent XSS”.

Why Is Cross-Site Scripting So Common?

What makes Cross-site Scripting (XSS) so insidious is that there are so many ways to “break” the data/code barrier in Hypertext Markup Language (HTML). HTML supports intermixed sections of content, markup, and executable code in the same space, and input intended to be rendered as content can be contorted into executable code by attackers. An example will help to clarify this:

Cross-site Scripting (XSS) Example

As a simple example, assume that we prompt the user for their name and subsequently re-display it and ask them to confirm it.  The page might contain:

Name: John Smith

which might be rendered from the following HTML fragment:

<strong>Name: </strong> John Smith

An attacker might provide the following malicious input as the “Name” when prompted:

John Smith <script>alert('xss');</script>

which would result in the following HTML fragment:

<strong>Name: </strong> John Smith <script>alert('xss');</script>

When rendered, this causes the Browser to execute the provided JavaScript statements (which in our example triggers an innocuous pop-up) and clearly violates the designer’s intentions. This is a simple example because the user input is injected directly into HTML content; there are several other contexts (for instance, inside attribute values or existing scripts) that can be exploited and that are not as straightforward.

In summary, Cross-site Scripting (XSS) is possible whenever untrusted input is injected into an HTML response without the proper validation and/or the neutralization necessary to prevent a breaking of the content/code barrier.
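The name-echo example above, reproduced as an added Python illustration (this code is not from the original article): the vulnerable render writes the untrusted value into the HTML content context verbatim, while the hardened render entity-encodes it first, so the page's payload reaches the browser as inert text. The function and variable names are assumptions, and the encoding shown is correct only for the HTML content (and quoted attribute) context; other contexts need their own encoding.

```python
import html
import re

# Constructed sample inputs: the article's benign name and its malicious variant.
BENIGN_NAME = "John Smith"
MALICIOUS_NAME = "John Smith <script>alert('xss');</script>"


def render_name_vulnerable(name: str) -> str:
    """Reflects the submitted name into the HTML fragment unchanged.

    This reproduces the article's vulnerable behaviour: no validation and no
    neutralisation of HTML metacharacters, so markup in the input becomes
    markup in the response.
    """
    return f"<strong>Name: </strong> {name}"


def render_name_hardened(name: str) -> str:
    """Same fragment, but the untrusted value is HTML-entity-encoded first.

    html.escape() replaces & < > and, with quote=True (the default), also
    " and ' so the browser renders the characters instead of parsing them.
    """
    return f"<strong>Name: </strong> {html.escape(name, quote=True)}"


# Matches a real <script start tag; the escaped form "&lt;script" does not match.
SCRIPT_START_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(fragment: str) -> bool:
    """Crude response check: does the rendered fragment contain a live
    <script> start tag (as opposed to escaped text)?"""
    return SCRIPT_START_TAG.search(fragment) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_name_vulnerable),
                          ("hardened", render_name_hardened)):
        out = render(MALICIOUS_NAME)
        print(f"{label}: {out}")
        print(f"  live <script> element present: {contains_script_element(out)}")
```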

For tips and tricks regarding how to detect Cross-Site Scripting (XSS) vulnerabilities in web applications, see the article entitled “How To Test for Cross-Site Scripting (XSS)”.

To understand how to prevent Cross-Site Scripting (XSS), see the article entitled “How To Prevent Cross-Site Scripting (XSS)”.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and to train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.

Contact us to learn how to better protect your enterprise.

Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.