Cross-site scripting
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Cross-site scripting (XSS) allows attackers to inject malicious scripts into a webpage, targeting users who load that page. It's usually caused by insufficient input validation and improper encoding of user input that is displayed on web pages. Using XSS, attackers can achieve the following:
Hijack accounts and sessions
Steal sensitive information
Modify page content and deface websites
Redirect users to another webpage
Record keystrokes
Redirect to websites that exploit browser vulnerabilities
Trick users into downloading files or entering information (e.g. via phishing)
Types of XSS
Persistent or stored
The malicious script is stored in the database and displayed to any users who load a page containing the script. An example of this is an attacker exploiting vulnerable blog commenting to post a malicious script as a comment which is then displayed to any other user who loads the page.
Reflected
The malicious script is part of the user's request to the website and is reflected back at them as part of the response. An example would be a user clicking an email link with a malicious script in one of the parameters. The script is run against the same user when the page loads and sends their session data to the attacker's server.
DOM-based
Basic technique
The basic technique is to put a test script in any form input field and see if it pops an alert box. You may want to try a few variations to test for badly-implemented input sanitization:
JavaScript can also be injected through a URL, which an unsuspecting person might click in an email:
You can find all kinds of XSS vulnerabilities, including DOM-based, by manually walking through the application with your browser and modifying each URL parameter to contain a standard test string.
Further reading
Last updated