Cross-Site Scripting (XSS)

XSS is one of the most common web app vulnerabilities. XSS vulnerabilities are normally found in:

• Search fields which echo a string back to the user

• HTTP headers

• Input fields which echo user data

• Error messages which return user text

• Hidden fields that include user input data

• Applications (or websites) which display user supplied data

There are three main types:

• Reflected XSS: malicious code or scripts are injected by a vulnerable web app using any method which yields a response as part of valid HTTP request. An example of reflected XSS is a user being persuaded to follow a malicious link to a vulnerable server which reflects code back to the user's browser, causing it to execute the code or script. The steps in this are typically:

  1. Attacker finds vulnerability in web server.

  2. Attacker sends a malicious link to victim.

  3. Victim clicks malicious link, and attack is sent to vulnerable server.

  4. Attack is reflected to victim and executed.

  5. Victim sends information (depending on attack) to attacker.

• Stored XSS: malicious code or scripts are permanently stored on a vulnerable server using a database. These attacks typically occur on websites hosting blogs or web forums. The DOM (Document Object Model) is a programming interface that treats HTML, XHTML or XML documents as a tree.

• DOM-Based XSS: DOM-based attacks are typically reflected XSS which is triggered by sending a link with inputs that are reflected to the web browser. In a DOM-based attack, the payload is never sent to the server itself, the payload is processed entirely in-browser.