Cross-Site Scripting (XSS)
1 Global Definition
Cross-Site Scripting (XSS) is a vulnerability in web applications that allows attackers to inject malicious scripts into web pages viewed by other users. This can result in session hijacking, phishing, and theft of sensitive data like cookies.
1.1 Types of XSS
Stored XSS
Malicious scripts are permanently stored in a database, comment field, or forum post. Every visitor who loads that page executes the script.
Reflected XSS
The malicious payload is part of the HTTP request, and reflected immediately back in the response. Often seen in URL parameters.
DOM-based XSS
The attack occurs in the Document Object Model (DOM) without involving the server. Vulnerable JavaScript code directly processes attacker-controlled input.
1.2 How XSS Works
The attacker injects a malicious payload into an input field or URL. When the server or client-side code fails to validate or sanitize this input, the script executes in the victimβs browser.
Example Payload:
<script>alert('Hacked!')</script>
1.3 Real-World Impact
- Theft of authentication tokens and impersonation of accounts.
- Defacement of websites via injected HTML or CSS.
- Execution of complex exploits like keylogging.
- Used in large breaches (e.g., the MySpace Samy Worm).
1.4 Defense Strategies
- Input Validation and output encoding.
- Use Content Security Policy (CSP) headers.
- Employ security libraries like OWASP ESAPI.
- Regular code audits and penetration testing.
1.5 Why It Matters
XSS is consistently listed in the OWASP Top 10. It affects millions of users worldwide, enabling attackers to steal data, spread worms, and damage trust. Preventing XSS is essential for maintaining security, user confidence, and compliance with GDPR and other data protection regulations.