# Cross Site Scripting (XSS)

This is an attack where the attacker uses a vulnerability to trick the web server into including code in the HTML page. This can happen when a website accepts user input and then displays that input without validating and sanitizing it.

Imagine, for example, a simple input field where you can add your name. You could try and type: `Melanie<script>alert(1)</script>`. If the website has no security precautions and now takes your input and displays it, the HTML code would look something like this:

```
<p>Hello: Melanie<script>alert(1)</script>!</p>
```

Your browser will not know the difference between the user input and 'real' script code from the website, so it will execute the JavaScript code.

The script code in this example is very simple, but an attacker could also write more elaborate code and inject it into the site. It would be very easy for an attacker to steal a user's cookie and send it to the attacker's server. With this cookie the attacker could log in as the victim user. The attacker could also alter the content of a website, for example by adding fake news to a blog. A login form, or a form asking for credit card information, could also be written in JavaScript and injected into the site. An unsuspecting user could fill out the form with their sensitive data, which would then be sent to the attacker.

There are three different types of XSS: reflected, stored, and DOM based XSS.

## Reflected XSS

Let's think back to our first example: we have a website asking for your name. After sending your name, the site will display something like 'Hello Name!'. If an attacker were to insert script code here, the code would not be permanently saved to the site; the name is always displayed dynamically from whatever the user inserts. If an attacker wanted to trick a victim into visiting the infected page, the attacker would have to get the victim to click on a prepared link. For example: `https://testsite.com/?name=evil<script>alert(1)</script>`. This means more work for the attacker, because they would need to find ways to trick other people into clicking the link.

## Stored XSS

Stored XSS works just like reflected XSS, only this time the script code is saved permanently, e.g. to a database. This can happen when guestbooks, comment sections, forum threads or similar features just save user input without validating and sanitizing it. The attacker can now write a comment or forum post and add the script code to his or her comment. The comment will be permanently saved to the database, and every time a user reads the forum thread with the malicious post the script code will be executed. The victim does not have to click anything for this! It happens automatically, unless the victim has JavaScript deactivated in their browser. Our example code `alert(1)` is quite harmless, but keep in mind that the attacker can write *any* JavaScript code here.

## DOM based XSS

DOM based XSS can be stored or reflected, depending on the vulnerability. The Document Object Model (DOM) is a representation of an HTML site in a tree structure.

![](https://upload.wikimedia.org/wikipedia/commons/thumb/5/5a/DOM-model.svg/440px-DOM-model.svg.png)

> (Source: https://en.wikipedia.org/wiki/Document_Object_Model)

In a DOM based XSS attack, the malicious code is inserted *after* the site's code is built on the server side. This means the code is inserted by the victim's browser itself. You can find an easy to understand explanation here: [https://www.acunetix.com/blog/articles/dom-xss-explained/](https://www.acunetix.com/blog/articles/dom-xss-explained/)

## How to protect against XSS attacks

The only way a user can protect themselves from an XSS attack is by deactivating JavaScript in the browser. But this is hardly useful advice in our modern world. Protecting against XSS vulnerabilities is clearly the job of website developers!

User input should always be handled very carefully. Never trust a user or any input that could be controlled on the client side. The best advice is to read the best practices of the language you code in carefully. All modern languages have built-in functions to escape and sanitize user input that you wish to output on your site.
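As an added example (not code from the original article), here is the greeting page from the first example rendered in Node.js both the vulnerable way and with output escaping; the function names and the hand-written `escapeHtml` helper are my own, not a library API:

```javascript
// Added example, not part of the original article. Function names are my
// own; escapeHtml is hand-written here, not a library API.

// Vulnerable rendering: the name is concatenated straight into the HTML, so
// the article's input Melanie<script>alert(1)</script> becomes live markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello: ${name}!</p>`;
}

// Escape the five characters that can change HTML context. This encoder is
// for text between tags; a value placed inside an attribute, a URL or a
// <script> block needs a context-specific encoder instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: escape every user-controlled value at the point of
// output, so the browser shows it as text and never executes it.
function renderGreetingSafe(name) {
  return `<p>Hello: ${escapeHtml(name)}!</p>`;
}

// Cheap check for a test suite: did user input end up as a real <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, taken from the article's own example.
const sampleName = 'Melanie<script>alert(1)</script>';

console.log('unsafe:', renderGreetingUnsafe(sampleName));
console.log('safe  :', renderGreetingSafe(sampleName));
// unsafe: <p>Hello: Melanie<script>alert(1)</script>!</p>
// safe  : <p>Hello: Melanie&lt;script&gt;alert(1)&lt;/script&gt;!</p>
```

The same rule carries over to DOM based XSS in browser code: assign untrusted values with `textContent`, never with `innerHTML`.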