Katana VentraIP

Cross-site scripting

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec.[1] XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.


OWASP considers the term cross-site scripting to be a misnomer. The term initially referred to an attack used for breaching data across sites, but it gradually came to include other forms of data injection attacks.[2]

Preventive measures[edit]

Contextual output encoding/escaping of string input[edit]

There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and URL (or percent) encoding.[20] Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner.


Performing HTML entity encoding only on the five XML significant characters is not always sufficient to prevent many forms of XSS attacks; security encoding libraries are usually easier to use.[20]


Some web template systems understand the structure of the HTML they produce and automatically pick an appropriate encoder.[21][22][23]
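The encoders below are an added example, not code from the page or from any library it cites. They implement one encoder per output context (element text, attribute value, JavaScript string literal, URL query parameter) and show the gap the paragraph above warns about: encoding only the five XML significant characters (assumed here to be &, <, >, " and ') leaves a value like `a b=c` untouched, which is harmless in element text but, in an unquoted attribute, would introduce a second attribute. The context names, the function names and the `encode_for` dispatcher are assumptions chosen for this illustration.

```python
import html
import json
from urllib.parse import quote

# Added example (not from the page). The five-character table mirrors what "HTML entity
# encoding on the five XML significant characters" is assumed to mean.
FIVE_XML_CHARS = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_html_text(value: str) -> str:
    """Escape only the five significant characters: adequate for element text content."""
    return "".join(FIVE_XML_CHARS.get(ch, ch) for ch in value)


def encode_html_attr(value: str) -> str:
    """Encode every non-alphanumeric character as a numeric reference, so the value
    cannot end or extend an attribute even if the template forgot the surrounding quotes."""
    return "".join(ch if ch.isalnum() else f"&#x{ord(ch):02x};" for ch in value)


def encode_js_string(value: str) -> str:
    """Return a JavaScript string literal (quotes included) for use inside <script>.
    json.dumps escapes quotes, backslashes and non-ASCII; <, > and & are escaped as well
    so the literal can never contain the sequence that closes a </script> element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_param(value: str) -> str:
    """Percent-encode a value destined for a query-string parameter."""
    return quote(value, safe="")


# Assumed context names; an unknown context fails closed instead of emitting raw data.
ENCODERS = {
    "html_text": encode_html_text,
    "html_attr": encode_html_attr,
    "js_string": encode_js_string,
    "url_param": encode_url_param,
}


def encode_for(context: str, value: str) -> str:
    """Pick the encoder for the target context; refuse to guess when none is registered."""
    try:
        encoder = ENCODERS[context]
    except KeyError:
        raise ValueError(f"no encoder registered for context {context!r}; refusing to emit raw data")
    return encoder(value)


def text_encoding_changes_value(value: str) -> bool:
    """True when five-character encoding altered the value at all. A False result means the
    value would reach an unquoted-attribute context verbatim, which is the insufficiency
    the paragraph above describes."""
    return encode_html_text(value) != value


if __name__ == "__main__":
    sample = "a b=c"  # constructed input: no special characters, but spaces and '='
    print("text context   :", encode_for("html_text", sample))
    print("attr context   :", encode_for("html_attr", sample))
    print("js context     :", encode_for("js_string", "</script>"))
    print("url context    :", encode_for("url_param", "a b&c=d"))
    print("changed by text encoder?", text_encoding_changes_value(sample))
```

The practical rule this encodes: choose the encoder by where the value lands in the document, not by what the value looks like, and treat "no encoder registered" as an error rather than falling back to raw output.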

Safely validating untrusted HTML input[edit]

Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain XSS code.


Many validations rely on parsing out (blacklisting) specific "at risk" HTML tags such as iframe, link and script.


There are several issues with this approach; for example, seemingly harmless tags are sometimes left out which, when utilized correctly, can still result in an XSS.


Another popular method is to strip user input of " and '; however, this can also be bypassed, as the payload can be concealed with obfuscation.
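As an added example (not the page's code and not taken from any sanitization library), the parser below takes the opposite approach to the blacklisting the section criticises: it rebuilds the output from an allowlist of elements and attributes, drops every attribute it does not know, requires `href` values to carry an allowlisted absolute scheme, discards `script`/`style` elements together with their content, re-encodes all text on output, and closes any elements the input left open. The tag, attribute and scheme lists are assumptions chosen for a forum-style "limited subset of HTML".

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example: allowlist sanitizer. These lists are assumptions for the illustration.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # any attribute not listed here is dropped
VOID_TAGS = {"br"}                         # never pushed on the open-element stack
DROP_WITH_CONTENT = {"script", "style"}    # element and its text both disappear
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(value: str):
    """Accept only absolute URLs whose scheme is allowlisted; everything else is rejected."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    return value if scheme in SAFE_URL_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; unknown elements lose their tags but keep text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # input entities arrive decoded
        self.out = []
        self.stack = []        # allowlisted elements currently open, for well-formed output
        self.dropping = None   # name of a DROP_WITH_CONTENT element we are currently inside

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')  # re-encode on output
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.stack:
            while True:  # close anything left open inside this element, then the element
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=True))  # text is never emitted raw

    def result(self) -> str:
        while self.stack:  # input ended with elements still open: close them
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Parse untrusted HTML and return a document built only from allowlisted parts."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs for the illustration.
    for sample in ["<b>very</b> large", '<i onclick="x">text</i>',
                   "<script>var x = 1;</script>after", "<b>bold <i>both",
                   '<a href="https://example.org/?a=1&b=2" title="t">link</a>']:
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

Comments, declarations and processing instructions are dropped because the parser's default handlers for them emit nothing. A maintained library such as DOMPurify (listed under the page's related links) covers far more of HTML's parsing corner cases than this sketch; the value of the example is the structure, in which nothing reaches the output unless a rule explicitly allows it.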


See also[edit]

Web application security

Internet security

XML external entity

Browser security

Metasploit Project, an open-source penetration testing tool that includes tests for XSS

w3af, an open-source web application security scanner

DOMPurify, a free and open-source code library by Cure53 to reduce susceptibility to XSS vulnerabilities in websites.

Cross-document messaging

Samy (computer worm)

Parameter validation

