XSS (Cross-Site Scripting)

What are Cross-Site Scripting Vulnerabilities?

Easy
25 min

Cross-Site Scripting (XSS) is a vulnerability that allows malicious JavaScript code to be injected into trusted web pages, thereby enabling the execution of malicious code in the browsers of users who visit the site.

XSS vulnerabilities arise when untrusted input is not handled properly but is returned to the browser as is, causing the browser to interpret it as code on the client side. Such input could be, for example, an open comment on a discussion forum.

The image below shows an example of what a successful XSS attack might look like. The attacker finds an XSS vulnerability on the website, saves malicious JavaScript code on the website, and when the user(s) visit the infected website, the code gets executed, allowing the attacker to steal the desired information.

Example of a Vulnerable Solution

Here is a PHP script that is vulnerable to XSS attacks.

echo "<p> Search results for search: " . $_GET['search'] . "</p> ";

It is vulnerable because it builds HTML unsafely: the value of the URL parameter search is written into the page without being encoded. An attacker can create a link like the following, which executes the attacker's JavaScript code on the website when the target opens it:

https://www.example.com/?search=<script>alert('XSS')</script>

Opening the link causes the user's browser to receive and render the following HTML, including the injected script:

<p> Search results for search: <script>alert('XSS')</script></p>

XSS Vulnerabilities Categories

XSS vulnerabilities are often classified into categories based on the following questions:

  • Can the vulnerability be exploited in such a way that the malicious JavaScript code "remains" on the page, for example in a message on a discussion forum? This is called "stored" or "persistent" XSS.
  • Is the harmful code only reflected once, when the target of the attack opens a maliciously formatted link? This is called "reflected" XSS.
  • Or, regardless of these two, is the vulnerability solely in JavaScript code that, for example, dangerously handles the anchor (fragment) part of the browser URL? These are usually referred to as DOM-based XSS vulnerabilities.

Different situations where XSS vulnerabilities occur

The vulnerability typically arises from one of the following reasons:

  • Inadequate encoding: The application generates HTML unsafely (parameterization without proper encoding).
  • WYSIWYG editors: The application allows users to directly edit the website's HTML code (e.g., WYSIWYG editors).
  • File uploads: The application allows users to send HTML/SVG files and serves them back dangerously.
  • Vulnerable components: The application uses outdated and vulnerable JavaScript libraries.
  • eval() and its counterparts: The application uses JavaScript unsafely by passing untrusted data into functions that execute code directly from a string (such as eval).
  • Links: The application allows users to set the HREF attributes of links without validating them against malicious URL addresses, such as those starting with javascript:.
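
The following is an added example, not part of the original course material. It shows the vulnerable search output from earlier in hardened form and covers the "Inadequate encoding" and "Links" items from the list above. The helper names e, safe_href and render_results are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: helper names (e, safe_href, render_results) are hypothetical.

// Encode untrusted text for an HTML element body or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list link targets: only absolute http(s) URLs with a host pass.
// Everything else (javascript:, data:, malformed input) is replaced by "#".
function safe_href(string $url): string
{
    $url = trim($url);
    // Browsers drop tabs and newlines inside URLs, so reject control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return '#';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '#';
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : '#';
}

// Hardened version of the page's search output, plus a user-supplied link.
function render_results(string $search, string $link): string
{
    return '<p>Search results for search: ' . e($search) . '</p>' . "\n"
         . '<a href="' . e(safe_href($link)) . '">' . e($link) . '</a>' . "\n";
}

// Constructed sample input standing in for $_GET['search'] and a user-set link.
$samples = [
    ["<script>alert('XSS')</script>", "javascript:alert('XSS')"],
    ['kittens & "puppies"', 'https://www.example.com/?q=a&b=c'],
];

foreach ($samples as [$search, $link]) {
    echo render_results($search, $link), "\n";
}
```

Encoding happens at output time and per context: the same value is validated as a URL before it goes into href, and HTML-encoded in both places where it is written into markup.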

XSS example

Finally, here is a practical example. Start the task and try entering HTML or JavaScript code into the textbox.

A few example inputs that can be used to identify vulnerabilities:

<h1>Text </h1>
<script>alert('tekstiä')</script>
<img src='' onerror='alert("tekstiä")'>