Cross-Site Scripting

Cross-Site Scripting (XSS) is the process of injecting malicious code into the target website. This can be done in several ways, but the end result is the user’s browser runs unauthorized code as themselves, within their current session.

Non-persistent XSS

This is the traditional type of XSS exploit. It involves injecting data into a site and then guiding users to the malicious content.

Say a page on your site takes ?page_num=2&per_page=50 as query string parameters. If you do not escape these parameters, an attacker can change their values to malicious code. This code could take the user to a delete page, run JavaScript in their browser, or perform any number of client-side attacks.

After injecting their malicious code, the attacker somehow gets a user to visit the page. When the user arrives, the application will verify their valid user session and execute the malicious code. A user could end up deleting their own account!

Persistent XSS

A persistent XSS exploit is stored permanently on the server. For example, a social sharing site like Facebook allows users to save messages and display them to other users. An attacker could store malicious code in a Facebook post. If Facebook did not properly escape this data when displaying it back to other users, that code would be executed. Thus, anyone that sees the attacker’s status would be running this malicious code.