Cross-Site Scripting

Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. An attack occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are widespread: they occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use cross-site scripting to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, so it executes the script. Because the browser thinks the script came from a trusted source, the malicious script can access any session tokens, cookies, or other sensitive information retained by the browser and used with that site. Such scripts can even rewrite the content of the HTML page. Put simply, cross-site scripting happens when data enters a web application through an untrusted source, most commonly a web request, and that data is then included in dynamic content sent to a web user without being validated for malicious content.

Two Types of Cross-site Scripting

  • Server XSS – occurs when untrusted user-supplied data is included in an HTML response generated by the server. The source of the data can be the request itself or a stored location. In this case the entire vulnerability is in server-side code; the browser simply renders the response and executes any valid script embedded in it.
  • Client XSS – occurs when untrusted user-supplied data is used to update the DOM with an unsafe JavaScript call. A JavaScript call is considered unsafe when it can be used to introduce valid JavaScript into the DOM. The data source may be the DOM itself, or the data may have been sent by the server. The ultimate source of the data can be the request, or a stored location on the server or the client.

So how does cross-site scripting work?

To run malicious JavaScript in the victim's browser, the attacker must first find a way to inject a payload into a web page that the victim then visits. The attacker may also use social engineering techniques to convince the user to visit a vulnerable page into which a JavaScript payload has been injected. In addition, for an XSS attack to happen, the vulnerable site must directly include user input in its pages. The attacker can then insert a string that is used in the web page and treated as code by the victim's browser.
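The Server XSS case described in the list above and the "user input included directly in the page" condition just explained, shown as an added example that is not part of the original article: a hypothetical server-side rendering step that concatenates request data into HTML, beside the same step with contextual output encoding applied. The function names, the page template and the sample input are all constructed for this illustration.

```javascript
// Constructed sample of untrusted data arriving from a request parameter.
// A browser that receives it unencoded will parse and execute the script.
const UNTRUSTED_NAME = '<script>alert(1)</script>';

// Vulnerable rendering: the request value is placed directly into the
// HTML response, so the server has no say in what the browser executes.
function renderGreetingUnsafe(name) {
  return `<h1>Hello, ${name}!</h1>`;
}

// Mitigation: encode for the HTML text context before inserting.
// These five characters are the ones that let data turn into markup
// or attribute delimiters inside an HTML body.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, but every untrusted value passes
// through the encoder, so it is shown as text rather than run as code.
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// A simple check usable in a unit test or a response review: does the
// rendered page still contain the raw, unencoded input verbatim?
function containsRawInput(html, input) {
  return html.includes(input);
}

// Stand-alone demonstration of both renderings.
function demo() {
  return {
    unsafe: renderGreetingUnsafe(UNTRUSTED_NAME),
    safe: renderGreetingSafe(UNTRUSTED_NAME),
  };
}

console.log(demo());
```

The same encoding rule applies on the client: writing untrusted data with `textContent` keeps it as text, whereas handing it to a sink such as `innerHTML` is the unsafe DOM update the Client XSS bullet describes.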