This is part two in a list of articles in which I'm trying to detail the OWASP Top 10 vulnerabilities. (see intro)

What is Cross Site Scripting? Cross Site Scripting or XSS is an attack on a website in which an attacker sends text based attack scripts which are executed within the browser. Apparently about 80% of all security vulnerabilities were as of the result of XSS. link This means that they are a special form of a code injection attack.

As a simple example, an attacker can post on a forum a javascript function which will cause any visitor to download malware if the post is not validated. The lists of problems are endless though - Redirects to a phishing site, hijacked sessions, hijacked browsers or simply defaced websites.

The attack vectors aren't always entered into a text box on a website though - They can come from any source - web services, databases, XML files etc.

There are basically two different classifications of XSS - Persistent and non-persistent.

This is the most common type of vulnerability. These can occur when a web page redisplays a string typed into a text box without validating or escaping the content. A common example of this is when a search parameter is displayed on a result page. A properly constructed script entered into the search bar could allow an attacker to step outside of the security context to execute a script. The implication of this kind of attack isn't necessarily that obvious at first glance as an attacker can only compromise their own security by entering the query into a site. However if an unsuspecting user clicks on a link which directs them to the vulnerable site and passes through the attack string, the code can execute in their browser. Even though the website wasn't "hacked", it still could be used as a agent to cause harm to others.

The earlier mentioned example of unsanitised postings to a forum which in turn cause harm to other visitors is and example of a persistent attack. Any subsequent visitor to the page could execute the script as it's stored on a long term basis. Social networks provide a very interesting case where it could be possible to create a script which is if run in Facebook for example, posts a message to a user's friend's "wall". Then once somebody reads it, it could again promulgate to their friends. This is an example of a client-side worm and with 500+ million people on Facebook, it could quite easily be a huge problem. On October 4 2005, Samy worm hit MySpace and infected over 1 million people within 24 hours.

So... Now that you know some of what it's about, how do you protect your systems from being part of an attack?
Firstly, you have to find all sources of untrusted data. This could be data from your own database, web services, text controls on a website, URL parameters, uploaded text files etc. Now that you've determined all the possible places that an attack vector could come from, ensure that any output is properly escaped. This means that any HTML significant characters such as < > / ' ' < <!-- --> & etc, are converted to a different format which the browser cannot confuse. Therefore any malicious script entered into a text box and outputted to the browser cannot be mistaken for script to execute. For an interesting on-line tool, have a look at: There are numerous libraries available for virtually every language, so search the Net for an appropriate one - A good place to start is the OWASP site.

Some interesting XSS examples:


Twitter Delicious Facebook Digg Stumbleupon Favorites More