Cross-site scripting (also referred to as XSS) is one of those pesky Web security problems that's been around forever. It just never seems to go away. It affects the majority of Web applications I look at and, based on hack attack stories we see in the news, it appears that it's still a widespread problem. Seemingly too complex an issue for many developers to understand, XSS is actually pretty straightforward.
When XSS is successful, the following can occur:
- Cookies can be manipulated or stolen from the victim's browser.
- The history list can be read from the victim's browser.
- The local IP address of the victim's computer can be determined.
- The user can be socially-engineered (or phished) into divulging Web site login credentials.
All of this information can be captured via the Web server's log files or even sent to a third-party site.
- Entering an alert, such as
This is the easiest and most basic way to test for XSS. The expected result would be the Web browser reflecting back the script you input, like the following:
- Entering a cookie command, such as <script>document.write(document.cookie)</script>
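As an added illustration (not code from the original article), the following shows why those test strings come back unchanged: a search page that concatenates the query straight into its HTML, next to the same page with output encoding applied, plus a check for whether a response echoes a probe verbatim. The function names and the sample page are this example's own.

```javascript
// Added example: a minimal reflected-search page rendered two ways.
// renderSearchUnsafe, renderSearchSafe, escapeHtml and isReflectedVerbatim
// are names chosen for this example, not from the original article.

// Encode the five characters that let text break out of an HTML text node
// or attribute. '&' must be handled first so encoded output is not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query is placed into the page body as-is, so any markup
// in it (including a <script> tag) is parsed by the browser as page content.
function renderSearchUnsafe(query) {
  return `<html><body><p>Results for: ${query}</p></body></html>`;
}

// Hardened: the query is HTML-encoded before it is placed in the page, so the
// browser displays it as text instead of parsing it.
function renderSearchSafe(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// The check the article describes: does the response echo the probe back unchanged?
function isReflectedVerbatim(render, probe) {
  return render(probe).includes(probe);
}

// Constructed probe, the same kind of input the article uses for testing.
const PROBE = "<script>document.write(document.cookie)</script>";

console.log("unsafe page reflects raw probe:", isReflectedVerbatim(renderSearchUnsafe, PROBE)); // true
console.log("safe page reflects raw probe:  ", isReflectedVerbatim(renderSearchSafe, PROBE));   // false
console.log(renderSearchSafe(PROBE));
```

The same verbatim-reflection check works against any page that builds HTML from request parameters; the fix is always to encode for the context the value lands in.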
In the grand scheme of Web security vulnerabilities, XSS attacks are pretty basic. They just follow the tried and true assumption that Web applications don't provide good input validation and that users can easily be lured into doing whatever. In my follow-up to this tip, I'll give you some real-world examples of Web sites with XSS vulnerabilities and show exactly what can happen when they are exploited.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator and author of the Security On Wheels blog and information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver --at- principlelogic.com.
This was first published in January 2008