
Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Web Security

Also called: "xss", "cross site scripting", "script injection"

XSS attacks exploit the trust that users (and their browsers) place in a website by injecting malicious code that runs in the context of that site.

Attack types

  • Reflected XSS: Malicious script in URL parameters, reflected back in response.
  • Stored XSS: Malicious script stored in database, executed when page loads.
  • DOM-based XSS: Client-side JavaScript manipulates DOM unsafely.
  • Mutation XSS: Exploits browser parser quirks and mutations.

Common attack vectors

  • Form inputs and search boxes.
  • URL parameters and query strings.
  • HTTP headers (User-Agent, Referer).
  • File uploads with user-controlled content.
  • Third-party widgets and embedded content.

Impact

  • Session hijacking (steal cookies/tokens).
  • Credential theft via fake login forms.
  • Malware distribution and phishing.
  • Defacement and content manipulation.
  • Keylogging and user monitoring.

Prevention

  • Input validation: Whitelist allowed characters and patterns.
  • Output encoding: HTML-encode all untrusted data before rendering.
  • Content Security Policy (CSP): Restrict script sources.
  • HttpOnly cookies: Prevent JavaScript access to session cookies.
  • X-XSS-Protection header: Legacy browser XSS filter.
  • Framework auto-escaping: Use template engines that escape by default.

Testing

  • Try common payloads: <script>alert(1)</script>
  • Test encoding bypasses: URL encoding, Unicode, etc.
  • Check contexts: HTML, JavaScript, CSS, URL.
  • Use automated scanners and manual testing.
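An added example, not code from the original glossary, of the context-specific output encoding the Prevention list calls for, applied to the HTML, JavaScript-string and URL contexts named under Testing. The encoder functions, the render helpers and the sample payload are this example's own constructions.

```javascript
// Added example (not from the original glossary): context-aware output
// encoding of untrusted data. Each encoder targets one rendering context;
// using none, or the wrong one, leaves the gap the sample payload shows.

// HTML body and quoted-attribute context: encode the five HTML metacharacters.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// JavaScript string-literal context: \xHH/\uHHHH-escape everything that is
// not alphanumeric, so quotes, backslashes, newlines and "</script>" are inert.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value. This protects a
// parameter inside a query string; a user-supplied *whole* URL still needs
// its scheme checked separately (e.g. reject "javascript:").
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Vulnerable render: untrusted "name" is concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened render: same markup, but the untrusted value is HTML-encoded.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + encodeHtml(name) + '</p>';
}

// Hardened inline-script render: the value lands inside a JS string literal,
// so the JavaScript-string encoder (not the HTML one) is the right choice.
function renderInlineScriptSafe(value) {
  return '<script>var q = "' + encodeJsString(value) + '";</script>';
}

// Constructed sample payload of the kind listed under "Testing".
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';
```

Running the unsafe and safe renderers over SAMPLE_PAYLOAD shows the raw tag surviving in the first and appearing only as entities in the second.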

Real-world examples

  • MySpace Samy worm (2005): Spread via XSS, infected 1M users.
  • Twitter XSS (2010): Spread via hovering over tweets.
  • British Airways (2018): Data breach via XSS injection.