Cross-site scripting

Cross-site Scripting (XSS) is an injection attack too. It is a client-side attack in which the attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application.

Let's go back to our simple example. When a signed-in user visits the homepage, i.e. /, she is shown a page with a text box and a Search button where she can supposedly search some content. To get a sense of how XSS works in its simplest form, go ahead and add a file named index.js under a new subfolder js under public, and write the following in it:

// Called whenever the keyword text field changes (see the onchange attribute below).
// The user's raw input is concatenated into markup and assigned to innerHTML,
// so the browser parses it as HTML rather than showing it as text.
function keywordChanged() {
    document.getElementById("keywordDisplay").innerHTML =
        "Keyword is " + document.getElementById("keyword").value;
}

Then, add a script tag loading js/index.js to index.html. Finally, add onchange="keywordChanged()" as a new attribute to the keyword text field. Whenever the keyword changes, the keywordChanged function implemented in index.js gets called. The keywordChanged function displays "Keyword is " followed by whatever the user types in. This all makes good sense, but what if a malicious user uses that text box to enter raw HTML content? Let's give it a try: type <a href="dangerous link">some keyword</a> into the text box. Because innerHTML parses the assigned string as markup, the browser creates a real anchor element, and a link shows up on the page that could redirect the user to a dangerous place if clicked.
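As an added example (not the tutorial's own code), here is the vulnerable keywordChanged beside two hardened versions: one that writes through textContent, and one that HTML-escapes the untrusted value before it reaches innerHTML. The element to update is passed in as a parameter, and a minimal stand-in object is used so the comparison also runs in Node.

```javascript
// Vulnerable: raw input is concatenated into markup and parsed by innerHTML,
// so <a>, <img onerror=...> and similar become live elements.
function keywordChangedUnsafe(displayEl, keyword) {
  displayEl.innerHTML = "Keyword is " + keyword;
}

// Hardened (1): textContent treats the value as text, never as markup.
function keywordChangedSafe(displayEl, keyword) {
  displayEl.textContent = "Keyword is " + keyword;
}

// Hardened (2): when markup must be built as a string, escape the untrusted
// part first. Covers the five characters that matter in element content and
// in double- or single-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function keywordChangedEscaped(displayEl, keyword) {
  displayEl.innerHTML = "Keyword is " + escapeHtml(keyword);
}

// Stand-in for a DOM element so the variants can be compared outside a browser.
// In the page itself you would pass document.getElementById("keywordDisplay").
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// The probe input from the tutorial: raw HTML typed into the search box.
const PROBE = '<a href="dangerous link">some keyword</a>';

// Runs all three variants on the probe and returns what each sink received.
function demo() {
  const unsafe = fakeElement(), safe = fakeElement(), escaped = fakeElement();
  keywordChangedUnsafe(unsafe, PROBE);
  keywordChangedSafe(safe, PROBE);
  keywordChangedEscaped(escaped, PROBE);
  return {
    unsafe: unsafe.innerHTML,   // markup reaches the HTML parser: a live link
    safe: safe.textContent,     // same characters, but shown literally as text
    escaped: escaped.innerHTML, // "&lt;a href=..." renders as literal text
  };
}
```

In a real browser the first variant produces a clickable link, while the other two display the tag characters verbatim.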

This is just a very simple example in which a user can only mess with what gets displayed to himself or herself. Imagine, however, how this turns into a very powerful and dangerous type of attack if the script gets sent to (and/or stored on) the server and rendered in other users' browsers.