Cross-site Scripting (XSS) is an injection attack too. It is a client-side attack in which the attacker aims to execute malicious scripts in the victim's web browser by injecting malicious code into a legitimate web page or web application.
Let's go back to our simple example. When a signed-in user visits the homepage, i.e. /, she is shown a page with a text box and a Search button where she can supposedly search among some content. To get a sense of how XSS works in its simplest form, go ahead and add a file named index.js under a new subfolder public, and write the following in it:
Then, add to index.html. Finally, add onchange="keywordChanged()" as a new attribute to the keyword text field. Whenever the keyword changes, the keywordChanged function gets called, which is implemented in index.js. The keywordChanged function displays "keyword is " followed by whatever the user types in. This again all makes good sense, but what if a malicious user uses that text box to enter some raw HTML content? Let's give it a try: type in the text box <a href="dangerous link">some keyword</a>. A link should show up on the page that could potentially redirect the user to a dangerous place if clicked.
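To make the mechanism concrete, here is an added example (not the tutorial's own index.js) that puts the vulnerable handler next to a hardened one. It assumes two element ids that the tutorial does not name, "keyword" for the text field and "output" for the element that shows the message, and it includes the same "<a href=...>" input from above as constructed test input. The point it demonstrates is that the bug is the sink, not the message: handing user text to innerHTML makes the browser parse it as markup, while textContent (or HTML-escaping before innerHTML) keeps it as plain text.

```javascript
// Added example; not the tutorial's code. Assumed element ids: "keyword", "output".

// Builds the message the page shows. The string itself is harmless; what
// matters is which DOM property it is written to.
function message(keyword) {
  return "keyword is " + keyword;
}

// Vulnerable handler: innerHTML parses the keyword as HTML, so markup typed
// into the text box (a link, an element with an event-handler attribute, ...)
// becomes a live node in the victim's own page.
function keywordChangedVulnerable(outputEl, keyword) {
  outputEl.innerHTML = message(keyword); // XSS sink
  return outputEl;
}

// Fixed handler: textContent never parses markup, so the same input is shown
// literally ("keyword is <a href=...") and no element is created.
function keywordChangedFixed(outputEl, keyword) {
  outputEl.textContent = message(keyword); // plain text, never parsed
  return outputEl;
}

// Escapes the five characters that let text break out of an HTML text node or
// a quoted attribute value. Needed only when a string really must go through
// innerHTML (for example because the rest of the message contains markup).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same message, but safe to assign to innerHTML because the user part is escaped.
function messageAsEscapedHtml(keyword) {
  return "keyword is " + escapeHtml(keyword);
}

// Browser wiring: runs only where a DOM exists (in Node there is no document,
// and the functions above are exercised with a plain object instead).
if (typeof document !== "undefined") {
  const input = document.getElementById("keyword");
  const output = document.getElementById("output");
  if (input && output) {
    input.addEventListener("change", (ev) => keywordChangedFixed(output, ev.target.value));
  }
}
```

In the browser, wiring the field to keywordChangedFixed is all the fix takes; escapeHtml is the fallback for places where innerHTML is unavoidable, and it must be applied to every user-controlled fragment, not to the whole string after other markup has been concatenated in.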
This is just a very simple example where a user can mess with what gets displayed to himself/herself. Imagine, however, how this can turn into a powerful and very dangerous type of attack if the script gets sent to (and/or stored on) the server and rendered in other users' browsers.