What is cross-site-scripting?

Question

Possible Duplicate:
Can anybody explain XSS to an idiot?

First I ask is there an aboslute definition? I've done some Googleing and it seems like everyone says something different.

On SO one person says

An XSS vulnerability exists whenever a string from outside your application can be interpreted as code.

This sounds similar to a SQL injection but it attacks the web server, not the user?

Another

Cross Site Scripting basically is a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a Web site. The most usual case of this vulnerabilities occurs when GET variables are printed or echoed without filtering or checking their content.

Again it sounds like someone would mess with the URL to put malicious code into GET passed variables but wouldn't this be like attacking one's self?

This article was at the top of a Google search but it seems to beet around the bush and not define anything. It implies XSS is done usually with JavaScript, is this true?

Answer 1

First I ask is there an aboslute definition?

Is there an absolute definition of anything these days? You will find most definitions for XSS say the same thing in the end. XSS is essentially injecting malicious scripts through un-sanitized user input.

Have a look at these two animations: XSS Animation 1 and XSS Animation 2

This sounds similar to a SQL injection but it attacks the web server, not the user?

XSS scripts are generally executed in the clients browser and attacks the user (I'm not saying it cannot be detrimental to the server as well)

Again it sounds like someone would mess with the URL to put malicious code into GET passed variables but wouldn't this be like attacking one's self?

You could share the unsafe URL with others who use the website. Maybe it is as simple as a facebook link that results in the person sending all of their personal information to you.

It implies XSS is done usually with JavaScript, is this true?

Yes. For example: enter this into a sites form, <script>alert('xss');</script> . If you see an alert with xss, the site is vulnerable. From there you are limited by your imagination and expertise.

Myspace was a bloodbath in regards to XSS. Look up the Sammy worm. It will surprise you how many people/companies ignore XSS (and security in general). I worked for a company where you could easily write a simple XSS worm that would erase all of the users data (on the website), and subsequently delete all of their contacts data as well, thus eventually deleting everyones data. This involved calling the applications API on behalf of the user within JS. General rule, never trust user input.

Answer 2

XSS is a flaw that occurs only on sites that dynamically generate pages. Web sites with Static pages are not vulnerable to XSS. It is an injection of html or javascript code for the web server to reflect to a client or the client browser to execute; but it is not the injection of SQL statements as in SQLi where it has a DB at the back end.

XSS flaws are of three types.

• Persistent - User input consists of malicious software code that gets stored in the web application, and gets rendered thereafter in every request to read that along with piece of data.

• Non-Persistent - User input consists of malicious code that get returned in server's response to the request, it doesn't get stored in the web app so it is specific to that request.

• DOM-based - This does not involve web server, it is local to the web browser. I think this is what you are looking for.

Check out this link for good explanation on XSS. To avoid XSS you must perform input validations.