Cross-Site Scripting for Fun and Profit

Knowing how to protect your web app from cross-site scripting is crucial, as is understanding how these attacks work. Read on for some tips.

by Hakon Olsen · Apr. 21, 17 · Tutorial

Still one of the most common vulnerabilities in web applications, XSS (cross-site scripting) remains a useful point of attack for hackers. If you are a web developer, knowing how to properly protect your application from these attacks is a must.

Don’t leave your app open to attack – injection vulnerabilities are not nice.

Cross-site scripting vulnerabilities exist when user input from web forms or API calls is not properly escaped and sanitized before it is used. Directly reflecting user input back to the browser is a risky practice. If a user enters JavaScript into a form field and that script executes, you have a vulnerability that hackers can take advantage of.

There are two ways users can give input to a web page: through web forms, and through URL parameters (usually by clicking links on the page). Both input types are interesting injection points for someone looking to exploit your page.

Modern web applications seek to filter out this type of input. OWASP has put together a large selection of attack vectors for XSS exploits that try to bypass these filters. You can see the list here.

To manually test your own applications you can try the following input strings:

  • <script>alert()</script>: usually doesn't work.
  • <img src=x onerror=alert()>: this is typically used as a stored XSS payload, for example in comment functionality. If an alert pops up when you reload the page, you have successfully injected JavaScript into the page, and it will run for other users too. At that point the alert could be swapped for something far nastier, like a redirect to a phishing site of choice (don't do it, it really is evil - and illegal).
  • In URL parameters: data:html,alert() or data:text/JavaScript,alert() or JavaScript:alert()

The URL manipulation is typically used in links supplied in scam emails and the like. It makes the attacker's code execute within the context of the web application, and is often used to steal session data.

Avoiding XSS as a Developer

There are several things you can do as a developer to avoid these vulnerabilities. The best way is to use a framework/templating system that auto-escapes dangerous inputs for you. Most modern web frameworks will do this for you, as long as you enable the right middleware!

You should also test for vulnerabilities, including XSS. You can do this manually by trying to inject strings like the ones above, and you can use a vulnerability scanner. Let someone else look at your code to try to find weaknesses – it is harder to see errors when you have made them yourself! Use multiple test methods when available, and consider including security tests in the unit tests for your code.
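The two points above (let the template layer escape for you, and put XSS probes into your unit tests) can be shown in a few lines. The following is an added example, not code from the original article or from any framework: a minimal context-aware escaper, a deliberately vulnerable template next to its hardened twin, and a unit-test style helper that feeds the article's probe strings through both. All function and variable names (escapeHtml, safeUrl, renderVulnerable, renderSafe, survivingProbes) are this example's own, and the sample inputs are constructed.

```javascript
// Added example (not from the original article): context-aware escaping
// plus a tiny unit test that checks the article's probe strings are neutralised.

// Escape for HTML text content. Covers the characters that can open a tag
// or break out of a quoted attribute value.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape for a quoted HTML attribute value. The same set is sufficient as
// long as the attribute is always quoted in the template.
function escapeAttr(input) {
  return escapeHtml(input);
}

// Only http(s) URLs are allowed in href; javascript:, data: and anything
// else is replaced with a harmless fragment link.
function safeUrl(input) {
  const s = String(input).trim();
  return /^https?:\/\//i.test(s) ? s : '#';
}

// VULNERABLE: reflects raw user input into text, href and attribute contexts.
function renderVulnerable(name, link) {
  return `<p>Hello ${name}</p><a href="${link}" title="${name}">profile</a>`;
}

// HARDENED: each interpolation is escaped for the context it lands in,
// which is what a good templating engine does for you automatically.
function renderSafe(name, link) {
  return `<p>Hello ${escapeHtml(name)}</p>` +
    `<a href="${escapeAttr(safeUrl(link))}" title="${escapeAttr(name)}">profile</a>`;
}

// Constructed probe set: the article's strings plus an attribute-breakout variant.
const PROBES = [
  '<script>alert()</script>',
  '<img src=x onerror=alert()>',
  '" onmouseover="alert()',
];
const URL_PROBES = ['javascript:alert()', 'data:text/javascript,alert()', 'data:html,alert()'];

// Crude detector for a unit test: a raw tag survived, a quoted attribute was
// broken out of, or a dangerous URL scheme landed in an href.
function looksInjected(html) {
  return /<(script|img)\b/i.test(html)
    || /"\s+on\w+=/i.test(html)
    || /href="\s*(javascript|data):/i.test(html);
}

// Runs every probe through a renderer and returns the ones that survive.
// An empty array means the renderer passed the test.
function survivingProbes(render) {
  const hits = [];
  for (const p of PROBES) {
    if (looksInjected(render(p, 'https://example.test/'))) hits.push(p);
  }
  for (const u of URL_PROBES) {
    if (looksInjected(render('bob', u))) hits.push(u);
  }
  return hits;
}

// Usage: the vulnerable renderer lets all six probes through, the safe one none.
console.log('vulnerable survivors:', survivingProbes(renderVulnerable));
console.log('hardened survivors:', survivingProbes(renderSafe));
```

The detector is intentionally crude (it would not replace a real scanner), but it is enough to turn "try the strings above by hand" into a test that fails the build the moment someone reintroduces an unescaped interpolation.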

Some takeaways:

  • Even big-league players have XSS vulns on their sites. See this Register story from 2014 on a WordPress plugin bug that affected most of the platform.
  • XSS lets hackers attack your users. If it was possible because of neglect on your part, you are partly to blame. Right? And your customers would get angry.
  • Web application frameworks deal with this in a good way. It is very hard to write context-aware escaping manually, so stick with a framework!

Published at DZone with permission of Hakon Olsen, DZone MVB. See the original article here.
