Cross-site Scripting (XSS)

From OWASP
Revision as of 17:44, 13 April 2006 by Jeff Williams (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



Overview

Cross-site scripting attacks are an instantiation of injection problems, in which malicious scripts are injected into the otherwise benign and trusted web sites.

Consequences

  • Confidentiality: The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies.
  • Access control: In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws

Exposure period

  • Implementation: If bulletin-board style functionality is present, cross-site scripting may only be deterred at implementation time.

Platform

  • Language: Any
  • Platform: All (requires interaction with a web server supporting dynamic content)

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Use a white-list style parsing routine to ensure that no posted content contains scripting tags.

Discussion

Cross-site scripting attacks can occur wherever an untrusted user has the ability to publish content to a trusted web site. Typically, a malicious user will craft a client-side script, which - when parsed by a web browser - performs some activity (such as sending all site cookies to a given E-mail address).

If the input is unchecked, this script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.

There are several other possible attacks, such as running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy; cookie theft is however by far the most common.

All of these attacks are easily prevented by ensuring that no script tags - or for good measure, HTML tags at all - are allowed in data to be posted publicly.

Examples

Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted web site for the consumption of other valid users.

The most common example can be found in bulletin-board web sites which provide web based mailing list-style functionality.

Related problems

  • Injection problems
  • Invoking untrusted mobile code

Categories