Cross-site Scripting (XSS)
Cross-site scripting attacks are an instantiation of injection problems, in which malicious scripts are injected into the otherwise benign and trusted web sites.
- Confidentiality: The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies.
- Access control: In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws
- Implementation: If bulletin-board style functionality is present, cross-site scripting may only be deterred at implementation time.
- Language: Any
- Platform: All (requires interaction with a web server supporting dynamic content)
Likelihood of exploit
Avoidance and mitigation
- Implementation: Use a white-list style parsing routine to ensure that no posted content contains scripting tags.
Cross-site scripting attacks can occur wherever an untrusted user has the ability to publish content to a trusted web site. Typically, a malicious user will craft a client-side script, which - when parsed by a web browser - performs some activity (such as sending all site cookies to a given E-mail address).
If the input is unchecked, this script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.
There are several other possible attacks, such as running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy; cookie theft is however by far the most common.
All of these attacks are easily prevented by ensuring that no script tags - or for good measure, HTML tags at all - are allowed in data to be posted publicly.
Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted web site for the consumption of other valid users.
The most common example can be found in bulletin-board web sites which provide web based mailing list-style functionality.
- Injection problems
- Invoking untrusted mobile code