Cross Site Scripting (XSS)
Cross-site scripting (XSS) is another vulnerability commonly seen in HTML markup implementations. It arises when the HTML contains direct input from the request, either via form submission or URI parameter.
Description
Notice that the link in each list item carries a URI parameter input.
<ul>
<li><a href="message.cgi?say=Hello">Say Hello</a>
<li><a href="message.cgi?say=Welcome">Say Welcome</a>
<li><a href="message.cgi?say=Kittens">Say Kittens</a>
</ul>
If the server does not validate those parameters and prints them as they are, an attacker can perform an attack by making the following request:
http://example.com/message.cgi?say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E
Because the input is printed as it is, the script becomes part of the returned page. This can wreak unknown havoc on the server.
Potential Attacking Models
SQL Injection
One attack model is SQL injection: the attacker injects SQL instructions. Depending on the attacker's intention, this includes extracting data, creating a bypass, or even destroying databases.
Service Shutdown / Destruction
Sending instructions to cause service destruction and sabotage.
Best Practices
To counter this vulnerability, we:
- Do not trust user input, and always validate all user inputs.
- Isolate server-side values from user input values of both types: form submission and URL parameters.
- Make every HTML page comply with: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- Make every JavaScript-intensive HTML page comply with: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
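The following is an added example, not code from the original page: it applies the validation practice to the `say` parameter of `message.cgi`, showing the print-as-is handler next to a hardened one, and goes one step further by also HTML-encoding the output for fields where no allow-list is possible. The function names, the allow-list contents and the `<p>` wrapper are assumptions, and the encoding shown covers HTML body context only.

```python
import html
from urllib.parse import parse_qs

# Assumption: the only messages the page links to (Hello, Welcome, Kittens).
ALLOWED_MESSAGES = {"Hello", "Welcome", "Kittens"}


def get_say(query_string):
    """Return the first 'say' value from a raw query string, URL-decoded."""
    values = parse_qs(query_string, keep_blank_values=True).get("say", [""])
    return values[0]


def render_unsafe(query_string):
    """Vulnerable form: prints the parameter as it is."""
    return "<p>" + get_say(query_string) + "</p>"


def render_safe(query_string):
    """Hardened form: allow-list validation, then HTML-encode on output."""
    say = get_say(query_string)
    if say not in ALLOWED_MESSAGES:
        # Reject instead of trying to clean up unexpected input.
        return 400, "<p>Unknown message.</p>"
    # Encoding is redundant for allow-listed values but stays as a second
    # layer in case the allow-list later admits characters like < or &.
    return 200, "<p>" + html.escape(say, quote=True) + "</p>"


def render_encoded_only(query_string):
    """For free-text fields where no allow-list is possible: encode only."""
    return "<p>" + html.escape(get_say(query_string), quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed query string, taken from the request shown on this page.
    attack = "say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E"
    print(render_unsafe(attack))        # script tag reaches the page intact
    print(render_safe(attack))          # rejected with status 400
    print(render_encoded_only(attack))  # markup rendered as inert text
    print(render_safe("say=Kittens"))   # legitimate link still works
```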