What is Cross-Site Scripting ? | XSS Guide For Beginners

Cross Site Scripting or XSS is one of the most common web application vulnerability that allows an attacker to run his own client side scripts into web pages viewed by other users. It is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. XSS is the most common security vulnerability in software today. In an XSS attack the attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

An XSS vulnerability arises when web applications take data from users and dynamically include it in web pages without first properly validating the data. XSS vulnerabilities allow an attacker to execute arbitrary commands and display arbitrary content in a victim user's browser. A successful XSS attack leads to an attacker controlling the victim’s browser or account on the vulnerable web application. A successful XSS attack can lead to following problems :

  • Stealing the Identity and Confidential Data(credit card details).
  • Bypassing restriction in websites.
  • Session Hijacking(Stealing session)
  • Malware Attack
  • Website Defacement
  • Denial of Service attacks(Dos)
  • keylogging
  • Phishing attacks

Demonstration of XSS attack : 

If you have basic understanding of HTML, Javascript, HTTP Client-Server architecture and some basic knowledge about server side languages like php, asp, jsp, then you can easily understand how xss works. I highly recommend you to read about these topics :

HTML :   Reference
Javascript : Reference
HTTP Client-Server architecture : Reference
Server-Side Language : Reference

Cross site scripting is nothing but injection of client side scripts into a website. These scripts can be HTML scripts or JavaScript scripts. Now the question would be how can a person inject scripts on a running page. This can easily be done using all the various ways a website is collecting inputs. Cross site scripting can be performed by passing scripts in form of:
  • TextBox (input controls) 
  • Query Strings
  • Cookies
  • Session variables
  • Application variables
  • Retrieved data from an external or shared source

Now let us see some basic example of cross site scripting. For demonstration of XSS attack i am going to use Web For Pentester VM, it is nothing but a Vulnerable Machine to practice and learn about Web Application Security. To install Web For Pentester VM on your system please check my previous post here

The above web page accept a value as a name for the parameter name, then prints it on the page. Now if we provide crafted javascript code, then the webpage will also try to print it, but at this time our crafted javascript code or XSS payload will execute and show a message box on the browser.

payload :<script>alert(1)

alert() function is a javascript function which is used to show a dialog box with message. The <script>alert('Xssed')</script> is widely used javascript code to test for the xss vulnerability in web apps and also the easiest one, and at here the <script>/</script> tag is used to show the starting and ending of the javascript code. Now if we see the code of xssed webpage then it does not sanitized our provided data and just put it as it is in the page, and our browser will interpret it as javascript code.

This is very basic type of XSS vulnerability, where the developer of webpage will forget to check or sanitize the user supplied data, and just print them on page. This type of xss vulnerability is known as Reflected xss. There are three types of XSS vulnerability :
  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS
We will look at these XSS types in next post.

Conclusion :

In this post we learn the basics of XSS vulnerability and saw an example of Reflected XSS. Now in next post we look at the types of XSS vulnerability with more details.


Reflected XSS : Click here
Stored XSS : Click here
DOM Based XSS : Click here