This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Cross-Site Scripting (XSS): a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
Cross-Site Scripting
Like the changing storyline of Little Red Riding Hood, code injection attacks change the storyline of existing programs or code. One such code injection attack is cross-site scripting (XSS).
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web sites or web applications. XSS enables attackers to inject malicious scripts into legitimate web sites that other users view in their browsers. When the page loads in the victim's browser, the attacker's malicious script executes, most often without the user noticing or being able to prevent the attack. The intent of these attacks is to steal information from, delete information from, compromise, or pwn the user's computer.
Pwn: a hacker slang term derived from the verb "own", meaning to appropriate or to conquer.
Web browser: a program with a graphical user interface for displaying HTML files, used to navigate the World Wide Web.
Web application: a computer program which the client runs in a web browser. Common web applications include webmail, wikis, instant messaging services and many other
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
Escaping User Inputs
Escaping: performs data validation by only allowing the user to input data of the expected type; otherwise the input is discarded.
$value = $_POST['value'];                      // raw, untrusted value submitted by the user in a form
$value = db_fetch('SELECT value FROM table');  // raw value read back from the database; still untrusted
Input validation: the testing of any input supplied by a user to prevent improperly formed data from entering an information system.
A second method to prevent XSS from changing your website's storyline is validating input. Validating input is the process of ensuring that a web application or website renders only the correct data, preventing malicious data from harming the site, its database, and its users.
Username: must be 10 characters or less
Password: must be in the 5 to 120 range
Sanitizing User Input
Sanitizing: changing or escaping special characters maliciously entered by a user, to prevent improperly formed data from entering an information system.
A final method to prevent XSS from changing your website's storyline is sanitizing user input. Sanitizing user input is the process of checking user input before storing it in a database or using it for any other purpose, to prevent malicious code injection.
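As an added example (not code from the original module), the three defenses described above applied in PHP to a constructed malicious form value; the function names, the username rule, and the sample input are assumptions for illustration:

```php
<?php
// Added example, not part of the original module. Shows the three defenses
// the slides describe (escaping, validating, sanitizing) applied to a
// constructed form value before it is echoed back into an HTML page.

// Escaping: convert characters that are special to HTML so the browser
// renders them as text instead of interpreting them as markup or script.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validating: accept only data of the expected shape (here a username of
// 1 to 10 letters, digits or underscores, matching the "10 characters or
// less" rule on the slide) and discard anything else.
function validate_username(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,10}$/', $value) === 1 ? $value : null;
}

// Sanitizing: strip HTML tags before the value is stored or reused.
// Note that strip_tags keeps the text inside the tags, so escaping on
// output is still required; sanitizing alone is not sufficient.
function sanitize_text(string $value): string
{
    return trim(strip_tags($value));
}

// Constructed malicious input standing in for $_POST['value'].
$value = '<script>alert("pwned")</script>Alice';

echo "Raw (unsafe to echo): " . $value . "\n";
echo "Escaped:              " . escape_html($value) . "\n";
echo "Validated:            " . (validate_username($value) ?? 'rejected') . "\n";
echo "Sanitized:            " . sanitize_text($value) . "\n";
echo "Validated (clean):    " . (validate_username('Alice') ?? 'rejected') . "\n";
```

Run with `php example.php`; the escaped line shows the tag characters converted to HTML entities, the malicious username is rejected while `Alice` passes, and the sanitized line shows the tags removed but their inner text retained.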