Web Security: What is XSS?

XSS (Cross-Site Scripting) is a kind of attack that is fairly popular these days and could target anyone, yet it is not nearly as well known to most people as it should be.

In this post, I'll try to give a short explanation of what it is.

XSS: the principle

Simply put, an XSS (Cross-Site Scripting, not to be confused with CSS, Cascading Style Sheets) happens when a website accepts user-contributed content (e.g. posts, forum messages, comments, nicknames, profile information, ...) and then displays it without proper validation or filtering.

A malicious user could then submit content containing JavaScript, which would in turn be executed in the browser of any user who views that content.

XSS: an example

As an example, imagine a social networking website where JavaScript is improperly filtered out of user profiles.

Now imagine that a malicious user sets up his profile to contain a piece of JavaScript that adds him as a friend of anyone viewing his profile.

A legitimate user would then log in to the social networking website and browse profiles; as soon as he passes by the malicious one, the script adds the malicious user as a friend.

This is not just a fictitious example. Something even worse has happened.

Now imagine that the purpose is not to add someone as your buddy but to steal the session cookie for your banking website ... freaky?

XSS: what to do?

As the developer of a website where users are allowed to submit content, the lesson is simple: never trust user-submitted content.

Any such content must be correctly escaped so that potentially harmful characters lose their meaning in HTML. All languages used to develop web applications provide a function to escape HTML special characters, which is of great help in avoiding XSS.
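To make the lesson concrete, here is an added example (not code from the original post) showing a profile page rendered once without escaping and once with it, for the social-network scenario above. The function names, the sample profile and the allowed-tag check are all constructed for this illustration; the one caveat it shows is that escaping must also cover quotes, so that a value landing inside an attribute cannot break out of it.

```javascript
// Map each character with special meaning in HTML to its entity.
// Escaping both quote styles makes the result safe inside attribute
// values as well as in element text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable version: user-controlled fields are concatenated straight
// into the markup, so a bio containing <script> runs in every visitor's
// browser (this is the mistake the post describes).
function renderProfileUnsafe(profile) {
  return `<h1 class="nick">${profile.nickname}</h1>\n` +
         `<p class="bio">${profile.bio}</p>`;
}

// Hardened version: every user-controlled value is escaped at the point
// where it is inserted, whether in element text or in an attribute.
function renderProfile(profile) {
  return `<h1 class="nick">${escapeHtml(profile.nickname)}</h1>\n` +
         `<p class="bio" title="${escapeHtml(profile.nickname)}">` +
         `${escapeHtml(profile.bio)}</p>`;
}

// Constructed sample profile standing in for content a user submitted.
const SAMPLE_PROFILE = {
  nickname: 'alice" onmouseover="alert(1)',
  bio: 'Hi! <script>alert(document.cookie)</script>',
};

// Review/test helper: does the rendered page contain any tag that the
// template itself did not emit? Useful as a regression check.
function containsInjectedTag(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !allowedTags.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

console.log('unsafe:\n' + renderProfileUnsafe(SAMPLE_PROFILE));
console.log('escaped:\n' + renderProfile(SAMPLE_PROFILE));
```

Note that the escaped nickname is still displayed exactly as the user typed it; only the browser's interpretation of it changes.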