First off, let me start with a little disclaimer. This blog is for educational purposes only. I am by no means an expert XSS exploiter or an experienced web developer. I just like to mess around on the internet. If you came here to learn how to exploit XSS, you came to the wrong place. I will not be naming websites or showing the actual XSS used. No websites were harmed in the making of this blog.
So what is XSS? Well, let's quote Wikipedia on that one: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users." Does that make it clear? No, didn't think so. I'll try to explain using some real world examples.
As you may or may not know, the most basic language used to create websites is HTML. HTML contains everything a browser needs to know to display a website. It has the style, content and everything else in one file. The browser interprets this file and builds the website for you to browse. Now, some websites also have inputs available for their viewers. Think of things like contact forms, guestbooks, stuff like that. This is where the basics for XSS lie.
When you enter text into an input field and click "Submit", the data is sent to the webserver, which in turn gives your browser a new HTML file with the text you entered processed into it. So if you have signed the guestbook and posted "Great website!", that will show as the latest entry in that guestbook. That means your text is now somewhere in the HTML file. So what if you paste HTML into that text field, can you alter the website? Yes, and that's exactly what XSS is.
When you paste HTML code into an input form on a website that does not properly sanitize the input, you can "break open" the form and change the layout of the website itself. An example of a guestbook that is vulnerable to XSS exploiting:
This is your typical guestbook. You enter a name, a code to prove you're human, and your message. But what happens if you insert a prepared XSS string? Well, then you can add pretty much anything you want outside of the input fields:
As you can see, I have successfully changed the layout of the website to show a big "Hello World" underneath the "Your Name:" field. While this change is only visible to me, and not dangerous to the website and its users, it's still an opening. If I were to post this on the guestbook, all of the visitors to that website would see the broken layout.
The thing is, although this all sounds very complicated and high tech, almost everyone can do it. Here are some examples of exploitable sites I found on Google when searching for "sign guestbook" on the first two or three pages:
Nice collection, right? Like I said, I will not be naming these websites, but trust me when I say that some of these examples are not small, private websites. Some are actually quite large with a lot of visitors. A better known recent example of XSS is this Twitter exploit, where people managed to use XSS to create a self spreading "virus" on Twitter.
So how do you protect yourself from XSS? Well, first of all, make sure that your website is correctly sanitizing inputs. Don't put simple input forms everywhere and expect them to be secure.
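To make the two halves of this concrete, the guestbook reflection described earlier and the sanitizing advice just given, here is an added example (not code from the original post or from any of the sites it mentions). It is a tiny Node.js guestbook renderer with two versions of the same function: one that pastes the visitor's text straight into the HTML, as the vulnerable guestbooks do, and one that HTML-escapes every untrusted field first. The entries, the `escapeHtml` helper and the `renderEntry*` function names are all constructed for this example; the "Hello World" heading stands in for the layout change shown above.

```javascript
// Added example: why unescaped guestbook input rewrites the page, and the fix.
// Everything here is constructed for illustration; none of it is site code.

// Escape the characters that carry meaning in HTML text and attribute values.
// This is output encoding for the HTML body/attribute context only.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the visitor's name and message land in the HTML verbatim,
// so any tags they typed become part of the page for every later visitor.
function renderEntryUnsafe(entry) {
  return `<li><b>${entry.name}</b>: ${entry.message}</li>`;
}

// Hardened: every untrusted field is escaped at the moment it is written
// into HTML, so the browser shows the tags as text instead of rendering them.
function renderEntrySafe(entry) {
  return `<li><b>${escapeHtml(entry.name)}</b>: ${escapeHtml(entry.message)}</li>`;
}

function renderGuestbook(entries, renderEntry) {
  return `<ul>\n${entries.map(renderEntry).join("\n")}\n</ul>`;
}

// Simple check a reviewer can run over rendered output: if a tag typed by
// the visitor survives verbatim in the HTML, the markup was injected.
function markupSurvives(html, input) {
  return /<[a-z!/]/i.test(input) && html.includes(input);
}

// Constructed sample entries: one ordinary, one carrying markup.
const SAMPLE_ENTRIES = [
  { name: "Alice", message: "Great website!" },
  { name: "Visitor", message: "<h1>Hello World</h1>" },
];

console.log("Unsafe rendering:\n" + renderGuestbook(SAMPLE_ENTRIES, renderEntryUnsafe));
console.log("\nSafe rendering:\n" + renderGuestbook(SAMPLE_ENTRIES, renderEntrySafe));
```

Run it with `node guestbook.js` (any file name works) and compare the two outputs: the unsafe version contains a live `<h1>` element, the safe version contains the literal text `&lt;h1&gt;Hello World&lt;/h1&gt;`, which the browser displays as typed. Two caveats worth keeping in mind: the escaping above is correct for HTML text and quoted attribute values only, and a value placed inside a `<script>` block, an inline event handler or a URL needs the encoding rules of that context instead; and stripping or "trimming" input on the way in is not a substitute for encoding on the way out, because the same stored text may be rendered in several different contexts later.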
The point of this blog is to create awareness among web designers to properly secure their websites and make sure that XSS is not possible. With properly executed XSS, anything is possible. As XSS is becoming more and more popular, more and bigger sites will get attacked. In the end, this is what a web designer wants someone using XSS exploits to see: