Web Security

Web Security Introducing Cross-Site Scripting (XSS)

Learning Paths:
Check out a free preview of the full Web Security course:
The "Introducing Cross-Site Scripting (XSS)" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike introduces Cross-Site Scripting (XSS), which occurs when attackers inject client-side scripts into web pages viewed by other users.

Get Unlimited Access Now

Transcript from the "Introducing Cross-Site Scripting (XSS)" Lesson

[00:00:00]
>> Mike North: The first client side attack we're gonna talk about is probably the most prevalent. It's called cross-site scripting. Cross-site scripting begins with an X because CSS already means something for front end developers. This category of attacks is called an injection attack where we're basically like, we're putting content in a place that is designed for text, but we can basically trick a system into treating it as code and executing it.

[00:00:33] We're allowing our content to become code and to be executed. Cross-site scripting vulnerabilitiesare are extremely prevalent. It's difficult to pin down exactly what the number is, like what percent of websites are vulnerable to this kinda thing. Cuz most of the data comes froms firms that are selling penetration testing services and it is in their interest to say that like the number is 70%.

[00:00:57] It is very, very high. The number is very high. It is, if i had to give you a minimum number I'd say like more than 30% of sites are vurnerable to this kinda thing in one way or another. It may not be the most obvious thing but you can get some browsers to execute code some of the time.

[00:01:22] Particularly older ones. And once this happens, depending on what user you compromise, if you compromise an administrator this could be like full system control. That is the consequence of this attack. Cuz they can create other admin users, sometimes they can run reports. And if it's a poorly built reporting system, they'll allow arbitrary queries to run on a database and drop tables.

[00:01:48] Drop all tables is a pretty simple query to run that would just melt everything down. And now you're trying to restore from last backup hoping you can pin down exactly what just happened. So let's look up here, so we're gonna be using the app. The Equihax app is a server-rendered app.

[00:02:10] We're not using React, or Angular, or Ember or anything like that. We have an express server and Node.js which is rendering HTML, which the browser reads. And we're using something called EJS, which is called embedded JavaScript. And it just basically means that between the percent signs we can have a JavaScript expression that is interpolated with our HTML.

[00:02:30] So here we'd say it welcome name and if the name is Mike, it says welcome Mike. And this is great, but what if my name ends up being this like what ends up happening is the browser will treat it as code, and it'll execute that, and now it's just a matter of me getting someone else to see my name on their page, maybe using some social engineering.

[00:02:53] Getting into a chat system and come up with the username that looks like a boss or an IT help, like professional. Please, click on this link. Can you do me a favor? I'm a new employee. Can you click on this and see of it works? And it'll be to a domain that they're used to.

[00:03:09] You'll look at that link and it'll seem fine. This isn't someone trying to phish you. It's not a fake site. But it's a particular page within a site where I've managed to inject my own code. And now, we can do whatever the application can do, this can do now.