Web Security Web Security

Locations for XSS Attacks

Check out a free preview of the full Web Security course:
The "Locations for XSS Attacks" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike examines the locations of vulnerabilities in a web application for XSS attacks.

Get Unlimited Access Now

Transcript from the "Locations for XSS Attacks" Lesson

>> Mike North: So let's talk about places to look for cross-site scripting vulnerabilities, cuz it's overwhelming to think that this could happen across your entire app. Anywhere you have a WYSIWYG, which is a really long abbreviation for what you see is what you get. So this is the ability to add rich text as content to a particular area where you can say, you can drop an image tag here, right.

[00:00:25] Anywhere you have that it is a potential place where you can start experimenting and seeing if you can slip in any of a number of three or four dozen cross-site scripting attack techniques. Embedded content, so if you can drop an Iframe somewhere or if you can put an object, right, like a flash embed, those are cross-site vulnerabilities.

[00:00:50] Anywhere users have full control over a URL, that is a vulnerability potentially, right, because in much older browsers you can have a URL that begins with JavaScript: and then code follows that. And this is not the current version of Firefox and Chrome and Safari, this is older browsers, but imagine that you've allowed someone to even have a CSS background image.

[00:01:15] And the background image that the user has selected is JavaScript: and then some code, yeah, their image isn't going to render but by the time people see that it's too late, right. Anywhere that input is reflected back, like, I couldn't find x y z, right, anywhere that, whatever the user just typed it sent back.

[00:01:36] That is a potential place you could have a reflected cross-site scripting vulnerability. Anywhere query parameters are rendered into the DOM, that's a typical vector for a DOM-based cross-site scripting attack. And then innerHTML, that's element.innerHTML, that can be arbitrary HTML, and that's where you could just add a script tag, and that is an exceptionally easy one to exploit.