OWASP WebGoat Series - Cross-site Scripting


Cross-site Scripting (XSS)

Cross-site Scripting (also known as XSS) is a vulnerability that allows malicious scripts to be injected into a web application. XSS occurs when attackers send malicious code in the form of a browser-side script. This flaw can occur anywhere a web application takes input from a user without validating or encoding it. Malicious scripts can access sensitive information that is otherwise retained by the browser (cookies and session tokens).

Basic XSS test:

<script>alert("1")</script>

Commonly used locations

Here are the most common locations where XSS is abused:

Successful XSS attacks

Ultimately, why should we care about XSS? Because the results of an XSS attack can:

Types of XSS

Now that we understand the locations where XSS is commonly used and the outcome of successful XSS attacks, we can define the types of XSS attacks that can occur.

Reflected

DOM-based (technically reflected)

Malicious content from a user request is used by client-side scripts to write HTML to its own page.
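The DOM-based case described above, as an added example that is not from the original post: a constructed URL carries the page's basic test string in a hypothetical `name` parameter, and two render functions (names are assumptions) build the fragment a client-side script would write to the page, first without and then with HTML encoding.

```javascript
// Constructed request URL carrying the page's basic test string in a
// hypothetical "name" query parameter (app.example is a placeholder host).
const SAMPLE_URL =
  'https://app.example/welcome?name=' +
  encodeURIComponent('<script>alert("1")</script>');

// Characters that change meaning in HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace each special character with its entity so it is shown, not parsed.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reads the parameter the way a client-side script would read location.search.
function readName(url) {
  return new URL(url).searchParams.get('name') ?? '';
}

// Vulnerable: request data is concatenated into markup unchanged.
function renderUnsafe(url) {
  return '<p>Welcome, ' + readName(url) + '</p>';
}

// Hardened: request data is encoded for the HTML text context first.
function renderEncoded(url) {
  return '<p>Welcome, ' + encodeHtml(readName(url)) + '</p>';
}

// True when the text inside the <p> wrapper still contains a tag-opening
// sequence, i.e. the request data would be parsed as markup.
function hasInjectedMarkup(fragment) {
  const inner = fragment.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

console.log('unsafe :', renderUnsafe(SAMPLE_URL));
console.log('encoded:', renderEncoded(SAMPLE_URL));
```

In a browser, assigning the value through `textContent` instead of building an HTML string gives the same result without manual encoding.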

Stored or Persistent