An XSS (also known as Cross-Site Scripting) is a vulnerability that allows code injection (any language interpreted by a browser) into a website in order to change how it is displayed. It is mostly due to programming errors or excessive trust in user input.
There are two types of XSS vulnerabilities: Reflected XSS (or non-persistent) and Stored XSS (or persistent).
An XSS vulnerability would allow an individual to:
It is called non-persistent because the malicious content is not stored in a file or in a database: nothing is kept on the web server. Instead, the content is delivered to the victim inside a URL that carries it (sent by email or by other means).
Most web browsers have integrated an anti-XSS filter into their latest versions (Chrome, IE, Safari, Opera, Edge). It analyzes the page returned by the server and removes any occurrence of JavaScript that is also present in the client request. This protects users from a Reflected XSS but not from a Persistent XSS.
Example:
You are browsing a site that shows the weather forecast for a given city. The name of the city is provided in the URL of the page via a GET parameter, like this: www.meteo.com/previsionsmeteo?ville=Montpellier
The forecast for the city of Montpellier will be displayed on the page returned by the weather website's server. The hacker can use the same URL to provide malicious content, like this: www.meteo.com/previsionsmeteo?ville=Montpellier<script>alert(document.cookie) ;</script>
With such content in the URL, the web server will still display the weather forecast for Montpellier, but will potentially also include the dangerous content in the page, because the parameter is echoed back without being encoded.
The persistent XSS vulnerability is the most dangerous one because the payload is executed each time the page is loaded. It is stored either in a file or in a database. Let us take a discussion forum as an example.
The attacker posts a message or comment containing malicious content. When other users visit the page containing the fraudulent message or comment, that content is executed in their browsers.
The most suitable solution against this vulnerability is to use the "htmlspecialchars()" function. This function filters characters such as <, & or ", replacing them by their HTML entity equivalents so the browser renders them as text rather than markup. For instance:
You can also use the PHP function "htmlentities()": converting characters into entities is commonly used to prevent browsers from interpreting them as HTML elements. This is particularly useful for preventing code execution wherever user-supplied input is displayed on a page.
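The weather page from the example above, written as an added illustration (not code from the original article or from HTTPCS): the same GET parameter is rendered once without encoding and once through htmlspecialchars(). The function names and the $city parameter are assumptions made for this example.

```php
<?php
// Added example, not part of the original article.
// Renders the "ville" parameter of the weather page in two ways.

// Vulnerable: the value of ?ville= is echoed straight into the HTML,
// so any markup inside it becomes part of the page.
function render_forecast_vulnerable(string $city): string
{
    return "<h1>Forecast for " . $city . "</h1>";
}

// Hardened: every character that is significant to HTML is encoded at output time.
// ENT_QUOTES also encodes ' and ", so the value is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty string;
// the explicit charset avoids mis-encoding surprises.
function render_forecast_safe(string $city): string
{
    $encoded = htmlspecialchars($city, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>Forecast for " . $encoded . "</h1>"
         . "<input type=\"text\" name=\"ville\" value=\"" . $encoded . "\">";
}

// Constructed inputs: the legitimate city name and the payload quoted in the article.
$inputs = [
    'Montpellier',
    'Montpellier<script>alert(document.cookie);</script>',
];

foreach ($inputs as $city) {
    echo "Input:      " . $city . PHP_EOL;
    echo "Vulnerable: " . render_forecast_vulnerable($city) . PHP_EOL;
    echo "Hardened:   " . render_forecast_safe($city) . PHP_EOL . PHP_EOL;
}

// In a real request handler the value would come from $_GET['ville'] ?? ''
// and be passed only to render_forecast_safe().
```

In the hardened output the payload's < and > arrive in the page as &lt; and &gt;, so the browser shows the text instead of running a script. Note that this encoding is correct for an HTML body or attribute context only; a value placed inside a <script> block or an inline event handler needs JavaScript-context encoding instead.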
Detect security flaws on your website or web application thanks to the Web Vulnerability Scanner of HTTPCS. This online security tool allows you to detect any flaws you have (top 10 OWASP, CVE and other vulnerabilities implemented in the robot) to ensure the best protection of your site on a daily basis. Easily schedule automated audits, discover your vulnerabilities and find out what patches to apply to avoid being hacked.