Cross Site Scripting-page-1

The second most commonly exploited web vulnerability is Cross Site Scripting (SQL Injection being the first). Cross Site Scripting, also known as XSS, is an injection-type web application vulnerability. It occurs mainly when a web application allows user-supplied data to be displayed and rendered on a webpage without proper escaping or encoding.

Unlike SQL Injection, this vulnerability affects the user instead of the web application. In this chapter, we will understand what scripting is, and then move on to Cross Site Scripting attacks.


Gone are the days when websites were purely static HTML pages. Present-day websites are driven by dynamic content, with JavaScript (or VBScript) being used along with HTML. Scripting is enabled by default in most browsers, to give the user a better sense of interaction.

JavaScript runs on the client side, in the browser, to provide interactivity to the user.

However, in some cases it may pose a security risk too, where malicious scripts are embedded on behalf of a legitimate website to compromise the user's security.

Let's take a legitimate example, where the content of a webpage is modified using JavaScript:



<script type="text/javascript">
// Called when the button is clicked; writes text into the document.
function hello() {
  document.write("Hello World");
}
</script>

<h1>Test Web Page</h1>
<button type="button" onclick="hello()">Hello</button>



When the web browser renders this page, it shows the heading "Test Web Page" with a "Hello" button below it.

On clicking the button, the text "Hello World" is displayed. This is the most basic example of scripting using JavaScript functions.

Just like this example, in Cross Site Scripting attacks a script is used to perform malicious actions on behalf of the user. In addition, most of the spam you see on popular social networking websites these days is an example of XSS.
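The introduction says XSS arises when user-supplied data is rendered "without proper escaping or encoding". The following added example (not code from the original page) shows the same data rendered once without and once with HTML escaping. The function names and the sample inputs are constructed for illustration, and the escaping shown is only suitable for HTML element content and quoted attribute values.

```javascript
// Added example: escapeHtml, renderCommentUnsafe, renderCommentSafe and
// containsScriptTag are hypothetical names, not part of any library.

// Characters that have special meaning in HTML and their entity forms.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode user data so the browser treats it as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: user data is concatenated into the page as-is,
// so any tags it contains become part of the document.
function renderCommentUnsafe(comment) {
  return "<p>" + comment + "</p>";
}

// Hardened pattern: the same template, with the data escaped first.
function renderCommentSafe(comment) {
  return "<p>" + escapeHtml(comment) + "</p>";
}

// Simple check used below: does the output still contain a script element?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed sample inputs: plain text, a script tag calling the page's
// hello() function, and text with characters that need encoding.
const samples = ["Nice article!", "<script>hello()</script>", 'Tom & "Jerry" <3'];

for (const input of samples) {
  const unsafe = renderCommentUnsafe(input);
  const safe = renderCommentSafe(input);
  console.log("input :", input);
  console.log("unsafe:", unsafe, "| script element:", containsScriptTag(unsafe));
  console.log("safe  :", safe, "| script element:", containsScriptTag(safe));
}
```

Data placed inside a script block, a URL, or a style rule needs encoding specific to that context; HTML entity escaping alone does not cover those cases.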

