I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script>
on it, nothing happens, the server gets that string and that's all.
What do I have to do to make it vulnerable?? (then I'll learn what I shouldn't do hehe)
Cheers.
Indeed, just let the server output it so that the input string effectively gets embedded in the HTML source which gets returned to the client.
PHP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: <?= $_GET['xss'] ?></p>
</body>
</html>
JSP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: ${param.xss}</p>
</body>
</html>
Alternatively you can redisplay the value in the input elements, that's also often seen:
<input type="text" name="xss" value="<?= $_GET['xss'] ?>">
resp.
<input type="text" name="xss" value="${param.xss}">
This way "weird" attack strings like "/><script>alert('xss')</script><br class="
will work because the server will render it after all as
<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">
XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by &lt;, &gt; and &quot; so that end-user input doesn't end up literally embedded in the HTML source but instead just gets displayed as it was entered.
Have the server output the input back to the client.
You should "inject" the script. So if you have a text-input, you should put in the form:
" /> <script>alert();</script>
This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.
Three simple things:
- If you're not outputting untrusted data to the page at some point there is no opportunity for XSS
- All your untrusted data (forms, querystrings, headers, etc) should be validated against a whitelist to ensure it's within an acceptable range
- All your output to the screen should be encoded with an appropriate library (i.e. Anti-XSS for .NET) onto the appropriate language (HTML, CSS, JS, etc).
More info with examples in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).
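As an added, runnable illustration of the points made in the answers above (the htmlspecialchars() fix from the first answer, and the "validate against a whitelist, then encode the output" advice from this one), here is a PHP script that is not part of any answer. It pushes the attribute-context attack string quoted earlier through the vulnerable value="..." template and through an escaped version, and runs a whitelist check in front of both. The file name xss_demo.php, the function names, the whitelist rule and the sample inputs are all constructed for this example; PHP was chosen because the first answer's code is PHP.

```php
<?php
// Added example, not code from any of the answers above: renders the
// page's attribute-context attack string through a vulnerable template
// and through the htmlspecialchars()-based fix, and shows why whitelist
// validation and output encoding are separate steps. Run: php xss_demo.php

declare(strict_types=1);

// Vulnerable rendering: identical in effect to value="<?= $_GET['xss'] ?>".
function renderVulnerable(string $value): string
{
    return '<input type="text" name="xss" value="' . $value . '">';
}

// Hardened rendering for the HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode ' as well as "; without it (the default
// before PHP 8.1) a single-quoted attribute value='...' stays breakable.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function renderEscaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="xss" value="' . $safe . '">';
}

// Whitelist validation (constructed rule for this example): accept only
// letters, digits, spaces, apostrophes and hyphens, 1..40 characters.
// Anything else is rejected before it reaches any template.
function isAcceptableName(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 \'-]{1,40}$/', $value) === 1;
}

// Crude check for a reviewer: the rendered fragment must not have grown
// an extra tag such as <script>.
function containsTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed inputs: the payload quoted in the first answer, and a
// legitimate value that passes the whitelist and is still encoded so it
// displays exactly as entered (O&#039;Brien in the source).
$payload = '"/><script>alert(\'xss\')</script><br class="';
$name    = "O'Brien";

foreach ([$payload, $name] as $input) {
    $ok = isAcceptableName($input);
    printf("input: %s\n  whitelist ok: %s\n", $input, $ok ? 'yes' : 'no');
    printf("  vulnerable: %s (script tag: %s)\n",
        renderVulnerable($input),
        containsTag(renderVulnerable($input), 'script') ? 'yes' : 'no');
    printf("  escaped:    %s (script tag: %s)\n",
        renderEscaped($input),
        containsTag(renderEscaped($input), 'script') ? 'yes' : 'no');
}
```

Running it shows the payload failing the whitelist, producing a live <script> tag through renderVulnerable() and only &quot;/&gt;&lt;script&gt;... through renderEscaped(), while the legitimate name passes the whitelist and survives encoding unchanged in meaning. The two checks are complementary: validation limits what reaches the template at all, and context-appropriate encoding guarantees that whatever does reach it is rendered as data rather than markup.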
Google made a really awesome tutorial that covers XSS and other security vulnerabilities here. It can help you understand how these issues are exploited in real applications.