Cross-site scripting
Introduction to cross-site scripting
Target Audience
This document is intended for anyone who develops websites or is interested in web security topics. A background in HTML, JavaScript, and the Document Object Model (DOM) will be helpful for some of the more technical details.
Don’t be evil
This document provides information that could be used to assess the security of a website against cross-site scripting vulnerabilities. Do not use what you learn here to test (or worse, attack) websites without permission from the website’s owner.
What is cross-site scripting and why should I care?
Cross-site scripting (XSS) is a security bug that can affect websites. If present in your website, this bug can allow an attacker to add their own malicious JavaScript code onto the HTML pages displayed to your users. Once executed by the victim’s browser, this code could then perform actions such as completely changing the behavior or appearance of the website, stealing private data, or performing actions on behalf of the user.
Don’t worry, we’ll show you what all this means, but before we dig deeper, let’s take a look at some interactive examples to see how it works.
A basic example
XSS vulnerabilities most often happen when user input is incorporated into a web server’s response (i.e., an HTML page) without proper escaping or validation.
Consider the search application demo that accompanies this section. It is a working application, so you can interact with it: try searching for something. For your reference, the App Engine source code of the application is included alongside the demo.
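As an added illustration (not the guide's own demo code), the following Python snippet reproduces the pattern described above: a search handler that concatenates the query straight into the response, beside a version that HTML-escapes it first. The helper names `render_unsafe`, `render_safe` and `tags_in` and the sample input are constructed for this example.

```python
import html
from html.parser import HTMLParser


def render_unsafe(query: str) -> str:
    """Vulnerable: the user-supplied query lands in the page unescaped."""
    return "<h1>Results for: " + query + "</h1>"


def render_safe(query: str) -> str:
    """Hardened: escape <, >, &, ' and " before the query enters HTML text."""
    return "<h1>Results for: " + html.escape(query, quote=True) + "</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Return the tag names present in the rendered response."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags


# Constructed sample input: a query containing markup instead of plain text.
SAMPLE_QUERY = "<script>alert(1)</script>"

if __name__ == "__main__":
    # The unsafe response contains a live <script> tag; the safe one does not.
    print(tags_in(render_unsafe(SAMPLE_QUERY)))   # ['h1', 'script']
    print(tags_in(render_safe(SAMPLE_QUERY)))     # ['h1']
```

Escaping with `html.escape` is correct only for the HTML text and attribute contexts; values placed inside inline JavaScript, URLs or CSS need the escaping rules of that context.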