Josh-CO Dev

Solving the worlds problems one line of code at a time.

Basic Cross Site Scripting

Leave a comment


I was playing around with some cross site scripting demos to help educate our company about the importance of application security and thought that I would share one of my demos here. For those of you that are new to this, Cross Site Scripting, or simply XSS, is a web based vulnerability that allows a hacker to insert their own logic into your application. Many developers are prone to this attack and don’t even know it. Let’s illustrate.

Here is some basic html:

<!DOCTYPE html>

<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>XSS Testing</title>

        <script src="/jquery-1.8.1.js" type="text/javascript"></script>
        <script src="/Script.js" type="text/javascript"></script>
    </head>
    <body>
        <p>Enter your name: <input type="text" id="inputName">&nbsp<input type="button" value="Submit" id="btnSubmit"></p>

        <div id="Content">

        </div>
    </body>
</html>

If you know html, there is nothing crazy here. This just creates a simple form that has the text “Enter your name”, a text input, and a submit button. In my jquery call, “scripts.js” as linked above, I have this function:

    //xss
    $("#btnSubmit").click(function () {
        //alert($("#inputName").val());
        var htmlToRender = "Welcome to our site " + $("#inputName").val();

        $("#Content").html(htmlToRender);
    });

Again, pretty simple. This is a button click event handler on the submit button. All it does is take the user input and outputs it to the screen. This is what a lot of the internet does. Perform a search? It does the search and then outputs what you put in the search box to the screen. Same principle here.

What this is expecting is for a user to enter their name. Well, what if they enter something mischievious such as “<script>alert(“ha, I hacked your site”)</script> Josh”? Using this code you can try it. You will get an alert box that reads “Ha, I hacked your site”. But if you look at the screen after you click ok, it will say “Welcome to our site Josh.” This is actually one of the first tests that you make on a site to see if they are susceptible to XSS attacks.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s