A web application's output is rendered as a web page. If user input is included in the web application output, then it is also rendered as a part of the web page. If user input is included in output without being validated and encoded, a cross-site scripting (XSS) vulnerability results. In that case, an attacker can modify the output web page to include malicious script, which is then executed by the browser that views the vulnerable page. XSS applies to all web applications. To prevent XSS, validate all input and encode input included in output. To check for this flaw, find all code that includes user input in output, and verify that user input is sufficiently validated and properly encoded.
There are two primary types of XSS: persistent and non-persistent. If the attacker is able to inject their malicious script into the web applications data store, then the script will be persistent and anyone who loads a page with that content will run the script and become a victim of the attack. Non-Persistent XSS uses some reflective aspect of the page to deliver the payload.
To prevent this vulnerability, validate all input, and encode all input that is included in output.
Validate all input:
Encode input included in output:
To check for adequate protection against this vulnerability, ensure that all input is validated, and that all input included in output is encoded.
All input is validated:
Input included in output is encoded:
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Introduction to Cross-Site Scripting
As part of the Web development team, you are aware of the importance of securing your application against vulnerabilities that could put users at risk. Cross-site scripting vulnerabilities are extremely common as they affect seven out of ten Web applications. These vulnerabilities can have dire consequences such as allowing attackers to steal or tamper with sensitive data. In order to avoid creating insecure code, you need to understand the mechanisms behind cross-site scripting vulnerabilities.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.