Thursday, December 8, 2011


  • What is XSS ?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

In the previous post I've discussed Persistant (Stored) and Non-persistant (Reflected) XSS, used to hijack the user session. Today I'll discuss how to attack the Web application through Stored Cross-site scripting.

  • Example:
The following is the simple guestbook script where the users can put name and message that will be stored in the guests table of the guestbook database and then displayed.

Script Code:

<h1>Guestbook page:</h1>
<form action='guestbook.php' method='post'>
<p><label for="name">Name:</label><br />
<input type="text" title="Enter your name" name="name" /></p>
<p><label for="message">Your message:</label><br />
<textarea title="Enter your message" name="message"></textarea></p>
<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>

mysql_select_db("guestbook", $con);
mysql_query("INSERT INTO guests VALUES ('','$name','$message')");
$result=mysql_query("SELECT * FROM guests ORDER BY id DESC");
while($row = mysql_fetch_array($result))
echo $row['name'] . " : " . $row['message'];
echo "<hr />";

If I put name as Rajat and message as Hello everybody !!! in the form, it would look like this :

Now a malicious attacker put the following JavaScript snippet as part of the guestbook message which will result an alert box by the browser:

Script Code:

<script>alert("Guestbook page XSSed !!!")</script>

Which means the attacker has been able to insert a script in the application that is later executed in the context of another user.

Moreover the attacker can deface the website by putting the following code which will open a new browser window consisting the defacement page.

Script Code:

<script type="text/javascript">"", "_self");

  • Protection :
1. The script used in the guestbook page is not able to sanitize the inputs, most importantly the control characters like (< , >). That's why instead of displaying those inputs, it is executing them. In order to sanitize the inputs properly we can use the htmlentities() function converts characters to HTML entities as follows:


Now if the attacker put the previous JavaScript, it will be displayed without being executed by the browser like this:

2. Acunetix Web Vulnerability Scanner (WVS) Free Edition offers the functionality for anyone who wants to test their own application for Cross Site Scripting.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...