Thursday, December 8, 2011


  • What is XSS ?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

In the previous post I've discussed Persistant (Stored) and Non-persistant (Reflected) XSS, used to hijack the user session. Today I'll discuss how to attack the Web application through Stored Cross-site scripting.

  • Example:
The following is the simple guestbook script where the users can put name and message that will be stored in the guests table of the guestbook database and then displayed.

Script Code:

<h1>Guestbook page:</h1>
<form action='guestbook.php' method='post'>
<p><label for="name">Name:</label><br />
<input type="text" title="Enter your name" name="name" /></p>
<p><label for="message">Your message:</label><br />
<textarea title="Enter your message" name="message"></textarea></p>
<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>

mysql_select_db("guestbook", $con);
mysql_query("INSERT INTO guests VALUES ('','$name','$message')");
$result=mysql_query("SELECT * FROM guests ORDER BY id DESC");
while($row = mysql_fetch_array($result))
echo $row['name'] . " : " . $row['message'];
echo "<hr />";

If I put name as Rajat and message as Hello everybody !!! in the form, it would look like this :

Now a malicious attacker put the following JavaScript snippet as part of the guestbook message which will result an alert box by the browser:

Script Code:

<script>alert("Guestbook page XSSed !!!")</script>

Which means the attacker has been able to insert a script in the application that is later executed in the context of another user.

Moreover the attacker can deface the website by putting the following code which will open a new browser window consisting the defacement page.

Script Code:

<script type="text/javascript">"", "_self");

  • Protection :
1. The script used in the guestbook page is not able to sanitize the inputs, most importantly the control characters like (< , >). That's why instead of displaying those inputs, it is executing them. In order to sanitize the inputs properly we can use the htmlentities() function converts characters to HTML entities as follows:


Now if the attacker put the previous JavaScript, it will be displayed without being executed by the browser like this:

2. Acunetix Web Vulnerability Scanner (WVS) Free Edition offers the functionality for anyone who wants to test their own application for Cross Site Scripting.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


  1. Whats up are using Wordpress for your blog platform?

    I'm new to the blog world but I'm trying to get started and create my own.
    Do you need any html coding expertise to make your own blog?
    Any help would be greatly appreciated!

    my website ... fatest way to burn belly fat

  2. Voyante gratuit tirage de tarots en ligne

    Visit my site - voyance gratuite en ligne

  3. I think this is one of the most vigal info for
    me. And i am glad reading your article. But want to remark
    on few general things, Thhe website style is wonderful,
    the articles iss really nice : D. Good job, cheers

    My page :: Las Vegas Appliance Service


If you like this post, comment please...