9

I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens: the server gets that string and that's all.

What do I have to do to make it vulnerable? (Then I'll learn what I shouldn't do, hehe.)

Cheers.

Dolph
vtortola

5 Answers

23

Have the server output the input back to the client.

Quentin
  • 2
    I read "Having the server output the input back to the client.", and thought wow, that's the simplest and most dead-on answer to this question. – K. Norbert May 25 '10 at 15:09
23

Indeed, just let the server output it so that the input string effectively gets embedded in the HTML source which gets returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <!-- deliberately unescaped: the parameter is reflected into the page verbatim -->
        <p>Result: <?= $_GET['xss'] ?? '' ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <%-- deliberately unescaped: ${param.xss} is not passed through fn:escapeXml() --%>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that's also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?? '' ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are, among others, htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace, among others, <, > and " by &lt;, &gt; and &quot; so that end-user input doesn't end up literally embedded in the HTML source but is instead just displayed as it was entered.

BalusC
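The attribute-context breakout from the answer above and its htmlspecialchars()-style fix, redone as an added example in Python (not part of the original answer) so the rendered fragment can be parsed and checked: the function names are this example's own, and html.escape(quote=True) stands in for htmlspecialchars($s, ENT_QUOTES).

```python
import html
from html.parser import HTMLParser

# Constructed input, copied from the answer: closes the value attribute, adds a
# script element, then reopens an attribute so the rest of the tag stays well-formed.
ATTACK = '"/><script>alert(\'xss\')</script><br class="'


def render_unescaped(xss: str) -> str:
    """Mirrors value="<?= $_GET['xss'] ?>": the parameter lands in the attribute verbatim."""
    return f'<input type="text" name="xss" value="{xss}">'


def render_escaped(xss: str) -> str:
    """Mirrors value="<?= htmlspecialchars($_GET['xss'], ENT_QUOTES) ?>".
    & < > " and ' become character references, so the input can neither end the
    attribute nor start a new tag."""
    return f'<input type="text" name="xss" value="{html.escape(xss, quote=True)}">'


class _FragmentInspector(HTMLParser):
    """Tokenizes the fragment roughly as a browser would and records what it finds."""

    def __init__(self) -> None:
        super().__init__()  # attribute values are decoded, as a browser decodes them
        self.script_tags = 0
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_values.append(dict(attrs).get("value", ""))


def _inspect(markup: str) -> _FragmentInspector:
    inspector = _FragmentInspector()
    inspector.feed(markup)
    inspector.close()
    return inspector


def count_script_elements(markup: str) -> int:
    """Number of <script> elements a browser would execute from this fragment."""
    return _inspect(markup).script_tags


def reflected_value(markup: str) -> str:
    """Decoded value attribute of the first <input>: what the user sees re-displayed."""
    return _inspect(markup).input_values[0]
```

Running count_script_elements over both renderings of ATTACK gives 1 for the unescaped markup and 0 for the escaped one, and reflected_value of the escaped markup is the attack string itself, displayed exactly as entered.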
4

You should "inject" the script. So if you have a text-input, you should put in the form:

" /> <script>alert();</script>

This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.

Henri
  • That's not what he's asking. He knows how to perform the attack, he's asking what makes an input vulnerable. – kingsfoil Apr 26 '17 at 16:24
1

Google made a really awesome tutorial that covers XSS and other security vulnerabilities here. It can help you understand how these issues are exploited in real applications.

Annie
1

Three simple things:

  1. If you're not outputting untrusted data to the page at some point, there is no opportunity for XSS.
  2. All your untrusted data (forms, query strings, headers, etc.) should be validated against a whitelist to ensure it's within an acceptable range.
  3. All your output to the screen should be encoded with an appropriate library (e.g. Anti-XSS for .NET) for the appropriate language (HTML, CSS, JS, etc.).

More info with examples in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).

Troy Hunt