Chapter 2

Cross-Site Scripting

This chapter deals with the most common vulnerability that we see in APEX applications. In our annual review of APEX applications (2011), we found that every single one had at least one instance of Cross-Site Scripting (XSS). In our experience, the PHP, .NET, and Java applications that our customers submit for security assessment also mostly suffer from Cross-Site Scripting issues, far in excess of any other class of vulnerability.

Modern browsers and web applications rely heavily on JavaScript to provide a rich user experience. In many cases, sites simply do not work without a JavaScript-capable browser, and the rise of Web 2.0 technologies means that JavaScript is now a critical part of web-based applications.

Cross-Site Scripting is an attack against web technologies where the JavaScript within a web application is specified not by the application developer, but instead by an external party (an attacker). By design, a website cannot read or access content from another site due to the browser’s same-origin policy; any JavaScript on www.attacker.com cannot read content or session information from www.target.com. However, if a Cross-Site Scripting vulnerability in the target allows some user-specified JavaScript to be executed within the context of that site, it becomes possible for the attacker to access and manipulate site content.

For example, if a target is vulnerable to Cross-Site Scripting it might be structured as follows (in pseudo-code): ...
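As an added example (not the book's own pseudo-code, nor APEX's own code), this is how the same flaw and its fix look in an APEX PL/SQL region; it assumes a page item P1_NAME populated from the URL, a PL/SQL region that calls these procedures, and APEX 4.1 or later for the apex_escape package.

```plsql
-- Added example, not from the book. Assumes page item P1_NAME (populated
-- from the URL), a PL/SQL region that calls these procedures, and APEX 4.1
-- or later for apex_escape.

-- Vulnerable: the item value is concatenated straight into the page, so a
-- value containing markup or a <script> element is interpreted by the
-- browser within the application's own origin, which is exactly the
-- situation the same-origin policy is meant to prevent.
procedure greet_unsafe is
begin
  htp.p('<p>Hello, ' || v('P1_NAME') || '</p>');
end greet_unsafe;

-- Hardened: escape the value for the context it lands in, so the browser
-- renders it as text rather than executing it.
--   apex_escape.html       -> HTML text node (encodes & < > " ')
--   apex_escape.js_literal -> JavaScript string literal (escapes the value
--                             and adds the surrounding quotes)
-- sys.htf.escape_sc is the older equivalent of apex_escape.html on
-- releases that predate the apex_escape package.
procedure greet_safe is
begin
  htp.p('<p>Hello, ' || apex_escape.html(v('P1_NAME')) || '</p>');
  htp.p('<script>var who = ' || apex_escape.js_literal(v('P1_NAME'))
        || ';</script>');
end greet_safe;
```

The test for a region is simple: set P1_NAME to a value containing `<`, `>` and a quote character and confirm that the rendered page source shows entities (or an escaped literal) rather than the raw characters.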
