What Is It?
Imagine you have the ability to alter the behaviour of a web page to your liking to a small (or large) subset of users. No browser plugin installation necessary, the page and it’s behaviour is yours to mess with as you see fit. You control what the user sees, the information they can send (and who it goes to), potentially including session information.
How does it work?
Generally speaking, it relies on a few fundamental things:
1) That the application repeats user-inputted data. Doesn’t have to be immediate, and doesn’t have to be the same user doing the inputting as the one to fall victim.
There are three main types of XSS.
This is where you put the XSS code into a HTML request and have it immediately execute on the responding page. For GET-based XSS flaws, a direct link can be provided to the victim but for POST-based flaws, you’d have to trick them into inputting the XSS code themselves. You can do this by claiming the code is a secret coupon for infinite nachos or something.
This is where you send your XSS code to an application in a form where it can be stored and brought up later – think something like a Facebook comment. Once the page with the XSS code, the code will execute immediately.
Testing for XSS
The simplest test one can do for XSS is to enter the following code into an input field or POST/GET request variable:
This instead loads the document cookies (or at least the ones without the flag ‘HttpOnly’) into the message box. If those don’t work, you can try the following:
Among a long list of other potential XSS bypass strings.