In this section, we’ll explain what cross-site scripting is, describe the different varieties of cross-site scripting vulnerabilities, and spell out how to find and prevent cross-site scripting. What is cross-site scripting (XSS)? Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with…

Read More

In this section, we’ll describe the AngularJS sandbox, explain how exploits can escape from the sandbox, and spell out how content security policy (CSP) can be bypassed in the context of the AngularJS sandbox. What is the AngularJS sandbox? The AngularJS sandbox is a mechanism that prevents access to potentially dangerous objects, such as window or document, in AngularJS template…

Read More

In this section, we’ll describe some general principles for preventing cross-site scripting vulnerabilities and ways of using various common technologies for protecting against XSS attacks. Cross-site scripting prevention can generally be achieved via two layers of defense: Encode data on output Validate input on arrival Encode data on output Encoding should be applied directly before user-controllable data is written…

Read More

In this section, we’ll explain dangling markup injection, how a typical exploit works, and how to prevent dangling markup attacks. What is a dangling markup injection? Dangling markup injection is a technique for capturing data cross-domain in situations where a full cross-site scripting attack isn’t possible. Suppose an application embeds attacker-controllable data into its responses…

Read More

In this section, we’ll explain what content security policy is, and describe how CSP can be used to mitigate against some common attacks. What is CSP (content security policy)? CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a…

Read More

In this section, we’ll describe DOM-based cross-site scripting (DOM XSS), explain how to find DOM XSS vulnerabilities, and talk about how to exploit DOM XSS with different sources and sinks. What is DOM-based cross-site scripting? DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink…

Read More

When testing for reflected and stored XSS, a key task is to identify the XSS context: The location within the response where attacker-controllable data appears. Any input validation or other processing that is being performed on that data by the application. Based on these details, you can then select one or more candidate XSS payloads, and test whether they…

Read More

The traditional way to prove that you’ve found a cross-site scripting vulnerability is to create a popup using the alert()function. This isn’t because XSS has anything to do with popups; it’s simply a way to prove that you can execute arbitrary JavaScript on a given domain. You might notice some people using alert(document.domain). This is a way of making it explicit…

Read More

In this section, we’ll explain reflected cross-site scripting, describe the impact of reflected XSS attacks, and spell out how to find reflected XSS vulnerabilities. What is reflected in cross-site scripting? Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an…

Read More

In this section, we’ll explain stored cross-site scripting, describe the impact of stored XSS attacks, and spell out how to find stored XSS vulnerabilities. What is stored cross-site scripting? Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its…

Read More