XSS (cross-site scripting) is a client-side code injection attack in which an attacker injects malicious scripts into a legitimate website or web application. It usually becomes possible when the application does not validate user input and inserts that input directly into dynamically generated HTML.
For example, a comment system is at risk if it does not validate or escape user input. If a comment contains unescaped HTML, it can inject a `<script>` tag into the page that other users' browsers will execute without their knowledge.
- The malicious script has access to cookies which are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can impersonate the user.
- The script can arbitrarily manipulate the DOM of the page the script is executing in, allowing the attacker to insert pieces of content that appear to be a real part of the website.
- The script can use AJAX to send HTTP requests with arbitrary content to arbitrary destinations.
- On the client, using `textContent` instead of `innerHTML` prevents the browser from running the string through the HTML parser, which would otherwise execute any scripts it contains.
- On the server, escaping HTML metacharacters prevents the browser from parsing the user input as actual HTML, so the script is never executed.