Understanding Cross-Site Scripting: What Web Developers Need to Know

Joshua Taylor
Published in Geek Culture
Jun 30, 2021

On Saturday, March 22nd, 2008, the Epilepsy Foundation’s epilepsy support message board was victim to a cross-site scripting attack [1]. Users were assaulted with flashing images, triggering seizures and migraines [2]. This breaks my heart.

Cross-site Scripting (XSS) remains on the OWASP Top 10 list and is one of the most common vulnerabilities on the internet. Developers who do not understand XSS may be putting their users in harm’s way. Don’t be one of these developers.

Prerequisites

For this article to be worth your time, you should know a bit about HTML, JavaScript, the DOM, and HTTP. Even with an understanding of these technologies, you may encounter a few unfamiliar terms or concepts. Don’t be discouraged. Look these terms up if you have the time, but either way, this article’s main ideas will not be lost on you.

What is Cross-Site Scripting?

XSS attacks are injection attacks. Like other injection attacks, such as SQL and NoSQL injection, XSS attacks are fundamentally an issue of data being interpreted as code. In an SQL injection, the attacker injects code into your database. In an XSS attack, the attacker injects code into your users’ browsers.
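As an added example (not code from the article), here is the data-versus-code distinction in JavaScript: the same constructed comment string is rendered into an HTML fragment with and without HTML encoding, and a small check confirms whether any tag the template did not write survived. The function names and the sample comment are hypothetical.

```javascript
// Added example, not from the original article. Shows untrusted data
// being interpreted as markup versus being encoded so it stays data.

// Encode the five characters that can change HTML structure or close
// an attribute value. This covers text nodes and double-quoted
// attribute values; JS and URL contexts need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable sink: user data is concatenated straight into markup, so
// any tags inside it become part of the page the browser executes.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Safe rendering: the data is encoded before it reaches the HTML
// context, so the browser displays it as text instead of parsing it.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Simple detection helper for a test or review: returns true if the
// fragment contains a tag other than the ones the template itself wrote.
function containsForeignTag(html, allowed = ['li']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input: a "comment" that carries markup.
const sample = 'Nice post! <script>alert("xss")</script>';

console.log(containsForeignTag(renderCommentUnsafe(sample))); // true
console.log(containsForeignTag(renderCommentSafe(sample)));   // false
```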
