Security Basics: XSS Explained

I’m sure you’ve heard of XSS (Cross-Site Scripting) if you’ve ever been within earshot of a security engineer. As part of the OWASP Top 10, it tends to pop up a lot in security discussions. Unfortunately, the standard explanation (“code injected into a webpage to make it do stuff”) doesn’t really help red or blue teams execute or protect against it.

A Better Explanation

Basically, XSS can occur when a user is allowed to provide input that will be used by the application in some way to alter a view in the interface, without properly sanitizing the user-supplied input. For instance, when you search for a product in an online store and see the search term appear at the top of the results, or in the page title. You provided the term that the application is now using, so what’s to stop you from providing something malicious?

This is the premise of XSS.

Learning By Example

We’re going to use a fake web application, UberImage, to illustrate how XSS can occur in the real world. UberImage is a place to upload, tag, and share images with other users. Users can ‘like’ images, and popular images (by likes and views) appear on the front page. I’m sure nothing bad can come from that.