XSS (aka, by its much less cool name, Cross-Site Scripting) is a web security vulnerability that lets an attacker inject malicious script into a page that other users view. Because the injected script runs in the victim's browser with the origin of the vulnerable site, it can read or act on that user's session, cookies and account. The code executes on the client, in the browsers of the users who load the page, not on the web server; the server merely reflects or stores the payload and hands it to its own users.
Taken from Portswigger's Web Security Labs
Reflected XSS arises when an application receives data in an HTTP request and includes that data in the immediate response in an unsafe way. E.g.
https://insecure-website.com/status?message=All+is+well.
<p>Status: All is well.</p>
The application does no encoding or validation of the parameter, so an attacker can craft a URL like:
https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
<p>Status: <script>/* Bad stuff here... */</script></p>
The <script> tag executes in the victim's browser as soon as they open this crafted URL, so the attacker has to get the victim to visit the link (the payload lives in the request, not on the site).
Stored XSS arises when an application receives data from an untrusted source, stores it, and includes it in later HTTP responses insecurely, e.g. in a blog's comment section. Say a message board application allows you to post messages:
<p><script>/* Bad stuff here... */</script></p>
The script is stored on the site as a message and runs in the browser of anyone who loads the page containing it. No crafted link is needed, because the payload now sits in the application's own data and is served to every visitor.
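To make the reflected and stored cases concrete, here is an added example (my own code, not from the original post or from PortSwigger) that renders both pages as pure functions so it runs offline in Node. The function names, the in-memory message board and the `escapeHtml` helper are hypothetical; the URL and payload are the ones quoted above. The unsafe and hardened versions differ only in whether the untrusted value is encoded on output.

```javascript
// Added example, not code from the original post or from PortSwigger:
// reflected and stored XSS as pure render functions, runnable in Node.
// Function, store and page names are hypothetical (assumptions).

// Encode the five characters that can change meaning in HTML text and
// quoted-attribute context. Sufficient for text placed in an element body;
// other contexts (JS strings, URLs, unquoted attributes) need their own encoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS: the `message` query parameter is copied straight into the
// response body. URL/URLSearchParams decode percent-encoding and turn `+` into
// a space, exactly as the browser-side form decoding would.
function statusPageUnsafe(requestUrl) {
  const message = new URL(requestUrl).searchParams.get('message') ?? '';
  return `<p>Status: ${message}</p>`;
}

// Hardened version: identical, except the parameter is encoded on output.
function statusPageSafe(requestUrl) {
  const message = new URL(requestUrl).searchParams.get('message') ?? '';
  return `<p>Status: ${escapeHtml(message)}</p>`;
}

// Stored XSS: a message board keeps every posted message (an array standing in
// for the database) and re-renders all of them for each visitor.
function boardPageUnsafe(messages) {
  return messages.map((m) => `<p>${m}</p>`).join('\n');
}

function boardPageSafe(messages) {
  return messages.map((m) => `<p>${escapeHtml(m)}</p>`).join('\n');
}

// Crude check used below: does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the payload and crafted URL from the text above.
const payload = '<script>/* Bad stuff here... */</script>';
const craftedUrl = 'https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>';
const board = ['All is well.', payload]; // constructed message-board contents

console.log(statusPageUnsafe(craftedUrl)); // <p>Status: <script>/* Bad stuff here... */</script></p>
console.log(statusPageSafe(craftedUrl));   // <p>Status: &lt;script&gt;/* Bad stuff here... */&lt;/script&gt;</p>
console.log(boardPageUnsafe(board));       // second <p> carries a live <script> tag
console.log(boardPageSafe(board));         // second <p> carries only harmless text
```

Note that the stored variant needs no `URL` parsing at all: once the payload is in `board`, every render of the page reproduces it. The fix is the same in both cases, encode for the context you are writing into at output time, which is what a templating engine's auto-escaping does for you; input validation alone is not a substitute.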
DOM-based XSS arises when an application's own client-side JavaScript takes data from an attacker-controllable source (such as the URL fragment or a query parameter) and writes it back to the DOM through an unsafe sink such as innerHTML. If the attacker controls that input, they can craft a value that causes their own script to execute, and because a URL fragment is never sent to the server, the payload may not appear in any server-side log at all.
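As an added example (my own code, not from the original post or PortSwigger), the following shows the vulnerable client-side pattern next to its fix, and a deliberately crude line-based source-to-sink tracker run over both. The two page snippets are kept as strings because they use browser-only DOM APIs; the finder itself runs in Node. The source and sink lists, the snippet and every function name are assumptions, and the tracker is a toy, not a real taint analysis.

```javascript
// Added example, not code from the original post or from PortSwigger.
// Page snippets are strings (they need a browser); the finder runs in Node.
// Source/sink lists, snippet and names are hypothetical (assumptions).

// Vulnerable page-side code: the URL fragment (attacker-controlled, never sent
// to the server) is decoded and written into the page through innerHTML.
const VULNERABLE_SNIPPET = [
  "const msg = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('status').innerHTML = 'Status: ' + msg;",
].join('\n');

// Fixed page-side code: same source, but textContent treats the value as text
// rather than markup, so no tag or event handler is ever parsed.
const FIXED_SNIPPET = [
  "const msg = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('status').textContent = 'Status: ' + msg;",
].join('\n');

// Values an attacker can influence, and DOM APIs that parse markup or run code.
const DOM_SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name'];
const DOM_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write', 'eval'];

// Whole-token match, so that e.g. `evaluate` is not reported as `eval`.
function hasToken(line, token) {
  const escaped = token.replace(/[.$]/g, '\\$&');
  return new RegExp(`(^|[^\\w$])${escaped}(?![\\w$])`).test(line);
}

// Walk the snippet line by line. A variable assigned from a source (or from an
// already-tainted variable) becomes tainted; a sink on a line that reads taint
// is reported. Flows through function calls or across files are missed.
function findTaintedSinks(jsCode) {
  const tainted = new Set();
  const findings = [];
  jsCode.split('\n').forEach((line, idx) => {
    const readsTaint =
      DOM_SOURCES.some((s) => hasToken(line, s)) ||
      [...tainted].some((v) => hasToken(line, v));
    // Simple `[const|let|var] name = ...` assignment (single `=`, not `==`).
    const assignment = line.match(/^\s*(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=[^=]/);
    if (assignment && readsTaint) tainted.add(assignment[1]);
    const sinks = DOM_SINKS.filter((s) => hasToken(line, s));
    if (sinks.length && readsTaint) {
      findings.push({ line: idx + 1, sinks, code: line.trim() });
    }
  });
  return findings;
}

console.log(findTaintedSinks(VULNERABLE_SNIPPET)); // one finding on line 2: innerHTML
console.log(findTaintedSinks(FIXED_SNIPPET));      // []
```

Two caveats a practitioner should keep in mind. First, the browser's own URL encoding is no protection here: the snippet calls `decodeURIComponent` on the fragment, as real pages commonly do, so whatever the attacker put in the link comes back out verbatim. Second, per the HTML spec a `<script>` element inserted through innerHTML is not executed, which is why real DOM XSS payloads rely on markup with inline event handlers instead; the fix does not change, write untrusted data with `textContent` (or encode it for the context) rather than through a markup-parsing sink.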
Given the vast number of XSS resources, it can be hard to keep track of them and to choose where to learn and practise XSS.
Here are a few resources I used to learn, practise and refer back to for XSS.
This blog is a work in progress, and as I continue on my security journey I plan to add more material and references to it. In the meantime, check out my personal notes here.