Lecture 21: Cross-Site Scripting (XSS)

• Slides
• Playlist (length: 48:59)
• Source code for the Squigler demo

Intro to XSS, Review

Stored XSS

If the user input is stored on the server and displayed as HTML, how can an attacker inject Javascript?

<script> tags in HTML allow Javascript to be embedded in HTML page.

XSS Demo

Real-world XSS Attacks

Reflected XSS

(True/False) Reflected XSS requires the victim to visit a malicious link crafted by the attacker, but Stored XSS does not.

True. In Reflected XSS, the malicious script is passed through the URL, so the attacker needs the victim to visit a link that contains the malicious script. However, in Stored XSS, the malicious script is stored on the server, so the victim could load the malicious script by visiting a legitimate website.

XSS Defenses

Consider an escaper that finds all instances of <script> and </script> in user input and removes them. Can an attacker still perform an XSS attack with <script> tags? If yes, write a malicious input that would bypass this escaping function. If no, explain why.

Yes. Consider this input: <scr<script>ipt>alert(1);</scr<script>ipt>. The escaper will find two instances of <script> and remove them, but after they’re removed, the input is now <script>alert(1);</script>!

Important takeaway: Building an escaper is hard, and attackers have many creative ways of bypassing escape functions.