This is usually possible through user input fields whose contents are not properly validated.
It is important to understand that the JavaScript is executed in the visitor's browser, not on the web server.
In the following I would like to describe the three basic types using Google's XSS game, which lets you learn in a playful way how cross-site scripting works.
The goal is to execute proof-of-concept code that makes a pop-up appear using alert(). In a "real" attack, malicious code would be executed at this point instead, for example code that reads out cookies.
Here we can see an input field, which represents a search function.
If something is entered in this field, the corresponding text will appear after submission.
The easiest way to use XSS is to enter the code directly:
This is a so-called reflected attack. Reflected, because the user input (in this case the search text) is returned in the response without being stored.
Here a forum is simulated. Text input is saved and made available to other users.
The direct input of the script as above is not possible here. By including an image that cannot be loaded, our code is executed in the
This is called a persistent attack. Persistent, because the code (in this case via a comment function) is stored on the web server. Every time a user loads the page, the code is executed in the browser.
Here we have no input field in which we can write. By clicking on one of the tabs the corresponding picture changes.
A look at the source code shows how it works:
The image is loaded depending on the tab you clicked. The file names are composed according to cloud1.jpg, cloud2.jpg, cloud3.jpg.
By inserting a single ' we "break" out of the JavaScript string and then, as before, execute our code via an HTML event handler:
https://xss-game.appspot.com/level3/frame#3' onerror='alert("Level 3.")';
This type of attack is called local or DOM-based cross-site scripting, because it manipulates the Document Object Model.
How do I protect myself as a visitor to a website?
How do I protect my web application?
With suitable tools such as DOM Snitch, tests can be performed during development.
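As an added example (not code from the XSS game or from the original post), the following shows why level 3 breaks and how the tab logic would be hardened: the URL fragment is allow-listed against the known tab numbers instead of being concatenated into markup, and anything that still ends up in HTML is escaped. The tab table, function names and the "/static/level3/" path are assumptions for illustration.

```javascript
// Known tabs of the level-3 page (assumed table for this example).
const IMAGE_TABS = { 1: "cloud1.jpg", 2: "cloud2.jpg", 3: "cloud3.jpg" };

// Escape the characters that allow text to break out of an HTML element or attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the DOM-based bug of level 3): the URL fragment is pasted
// straight into the markup, so a single quote in it ends the src attribute.
function vulnerableImageMarkup(fragment) {
  return "<img src='/static/level3/cloud" + fragment + ".jpg' />";
}

// Hardened step 1: only accept a fragment that names one of the known tabs;
// anything else falls back to the first tab.
function chooseTab(fragment) {
  const match = /^([1-3])$/.exec(String(fragment));
  return match ? Number(match[1]) : 1;
}

// Hardened step 2: build the markup from the allow-listed file name, and escape
// it anyway (defence in depth) before it is placed inside an attribute.
function safeImageMarkup(fragment) {
  const file = IMAGE_TABS[chooseTab(fragment)];
  return "<img src='/static/level3/" + escapeHtml(file) + "' />";
}

// In a real page the markup should not be built as a string at all:
// document.createElement("img") plus img.setAttribute("src", ...) keeps the
// value as data and never parses it as HTML.
```

The payload from the level-3 URL above turns into an onerror handler in the vulnerable version, while the hardened version simply shows tab 1.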
I hope to have given you a rough overview. If you have any further questions, I will be happy to answer them in the comments. Otherwise you can try your hand at the next levels ;)
Thanks for reading!