Today I ran across a Cross Site Scripting (XSS) attack in the wild. Since the victimized site is run by a friend, I did a little digging to see how the attack was done so I could tell him about the issue and how to fix it. Here is a little background on XSS attacks and how to debug them and avoid them.
If you are trying to debug an XSS attack, the first rule of thumb is not to use your main browser. Don’t use anything that has “your” data in it – login cookies, saved passwords, active sessions and so on – because whatever script the attacker injected will run with the same access as you have in that browser. Instead, use a secondary browser, or a separate development profile for your main browser if you have one.
Your browser can show you the behavior that the attack is performing, which is useful. However, depending on the attack, getting the HTML source from your browser may not be so easy. Also, many browsers “clean up” the HTML a bit as they parse it, so what you see in the element inspector (and, in some browsers, in View Source) isn’t always exactly what the web server sent down. To see the raw bytes, fetch the page with a command-line tool such as curl or wget, from a machine or account that holds no cookies for the site.
You’ll probably find a place in the HTML where a tag was closed before you expected it, and a SCRIPT tag somewhere you didn’t expect it.
There are a number of ways to avoid XSS attacks. The main approaches are:
- Encode your HTML output so that angle brackets become &lt; and &gt;, quotes become &quot;, and the ampersand itself becomes &amp;. Untrusted text then stays text: it cannot close a tag early or open a SCRIPT tag.
There’s a ton of info on preventing XSS attacks out there on the web. If you’re a web developer, make sure to do a little reading on this.