Course: Cyber Security

XSS example

The underlying code can be illustrated with a simple pseudo-code example:

// Vulnerable: the nickname comes from the request and is echoed back without encoding
$nickname = getNickName();
echo "Greeting $nickname, nice to meet you!";

Another type of XSS is stored XSS, where the attacker saves malicious content on the web page itself. That content then executes in the browser of every user who visits the page, without any of them having to click a link.

The graphic shows how Eve stores harmful JavaScript to be executed whenever someone accesses the resource.

[Figure: XSS1]

XSS attacks can achieve various malicious goals, such as:

  • Stealing authentication cookies
  • Defacing the website with unintended content
  • Phishing users by presenting fake login forms

To defend against XSS, consider these best practices:

  • Configure the web server to return strict Content Security Policy (CSP) headers that control where JavaScript may be loaded from and whether inline scripts may run.
  • Properly encode output returned to users, converting HTML metacharacters into their entity encodings so the browser renders them as text rather than markup.
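The greeting from the pseudo-code above, as an added example that is not part of the lesson: the vulnerable version beside a hardened one that applies output encoding, plus the CSP value a server could send as defence in depth. The function names and the sample nicknames are constructed for this demonstration.

```php
<?php
// Added example, not the lesson's own code. Function names are hypothetical.

// Vulnerable: the raw nickname is spliced into the HTML, so any tags in it
// become markup that the browser will execute.
function greetUnsafe(string $nickname): string
{
    return "Greeting $nickname, nice to meet you!";
}

// Hardened: HTML metacharacters (< > & " ') are converted to entities, so the
// browser renders the nickname as literal text. ENT_QUOTES also encodes quotes,
// which matters when the value ends up inside an attribute.
function greetSafe(string $nickname): string
{
    $encoded = htmlspecialchars($nickname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Greeting $encoded, nice to meet you!";
}

// Defence in depth: a strict CSP allows scripts only from the page's own origin
// and refuses inline scripts, limiting the damage if an encoding step is missed.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'";
}

// Constructed sample inputs: a benign nickname and one carrying a script tag,
// the kind of content the lesson describes Eve storing on the page.
$samples = ['Alice', '<script>alert(1)</script>'];
foreach ($samples as $nick) {
    echo "unsafe: " . greetUnsafe($nick) . PHP_EOL;
    echo "safe:   " . greetSafe($nick) . PHP_EOL;
}

// In a real request handler the header must be sent before any output:
// header('Content-Security-Policy: ' . cspHeaderValue());
```

Run it from the command line to compare the two renderings; only the encoded version turns the script tag into inert text.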