XSS Web Application Vulnerability
XSS (short for Cross-Site Scripting) is a well-known vulnerability that affects many web applications. The risk behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, making a victim’s browser execute code supplied by the attacker while it loads the page.
Normally an XSS vulnerability requires some kind of interaction from the user to be triggered, either through social engineering or by waiting for someone to visit a specific page. That is why developers often do not take it seriously, but if it is left unpatched it can be very dangerous.
Let’s say you are on your WordPress wp-admin panel adding a new post. If you are using a plugin with a stored XSS vulnerability (explained below) that gets exploited, it can force your browser to create a new admin user while in the wp-admin panel, or it can edit a post and perform other similar actions.
An XSS vulnerability gives an attacker almost full control of the most important software we have on our desktops today: our browsers.
XSS: The Injection Vulnerability
Any website or application has several inputs. They range from form fields to the URL itself, and they become data to be handled by the underlying code. A simple example of this data is when we submit our name, username, password or any other input on a form:
The name will be stored in the website database for later use, for actions like personalizing our experience on the website. Think, for instance, of when you log into your favourite website and it greets you with your name: “Welcome, Adam!”
Each of these data points is considered an input, and they can be manipulated if the code behind them is not properly validating the inputs and sanitizing the outputs. When an input is specially crafted to contain a certain sequence of characters in order to make the server, or even the browser itself, respond in a way the attacker wants, it is called injection.
This particular type of injection is known as Cross-Site Scripting (XSS): a way to inject code that will perform actions in the browser on behalf of a website. The action can be visible and noticeable to the user, or it can run in the background without the user ever knowing.
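As an added example (not code from the original article), here is the “Welcome, Adam!” greeting from above rendered two ways in JavaScript: once by concatenating the stored name into the page, as a vulnerable plugin would, and once with the name HTML-encoded at output time. The function names and the constructed sample inputs are assumptions for the demonstration.

```javascript
// Added example: why output encoding is the fix for stored XSS.
// The stored name is trusted data to the database, but it is untrusted
// text to the browser, so it must be encoded when it is displayed.

// Minimal HTML entity encoder for the text and double-quoted attribute
// contexts. These five characters are the ones that can change how the
// browser parses the surrounding markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable: whatever the user typed into the signup form becomes markup
// when the greeting is displayed, for every visitor who sees it.
function renderGreetingUnsafe(name) {
  return `<p>Welcome, ${name}!</p>`;
}

// Hardened: the same stored value is encoded at output time, so the browser
// renders it as text regardless of which characters it contains.
function renderGreetingSafe(name) {
  return `<p>Welcome, ${escapeHtml(name)}!</p>`;
}

// Review helper: does the rendered HTML contain any tag other than the <p>
// wrapper the template itself wrote?
function containsInjectedTag(html) {
  return /<(?!\/?p>)[a-zA-Z]/.test(html);
}

// Constructed sample inputs (hypothetical): an ordinary name and a name that
// carries markup, the shape of input a stored XSS bug would echo back raw.
const SAMPLE_NAMES = {
  benign: 'Adam',
  hostile: 'Adam<script>alert(1)</script>',
};

// Side-by-side output for the reader.
for (const [label, name] of Object.entries(SAMPLE_NAMES)) {
  console.log(label, 'unsafe:', renderGreetingUnsafe(name));
  console.log(label, 'safe:  ', renderGreetingSafe(name));
}
```

The same idea applies in a PHP/WordPress context: the template must encode at the point of output, because sanitizing only on the way into the database leaves every other code path that reads the value exposed.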