---
title: "What is XSS?"
layout: post
---

I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it. In this first article I will explain what XSS is. In the next article I will explain how I found this attack.

## What is cross-site scripting (XSS)

Cross-site scripting, XSS for short, is a technique to execute arbitrary JavaScript code in the browser of a user visiting a website, for example by linking to JavaScript code stored on another server. So for example: I have a file on my website called [hacked.js](/assets/js/hacked.js). If I was able to run this JavaScript file on anybody visiting a certain website *that is not mine*, this would be called cross-site scripting. Click the above `hacked.js` link to view the code I use to "hack" this website. It's safe, I promise ;)

Now, how can we get this code to execute when a user visits this site? To explain, I will start with some of the underlying technologies.

### Escape Characters!

No, this is not a Sherlock Holmes novel! If we suppose that a website is built with sequences like these (called "tags"): `<p>` (for paragraph), `<b>` and `</b>` for bold,
then why can you *see* the left and right angle bracket characters?
Don't they mean something? Shouldn't they be telling the browser:
*"Hey! Make me bold!"?*
Why *doesn't* everything after me typing `<b>` turn bold?
The answer is:
There are special characters in HTML to type a visible left (<)
and visible right angle bracket (>) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed show up bold.
This is the code for the sentence I wrote above:

```html
There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.
```

Notice how all visible left angle brackets use an `&lt;` to show them?
These are called [escape characters](https://en.wikipedia.org/wiki/Escape_character).
They tell a system, in this case your web browser:
*"Hello! Please show me off! I don't want to be hidden."*
#### Sanitization
Most of the time XSS attacks are done through poorly sanitized HTML `<input>` elements.
Sanitization is when a program (usually on the server side)
removes characters like `<` and replaces them with the aforementioned "escape characters".
Internally this would be something like `&lt;`,
but it would show up to a user as `<`.
When inputs are not properly sanitized *and* the input is shown to the user in another part of the website,
then a malicious user can type in HTML that will run whenever anybody tries to look at what they typed.
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).
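To make the escape-character and sanitization ideas above concrete, here is a small added example (it is not code from the original post or from the quiz site it describes). It escapes the characters that HTML treats specially, then renders a constructed leaderboard row in two ways: once with the quiz name pasted in verbatim, and once with the name escaped first. The function names, the table layout and the sample name are all assumptions made for this illustration.

```javascript
// Added example (not from the original post): HTML escaping plus a safe vs.
// unsafe leaderboard renderer. All names and inputs here are constructed.

// The characters that must never reach HTML unescaped, with their entities.
// The entity for "<" is the "&lt;" the post mentions.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every special character with its entity. "&" is in the table so
// that a user who literally types "&lt;" is shown "&lt;", not "<".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "display" side from the post: a leaderboard row built from a quiz name.
// Unsafe version: the name is pasted into the HTML verbatim, so any tags the
// user typed become real tags when the browser parses the row.
function renderRowUnsafe(name, score) {
  return `<tr><td>${name}</td><td>${score}</td></tr>`;
}

// Safe version: the name is escaped first, so the browser shows the angle
// brackets as visible characters instead of interpreting them.
function renderRowSafe(name, score) {
  return `<tr><td>${escapeHtml(name)}</td><td>${Number(score)}</td></tr>`;
}

// Check used here to compare the two renderers: does the row contain any
// tag other than the <tr>/<td> tags the template itself wrote?
function containsUserTag(html) {
  const allowed = /^<\/?(tr|td)>$/;
  return (html.match(/<[^>]*>/g) || []).some((tag) => !allowed.test(tag));
}

// Constructed sample input: a player whose "name" is HTML, as in the post.
const SAMPLE_NAME = "<b>Bold Player</b>";

// Uncomment to see the two rows side by side:
// console.log(renderRowUnsafe(SAMPLE_NAME, 42));
// console.log(renderRowSafe(SAMPLE_NAME, 42));
```

The safe renderer is the sanitization step the post describes, applied at the moment the input is displayed rather than when it is stored; escaping on output is the usual recommendation because the same stored value may be shown in different contexts.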
HTML, by itself, is not very dangerous.
The worst thing you could do is probably put a link on your name,
and then point it to a porn site.
Make your name bold, italic. Maybe make the background a funny color.
Although this may annoy your victim, it is not dangerous security-wise.
There is one tag however, that *is* scary...
## `