tait.tech/_posts/2020-04-25-xss.md

---
title: "What is XSS?"
layout: post
---

I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.

In this first article I will explain what XSS is.

In the next article I will explain how I found this attack. 

## What is cross-site scripting (XSS)

Cross-site scripting, XSS for short,
is a technique to execute arbitrary Javascript code on a user visiting a website
by linking to Javascript code stored on another server.

So for example:

I have a file on my website called [hacked.js](/assets/js/hacked.js).
If I was able to run this javascript file on anybody visiting a certain website *that is not mine*, this would be called cross-site scripting.

Click the above `hacked.js` link to view the code I use to "hack" this website.
It's safe, I promise ;)

Now, how can we get this code to execute when a user visits this site?
To explain, I will start with some of the underlying technologies.

### Escape Characters!

No, this is not a Sherlock Holmes novel!

If we suppose that a website is built with sequences like these (called "tags"):
`<body>`, `<p>` (for paragraph), `<link>` and `<b>` for bold,
then why can you *see* the left and right angle bracket characters?
Don't they mean something? Shouldn't they be telling the browser:
*"Hey! Make me bold!"?*
Why *doesn't* everything after me typing `<b>` turn bold?

The answer is:

There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.

This is the code for the sentence I wrote above:
<pre class="terminal">
There are special characters in HTML to type a visible left (&amp;lt;)
and visible right angle bracket (&amp;gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed &lt;b&gt;show up bold&lt;/b&gt;.
</pre>

Notice how all visible left angle brackets use an `&lt;` to show them?

These are called [escape characters](https://en.wikipedia.org/wiki/Escape_character).
They tell a system, in this case your web browser:
*"Hello! Please show me off! I don't want to be hidden."*

#### Sanitization

Most of the time XSS attacks are done using poorly sanitized HTML `<input>` elements.

Sanitization is when a program (usually on the server side),
will remove characters like `<` and replace them with the aforementioned "escape characters".
Internally this would be something like `&lt;`,
but they would show up to a user as `<`.

When inputs are not properly sanitized *and* the input is shown to the user in another part of the website,
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).

HTML, by itself is not very dangerous.
The worst thing you could do is probably put a link on your name,
and then point it to a porn site.
Make your name bold, italic. Maybe make the background a funny color.
Although this may annoy your victim it is not dangerous security wise.

There is one tag however, that *is* scary...

## `<script>`

The `<script>` tag allows you to write code that can:

1. Change the page contents.
2. Redirect the user to a new page automatically.
3. Get a user's location.
4. Open a user's microphone/webcam.
5. With the `src` [attribute](https://www.w3schools.com/htmL/html_attributes.asp) you can also load a script from another site. (This is XSS)

Those last two will ask for permission from the user (if their browser isn't insanely insecure).

In my next article I'll talk about a website I found which is vulnerable to this attack.
And, show you how you can run your own XSS attack.