Cross-Site Scripting (XSS) is one of the most common vulnerabilities in, and attacks against, web applications. The goal of an XSS attack, from the attacker's point of view, is to execute arbitrary script code in the browser context of another user.
XSS is an indirect attack, so it requires the attacker to interact with another user of the application.
Affected Technologies: Generic Web Application
Variant 1: Reflected XSS
The most common XSS variant is reflected XSS. In this case, the script code is reflected by the application directly:
Variant 2: Stored XSS
Less common than reflected XSS, but much more critical, is stored (or persistent) XSS. Here, the code is not reflected directly (request → response) but stored in the database, so the attacker does not need to interact with the victim directly (e.g. by sending a crafted URL). Let's look at the following example:
Variant X: Self-Contained XSS
Threat Type: Indirect Attack
Cause: insufficient output encoding/escaping of user-controlled variables before they are written into an (HTML) response.
Worst Case Scenario(s):
Test all parameters with the following identifiers (not just those from HTML forms but also application parameters):
If you find an identifier reflected by the application unencoded in the HTML content, the application is most likely vulnerable.
You can also test with a harmless payload that opens an alert box, but this only works in very simple cases:
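As an added illustration (not the page's own code) of the cause described above and of the reflection check in the testing steps, here is a constructed search handler in Python: the vulnerable render writes the parameter into the response unencoded, the hardened one HTML-encodes it first, and a small scan sends a probe identifier through each parameter and reports which ones reflect it unencoded. The template, URLs, parameter names and the probe string are all assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed minimal "search" page, used only to illustrate the two render
# paths. Added example, not code from the original page.
PAGE_TEMPLATE = "<html><body><h1>Results for: {q}</h1><p>Page {page}</p></body></html>"

# Constructed probe identifier: it carries the characters whose encoding
# decides whether a reflection ends up as text or as markup (not a payload).
PROBE = "xssprobe<'\">&"


def _params(url: str) -> dict:
    """Return the first value of each query parameter of the URL."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render_vulnerable(url: str) -> str:
    """Reflect 'q' into the HTML response unencoded: the defect the page
    describes (insufficient output encoding of user-controlled input)."""
    p = _params(url)
    page = html.escape(p.get("page", "1"))  # 'page' is encoded, 'q' is not
    return PAGE_TEMPLATE.format(q=p.get("q", ""), page=page)


def render_hardened(url: str) -> str:
    """Same page with every reflected value HTML-encoded before it is written.
    html.escape turns < > & " ' into entities, so input renders as text."""
    p = _params(url)
    return PAGE_TEMPLATE.format(q=html.escape(p.get("q", "")),
                                page=html.escape(p.get("page", "1")))


def reflected_unencoded(response_html: str, probe: str) -> bool:
    """True when the probe survives verbatim, i.e. its special characters were
    written into the response as markup rather than as entities."""
    return probe in response_html


def scan_parameters(render, base_url: str, names: list, probe: str = PROBE) -> list:
    """Send the probe through each parameter in turn (one request each) and
    return the names whose value comes back unencoded: the page's check."""
    findings = []
    for name in names:
        url = f"{base_url}?{urlencode({name: probe})}"
        if reflected_unencoded(render(url), probe):
            findings.append(name)
    return findings
```

Against a real application the `render` callable would be replaced by an HTTP request, and the probe should be a unique identifier so that a hit can be attributed to the parameter that carried it.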