Cross-site Scripting (XSS) is ranked #3 in the OWASP Top 10. Anyone who digs into XSS and its mitigation soon discovers that understanding the different HTML contexts (element body, attribute value, URL, CSS, JavaScript) is the key to choosing the right encoding for each output. The toughest of these is the JavaScript context, because injected input lands directly in code the browser is about to execute, rather than in markup that first has to be parsed into something executable.

With the rise of JavaScript-heavy stacks this problem is only growing, and the number of paths by which malicious input can reach execution keeps increasing.

To talk about XSS in JavaScript (JS) we first need to recognise that, although JavaScript itself has a few design features that make XSS possible, the vast majority of issues arise from entry points that are not part of the language specification at all: the browser APIs (the DOM) that JavaScript calls into. To get things started, let us refresh ourselves on the types of XSS that appear in web applications.

Wikipedia defines XSS as:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.

There are three main types of XSS:

  • Stored XSS or Persistent XSS
  • Reflected XSS
  • DOM Based XSS

Stored XSS

Stored XSS happens when attacker-controlled input is saved on the target server (a database row, a comment, a profile field, a log entry) and later served back to users without being encoded for the context it is rendered in. Every user who views the stored data is affected, which is why it is also called persistent XSS.

Reflected XSS

Reflected XSS happens when user input (a search term, an error message, a URL parameter) is echoed straight back in the server's response without being validated or encoded for the context it lands in, so the browser renders the attacker's markup or script. The payload is not stored; it has to be delivered to each victim, typically in a crafted link.

DOM Based XSS

DOM-based XSS happens entirely in the client: JavaScript already running in the page reads attacker-influenced data from a source such as location.hash, location.search or document.referrer and hands it to a sink such as innerHTML, document.write or eval. Think of it as a dormant payload, sitting in a URL or in stored data, that only becomes active when the page's own script writes it into the DOM. Because the URL fragment is never sent to the server, server-side filtering never sees it.
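The source-to-sink flow described above, as an added example that is not part of the original post: a page that greets the user by a name taken from the URL fragment, written once with an HTML sink and once with a text sink. The element class is a stand-in for a real DOM node so the file runs under Node without a browser; the payload and the helper names are constructed for the illustration.

```javascript
// Added example (not from the original post): DOM-based XSS, where an
// untrusted "source" (location.hash) flows into an HTML "sink" (innerHTML)
// without ever touching the server, beside a hardened version.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal model of the two sinks: innerHTML parses its input as markup,
// textContent stores it as a text node, which serialises escaped when the
// element is read back through innerHTML. Stand-in for a real DOM node.
class FakeElement {
  constructor() { this.html = ""; }
  set innerHTML(markup) { this.html = markup; }
  get innerHTML() { return this.html; }
  set textContent(text) { this.html = escapeHtml(text); }
}

// Source: the URL fragment. It is never sent to the server, so server-side
// filtering cannot see it.
function nameFromHash(hash) {
  return decodeURIComponent(hash.startsWith("#") ? hash.slice(1) : hash);
}

// Vulnerable: string-concatenated markup assigned to an HTML sink.
function greetVulnerable(hash, el) {
  el.innerHTML = "<h1>Hello " + nameFromHash(hash) + "</h1>";
  return el.innerHTML;
}

// Hardened: same feature, but the untrusted value goes through a text sink,
// so angle brackets become character data rather than tags.
function greetSafe(hash, el) {
  el.textContent = "Hello " + nameFromHash(hash);
  return el.innerHTML;
}

// Rough reviewer's check over a rendered fragment: did anything other than
// the expected tag, or any on* event-handler attribute, survive?
function looksLikeMarkupInjection(rendered, allowedTags = ["h1"]) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(rendered)) !== null) {
    const [, name, attrs] = m;
    if (!allowedTags.includes(name.toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;
  }
  return false;
}

// Constructed payload: a broken image whose error handler runs script.
// Decodes to: <img src=x onerror=alert(document.cookie)>
const HASH_PAYLOAD = "#%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

console.log(greetVulnerable(HASH_PAYLOAD, new FakeElement()));
console.log(greetSafe(HASH_PAYLOAD, new FakeElement()));
```

The point of the check is that the fix is a change of sink, not a filter on the source: the same decoded string reaches both functions, and only the one that treats it as markup produces an executable element.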

Common XSS Attacks

Cross-site scripting is one of the most common attacks against today's web applications, and a single XSS flaw can be turned into several different attacks. For example:

  • Cookie theft and/or account hijacking. This happens when a malicious user exploits an XSS flaw to read the victim's session cookie or other session identifier and then uses it to impersonate that user. For more information read Stealing Cookie With XSS.
  • Keylogging. This happens when a malicious user exploits an XSS flaw to register a key-press handler on the targeted page and forward other users' keystrokes to a server they control. Read Getting Sassy With XSS Part I – Keystroke Logging for more information.
  • Phishing. This happens when a page is vulnerable to XSS and a malicious user crafts a URL to that page carrying a payload, then sends it to an unsuspecting user. When the victim opens the link, the payload runs in the context of the trusted site and hands the attacker the user's session information. More can be read in Phishing and Cross-Site Scripting.
  • Access browser history and clipboard contents
  • Control of the browser
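The cookie-theft item above is the one with a cheap server-side mitigation, so here is an added example (not from the original post, and not any framework's API) of what an injected script can and cannot read: a small Set-Cookie parser, a model of document.cookie, and an audit that flags session cookies missing the attributes that blunt this attack. The header strings and cookie names are constructed samples.

```javascript
// Added example (not from the original post): why cookie theft via XSS
// works and which Set-Cookie attributes reduce the damage. A cookie marked
// HttpOnly is never exposed through document.cookie, so an injected
// script that reads it gets nothing. Parser and audit are illustrative.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const a of attrs) {
    const [k, v] = a.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = (v || "").toLowerCase();
  }
  return cookie;
}

// Model of document.cookie as seen by script running in the page:
// HttpOnly cookies are omitted by the browser, everything else is readable.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit: session-looking cookies that an XSS payload could read, that would
// travel over plain HTTP, or that lack a SameSite restriction.
function auditSessionCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!/sess|token|auth/i.test(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.sameSite || c.sameSite === "none") findings.push(`${c.name}: SameSite not Lax or Strict`);
  }
  return findings;
}

// Constructed sample headers: a weak session cookie beside a hardened one,
// plus a harmless preference cookie that script may legitimately read.
const WEAK = "SESSIONID=abc123; Path=/";
const HARDENED = "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";
const THEME = "theme=dark; Path=/";

console.log("script sees (weak):    ", JSON.stringify(visibleToScript([WEAK, THEME])));
console.log("script sees (hardened):", JSON.stringify(visibleToScript([HARDENED, THEME])));
console.log(auditSessionCookies([WEAK]));
```

HttpOnly closes the exfiltration route, not the attack: an injected script can still issue requests from the victim's page, and the browser attaches the session cookie to them, so the account can be misused without the cookie ever leaving the browser. It is a damage limiter; the real fix is still output encoding for the context.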

Now focusing on JavaScript in particular, let’s look at attack vectors