Cross-site scripting (XSS)

Is the software written so that a cross-site scripting attack is not possible? Yes / No

A cross-site scripting attack lets an attacker perform actions on behalf of a user when that user views or clicks a malicious payload.

The usual cross-site scripting attack involves posting comments or files whose payload is HTML that the site does not escape properly. The attack may target site visitors or site administrators.

XSS can be avoided by using a proper software development framework that always escapes variables in template output and does not rely on developers to manually escape variables in page templates, JavaScript or JSON embedded in HTML.
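
The paragraph above names three output contexts (page templates, JavaScript and JSON embedded in HTML), and each needs its own escaping. The following is an added example, not code from the original page: the function names and the sample comment are hypothetical, and it sketches what an auto-escaping framework does for the developer.

```python
import html
import json

# Characters that are valid inside JSON but are still interpreted by the HTML
# parser (or by older JavaScript engines) when the JSON sits in a <script> block.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def escape_html(value):
    """Escape a value for HTML element content or a quoted attribute."""
    return html.escape(str(value), quote=True)


def json_for_script(data):
    """Serialize data for embedding inside a <script> element."""
    text = json.dumps(data, ensure_ascii=False)
    for char, replacement in _SCRIPT_UNSAFE.items():
        text = text.replace(char, replacement)
    return text


def render_comment(author, body):
    """Hypothetical template: every variable is escaped for its own context."""
    state = json_for_script({"author": author, "body": body})
    return (
        '<div class="comment" title="' + escape_html(author) + '">'
        + escape_html(body) + "</div>\n"
        + "<script>var comment = " + state + ";</script>"
    )


# Constructed sample input, as a visitor might submit it in a comment form.
SAMPLE_AUTHOR = 'Eve" onmouseover="x'
SAMPLE_BODY = "</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment(SAMPLE_AUTHOR, SAMPLE_BODY))
```

Plain `json.dumps` output would leave `</script>` intact, so HTML escaping alone does not cover the JSON embed.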

Special attention should be paid to file uploads: both the file content and the file name provide an attack channel. It is recommended that user-uploaded content always be served from a separate top-level domain (TLD).

Applies to: Everyone

Related incidents:

Links: