This document is purely for illustrative purposes. I am not responsible for any losses arising to the websites mentioned below. Webmasters, please be more alert...
What is it?
XSS stands for cross-site scripting. Since the abbreviation CSS is already taken by Cascading Style Sheets, it is written XSS, with the X standing for "cross". It is a kind of hacking that allows you to deface websites, log in as another user, etc.
Let us start by looking at how websites work. Starting with the simple ones: take this blog, for example. It consists of a series of pages connected by many links. That is just the simple case; now let us take a look at websites that are interactive. We are particularly interested in websites that allow us to post something that then appears on the site. The simplest example is google.com: when you search for something, it appears on their site. Or take the example of digg.com, reddit.com, etc., where you can submit information that is displayed on their site.
Most probably it wouldn't have worked, because either you tried it on some well-known site or you have to enter a little more code. Take the following example:
The following page has an XSS hole
But if you put
It didn't work. To understand why it didn't work, we have to look at the page's source.
This is how the rendered source (the source the server outputs, with your code included) looks. To find out whether your injection has worked, take the source and search for your injected script. In this case it was found here:
Our script did not work because it was encapsulated within a string. So to break out of it, we add extra code so that the new URL becomes:
Now our script is properly executed and can be seen
The portion highlighted in red is the injected code. As you can see, it works.
Another page with an XSS hole is
and the injected URL looks something like
This is the case for simple sites that are not well made. Well-made sites like Google, Yahoo and Hotmail take this issue seriously and have filters. Finding an XSS hole there is tough.
However, some weak filters can be bypassed using the techniques listed in the XSS Cheat Sheet.
Message to Webmasters (especially of PropMart.com)
This article was written for you. Please filter or encode user input on its way from the request into the response so that XSS is prevented. Strip all HTML tags wherever it is acceptable to do so. Anti-XSS libraries are available for use. For PHP users, the strip_tags() function is a great way to prevent XSS in most cases.
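As an added example (not code from the original post or from any site named in it), here is a Python mock of the search page discussed above: the verbatim reflection that produced the "script inside a string" case, the same page with per-context output encoding, and the post's own "search the rendered source for your input" check. The `strip_tags` helper is a constructed approximation of PHP's function, included to show that tag stripping alone does not cover input that lands inside a JavaScript string literal.

```python
import html
import json
import re

# Constructed payloads: the tag form from the post, and a quote-breakout for
# the "injection landed inside a string" case shown above.
HTML_PAYLOAD = "<script>alert(1)</script>"
JS_PAYLOAD = '"; alert(1); //'


def render_vulnerable(query: str) -> str:
    """Mock search page that reflects the query verbatim in two contexts:
    the HTML body and a JavaScript string literal. Both are injectable."""
    return (
        "<h1>Results for: " + query + "</h1>\n"
        '<script>var q = "' + query + '";</script>'
    )


def render_hardened(query: str) -> str:
    """Same page, with the query encoded for each context it lands in."""
    # HTML body: neutralise < > & and both quote characters.
    in_html = html.escape(query, quote=True)
    # JS string: json.dumps yields a quoted literal with " and \ escaped;
    # also encode < and > so the literal can never contain </script>.
    in_js = json.dumps(query).replace("<", "\\u003c").replace(">", "\\u003e")
    return (
        "<h1>Results for: " + in_html + "</h1>\n"
        "<script>var q = " + in_js + ";</script>"
    )


def strip_tags(s: str) -> str:
    """Rough stand-in for PHP's strip_tags() (an assumption, not PHP's code)."""
    return re.sub(r"<[^>]*>", "", s)


def reflected_verbatim(page: str, raw: str) -> bool:
    """The post's check: is the raw input present in the rendered source?
    This is only a substring heuristic; in the JS-string case the escaped
    quote \" still leaves the rest of the input visible, so also look at
    how the quote character itself was rendered."""
    return raw in page


if __name__ == "__main__":
    for payload in (HTML_PAYLOAD, JS_PAYLOAD):
        print("vulnerable reflects:", reflected_verbatim(render_vulnerable(payload), payload))
        print("strip_tags leaves:", repr(strip_tags(payload)))
        print(render_hardened(payload))
```

Note that `strip_tags` returns the quote-breakout input unchanged, which is why encoding for the actual output context (HTML body versus JavaScript string) is the reliable fix.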
More XSS holes ...
» 99acres.com : search for <script>alert(document.cookie);</script>
» Got another XSS hole? Lemme know....