What is Cross-Site Scripting?

In this blog, we will learn about cross-site scripting. Let’s start with what is cross-site scripting.

What is Cross-Site Scripting?

Cross-Site Scripting or XSS allows an attacker to destroy your existing project, or take advantage of it. XSS injection can be possible when there is a scope for the attacker to insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page. It could provide the attacker any confidential data, which might cause loss of valuable information.

What are the Types of XSS Attacks

There are following types of XSS attacks:

Stored XSS : If we provide a platform to an end user, through which we can save information provided by them to the database. It gives the attacker an aperture to cause harm to our system and sneak some valuable information, making us vulnerable.

Reflected XSS : The malicious information sent through URL parameter, are reflected XSS.

DOM-based XSS : It refer to making changes in DOM at the client side. The server side web page does not change but executes in the way that is not intended.

Impact of XSS

There are following impacts of XSS:

1) Arbitrary Requests : The hacker can use XSS to send request to get information from the user end.
2) Malware Download : Sometimes we get some spam mail, through which malware could be downloaded.
3) Log keystrokes : The attacker could identify key-strokes to get username and password to log in future.

Example

Let us visualize the concept of XSS in Salesforce through an example. Create a new visualforce page and write the following code:

<apex:page >
    <!-- XSSDemo -->
    <!-- 
        /**
         * Webkul Software.
         *
         * @category  Webkul
         * @author    Webkul
         * @copyright Copyright (c) 2010-2016 Webkul Software Private Limited (https://webkul.com)
         * @license   https://store.webkul.com/license.html
         */
     -->
  <div id='container'></div>
    <script>
      document.querySelector('#container').innerHTML='You searched for <b>{!$CurrentPage.parameters.param}</b>';
    </script>
</apex:page>

As you can notice current page parameter “param” is reflected in the page. Let us pass a string parameter ex-‘account’ through the url as following:

/apex/XSSDemo?param=account

We will get desired output:

Now let us pass an incorrect parameter as following:

/apex/XSSDemo?param=<script>alert(%27Hi!%27)</script>

We will get the distorted output:

Example shared above is concerned with Reflected XSS.

Support

That’s all for cross-site scripting, still, if you have any issue feel free to add a ticket and let us know your views to make it better https://webkul.uvdesk.com/en/customer/create-ticket/

 

. . .

Ask a Feature

Index