Page 70 - Hands-On Bug Hunting for Penetration Testers
4
Unsanitized Data – An XSS Case Study
Cross-Site Scripting (XSS) is a vulnerability caused by exceptions built into the browser's same-origin policy, which restricts how assets (images, style sheets, and JavaScript) are loaded from external sources.
Consistently appearing in the OWASP Top-10 survey of web-application vulnerabilities, XSS has the potential to be a very damaging, persistent exploit that affects large sections of the target site's user base. It can also be difficult to stamp out, especially in sites that have large attack surfaces, with many form inputs, logins, discussion threads, and so on, to secure.
This chapter will cover the browser mechanisms that create the opportunity for XSS, the different varieties of XSS (persistent, reflected, DOM-based, and so on), how to test for it, and a full example of an XSS vulnerability, from discovering the bug to submitting a report about it.
The following topics will be covered in this chapter:
Overview of XSS
Testing for XSS
An end-to-end example of XSS
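To make the chapter's theme of unsanitized data concrete, here is an added example (not code from the book) contrasting a page that reflects a query parameter verbatim with one that HTML-entity encodes it before output. The function names, the page fragments and the probe string are constructed for illustration; the check at the end only confirms whether a harmless marker survives as markup, which is the observation a defender needs to confirm a missing output-encoding step.

```python
import html

# Constructed probe: harmless markup that a browser would parse as an element
# if it reaches the page unencoded, but that does nothing on its own.
PROBE = '<b id="probe">x</b>'


def render_search_vulnerable(query: str) -> str:
    """Reflects user data into the HTML body with no output encoding (the defect)."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Same page, but the data is entity-encoded for an HTML text context."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_hardened(query: str) -> str:
    """Data placed inside a quoted attribute also needs quotes encoded (quote=True)."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def reflected_unencoded(response_body: str, probe: str = PROBE) -> bool:
    """True when the probe appears verbatim, i.e. its tags were not encoded away.

    This is the defender's regression check: run it against every response that
    echoes user input, and a True result means an encoding step is missing.
    """
    return probe in response_body


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened),
                         ("attribute", render_attr_hardened)):
        body = render(PROBE)
        print(f"{name:10} reflected unencoded: {reflected_unencoded(body)}")
        print("           ", body)
```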