chapter two

2 Cross-site scripting (XSS)


This chapter covers:

  • Understanding how Cross-site scripting (XSS) works;
  • Learning about different types of XSS;
  • Preventing XSS by escaping output;
  • Using Content Security Policy (CSP) against XSS;
  • Judging other browser features against XSS.

In 2014, the BBC reported[1] that clicking on certain links on eBay would redirect users to a phishing site: it looked similar to eBay, but of course wasn’t legitimate. The security researcher who found the vulnerability supposedly contacted the firm to no avail. An official inquiry by the BBC then sped things up, and the issue was resolved.

About ten years earlier, a security researcher managed to pull a similar stunt, redirecting eBay users to phishing sites where they were prompted for their credentials—and this happened live on German television! The firm obtained an injunction against one researcher who had announced he would demonstrate the exploit. However, the TV show had already contracted a second researcher who was not covered by the injunction.

2.1 Anatomy of a Cross-Site Scripting Attack

2.2 Preventing Cross-Site Scripting

2.2.1 Understanding the Same-Origin Policy

2.2.2 Escaping HTML

2.2.3 Escaping in a Different Context

2.3 Content Security Policy

2.3.1 Sample Application

2.3.2 How Content Security Policy Works

2.3.3 Refactoring Applications for Content Security Policy

2.3.4 Content Security Policy Best Practices

2.3.5 Content Security Policy 3 Features

2.4 More Browser Safeguards

2.5 Summary