The Non-Technical Explanation of Cross-Site Scripting (XSS)
Woah, don't jump to conclusions there! Yes. User input introduced challenges unforeseen in old-school static pages. Web developers were now forced to give up some control and accept data from untrusted sources. Hackers discovered how to take advantage of user input as a foot halfway into the door, only the door was left open intentionally for valid reasons.
Computers speak binary code, A.K.A ones, and zeros. However, coding applications in millions of ones and zeros is unrealistic. Fortunately for software developers, humans made this process much simpler by building language-like commands that are then transformed into those ones and zeros. This transformation is made possible by a piece of software called the compiler. The compiler turns programming keywords such as "new," "continue," or "this" into their respective bits of ones and zeros. These keywords, and many symbols, are given unique meanings by the compiler. Consequently, by the end-user entering keywords or symbols relevant to the compiler, programs can easily misinterpret seemingly valid input for extra commands.
Cross-Site Scripting (XSS for short) is a fancy word for injecting rogue web code into websites. Often times this rogue code is introduced through improperly sanitized input fields. When a programmer accepts input, they are supposed to ensure that none of these keywords or symbols make it past to be executed by the program. This process is known as input sanitization. So XSS only introduces security flaws for the website itself, right? Wrong.
XSS runs as a client-side script, a term in web development for scripts run by the client browser and not the server. XSS will typically only affect the end-user and can go largely undetected by the server. A successful XSS attack can implement keylogging technology, download malware onto a device, and even steal authentication data.
Want to learn more about XSS attacks and how they are exploited in modern web applications? Read more and learn how to create a Stored XSS attack with real-world examples here!