Security Testing 101 - Cross Site Scripting

Security Testing 101 - Cross Site Scripting


Cross Site Scripting is Number 3 in the OWASP Top 10, making it one of the more serious security vulnerabilities. It’s easy to exploit, very common, and can do a lot of damage to systems and businesses. It’s important to protect against it.

There are a lot of ways testers can help to mitigate XSS flaws. Exploring user inputs and forms for poor validation and encoding is a good place to start. If a user input is reflecting any input back to you, it is possible that the input isn’t being encoded. By simply submitting a JavaScript alert, e,g alert(‘hello world’); you can prove that it is vulnerable to attack.

Some user interfaces will filter out some types of XSS attacks, but not others, so it is worth trying different inputs, so to evade filters.

Resources and further learning: