Saturday, June 4, 2016

How the mean JavaScript is inserted

The only way for an attacker to run malicious JavaScript in a victim's browser is to get it inserted into one of the pages the victim downloads from the website. This can happen whenever the website includes user input directly in its pages, because the attacker can then submit a string that the victim's browser will treat as code rather than as text.
In the example below, a simple server-side script is used to display the latest comment on a website:
# Vulnerable server-side script (Python rendering of the page's pseudocode).
# database.latestComment stands for the most recent comment read from storage.
print("<html>")
print("Latest comment:")
print(database.latestComment)   # user input written straight into the page, unescaped
print("</html>")
The script assumes that a comment consists only of text. However, because the user input is included directly, an attacker could submit this comment: "<script>...</script>". Any user visiting the page would then receive the following response:
<html>
Latest comment:
<script>...</script>
</html>
When the user's browser loads the page, it executes whatever JavaScript is contained inside the <script> tags. The attacker's injection has succeeded.
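To make the point concrete, here is an added example (not code from the original post) that builds the page exactly as the vulnerable script above does, builds it again with the comment HTML-escaped, and then asks a real HTML parser how many script elements each version contains. The attacker comment and the "Nice post" comment are constructed sample inputs standing in for database.latestComment.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs standing in for database.latestComment.
ATTACKER_COMMENT = "<script>...</script>"   # the comment from the article
HARMLESS_COMMENT = "Nice post"


def render_vulnerable(latest_comment):
    """Reproduces the page's script: the comment is concatenated into the
    HTML unchanged, so markup in it becomes part of the page structure."""
    return "<html>\nLatest comment:\n" + latest_comment + "\n</html>"


def render_safe(latest_comment):
    """Same page, but the comment is HTML-escaped first, so '<' and '>' reach
    the browser as the entities '&lt;' and '&gt;' and are displayed, not parsed."""
    return "<html>\nLatest comment:\n" + html.escape(latest_comment, quote=True) + "\n</html>"


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags += 1


def count_script_tags(page):
    """Return how many script elements a parser finds in the rendered page."""
    parser = ScriptTagCounter()
    parser.feed(page)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("escaped", render_safe)):
        page = renderer(ATTACKER_COMMENT)
        print(f"--- {label} page ({count_script_tags(page)} script element(s)) ---")
        print(page)
```

Running it shows the vulnerable page carrying one executable script element while the escaped page carries none, even though both were built from the same stored comment; the fix is applied at the output point, where the data meets the HTML, not at the input point.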


What is XSS

XSS, short for "cross-site scripting", is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not target the victim directly. Instead, he exploits a vulnerability in a website that the victim visits, in order to get that website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a genuine part of the website, and the website has thus acted as an unwitting accomplice to the attacker.
