In this blog, we will learn about cross-site scripting. Let’s start with what cross-site scripting is.
What is Cross-Site Scripting?
Cross-Site Scripting (XSS) allows an attacker to deface your existing project or take advantage of it. XSS injection becomes possible wherever an attacker can insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page. It can hand the attacker confidential data, which may cause loss of valuable information.
What are the Types of XSS Attacks
XSS attacks fall into the following types:
Stored XSS : When we provide a platform through which information supplied by end users is saved to the database, the attacker has an opening to harm our system and sneak out valuable information, leaving us vulnerable.
Reflected XSS : Malicious input sent through a URL parameter and echoed back in the page is reflected XSS.
DOM-based XSS : This refers to changes made to the DOM on the client side. The server-side page does not change, but it executes in a way that was not intended.
Impact of XSS
XSS has the following impacts:
1) Arbitrary Requests : The attacker can use XSS to send requests from the user's browser and obtain information from the user's end.
2) Malware Download : Sometimes we receive spam mail through which malware could be downloaded.
3) Log keystrokes : The attacker could record keystrokes to capture the username and password and log in later.
Example
Let us visualize the concept of XSS in Salesforce through an example. Create a new Visualforce page and write the following code:
<apex:page>
    <!-- XSSDemo -->
    <!--
    /**
     * Webkul Software.
     *
     * @category  Webkul
     * @author    Webkul
     * @copyright Copyright (c) 2010-2016 Webkul Software Private Limited (https://webkul.com)
     * @license   https://store.webkul.com/license.html
     */
    -->
    <div id='container'></div>
    <script>
        document.querySelector('#container').innerHTML =
            'You searched for <b>{!$CurrentPage.parameters.param}</b>';
    </script>
</apex:page>
As you can notice, the current page parameter “param” is reflected in the page. Let us pass a string parameter, e.g. ‘account’, through the URL as follows:
/apex/XSSDemo?param=account
Now let us pass a script payload as the parameter, as follows:
/apex/XSSDemo?param=<script>alert(%27Hi!%27)</script>
The injected script executes and we get the distorted output:
The example shared above is a case of reflected XSS.
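To show where the page above goes wrong and how the same sink is hardened, here is an added example written for this post; it is not code from the original page or from Webkul. It rebuilds the `innerHTML` assignment as plain functions so the unsafe and safe variants can be compared outside a browser, using the post's own payload (URL-decoded) as constructed input. The `escapeHtml` and `looksLikeMarkupInjection` helpers are assumptions for illustration, not Salesforce or Visualforce functions.

```javascript
// Added example (not from the original post): the reflected-XSS sink from the
// Visualforce page, as plain string functions.

// The payload from the post, URL-decoded (constructed test input).
const PAYLOAD = "<script>alert('Hi!')</script>";

// Mirrors the original page: the parameter is concatenated straight into
// markup that is later assigned to innerHTML, so any tags in it are parsed.
function renderUnsafe(param) {
  return `You searched for <b>${param}</b>`;
}

// Encode the five characters that let text break out of an HTML text node
// or attribute value. Applying this before an HTML sink turns the payload
// into visible text instead of a script element.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened variant: the parameter is encoded before it reaches innerHTML.
function renderSafe(param) {
  return `You searched for <b>${escapeHtml(param)}</b>`;
}

// Detection helper (constructed heuristic, not a complete filter): flags a
// query-string value that still contains raw markup once URL-decoded, e.g.
// when scanning web-server logs for requests like the one in the post.
function looksLikeMarkupInjection(rawQueryValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQueryValue);
  } catch (e) {
    decoded = rawQueryValue; // malformed percent-encoding: inspect as-is
  }
  return /<\s*\/?\s*[a-z]/i.test(decoded);
}

// Runs both renderers on the post's payload and returns the results so a
// reader can compare them.
function demo() {
  return {
    unsafe: renderUnsafe(PAYLOAD),
    safe: renderSafe(PAYLOAD),
    flagged: looksLikeMarkupInjection("<script>alert(%27Hi!%27)</script>"),
  };
}
```

On the Visualforce side the equivalent fix is to encode the merge field before it lands in the script string, for example `{!JSINHTMLENCODE($CurrentPage.parameters.param)}` in place of the bare `{!$CurrentPage.parameters.param}`, or to avoid `innerHTML` altogether and set `textContent` on the element. Either way the value ‘account’ still renders normally, while the script payload is shown as literal text.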
Support
That’s all for cross-site scripting. Still, if you have any issue, feel free to add a ticket and let us know your views to make it better: https://webkul.uvdesk.com/en/customer/create-ticket/