Cross-site scripting (XSS)
Cross-site scripting (XSS), widely considered the most prevalent web application security flaw, lets an attacker execute scripts of their choosing (usually JavaScript) in the browsers of other users visiting the site. Typically, the server is tricked into serving the attacker's content alongside its own trusted content, so the injected script runs with the origin, cookies and session of the vulnerable site rather than the attacker's.
How does malicious code reach the server in the first place? The common ways external data enters a web application are:
- Form fields
- URLs
- Redirects
- External scripts such as ads or analytics
None of these can be avoided entirely. The real problem arises when outside data is used, in particular rendered into a page, without being validated, sanitized or escaped for the context it lands in (as shown in the following screenshot). Never trust outside data:
For example, let's look at a piece of vulnerable code and how an XSS attack can be performed against it. It is strongly advised not to use this code in any form:
```python
from django.views import View


class XSSDemoView(View):
    def get(self, request):
        # WARNING: This code is insecure and prone to XSS attacks
        ...
```
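The view above is cut short on this page, so here is an added example (not the book's code and not Django's own) that shows the same bug end to end in plain Python: a `name` parameter taken from the URL, one of the entry points listed above, is written straight into HTML, and the same input is rendered again through an escaping helper that works the way Django's `format_html()` and template autoescaping do. The URL, the payloads and the function names are constructed for the demonstration; nothing here needs Django installed, which is why `html.escape` stands in for `django.utils.html.escape`.

```python
# Added example, not the book's code. Reflected XSS from a URL query parameter:
# the vulnerable string-built response beside an escaped one.
# Uses only the standard library so it runs without Django; html.escape performs
# the same substitutions as django.utils.html.escape.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the link an attacker would send a victim. The
# hostname and parameter name are assumptions for the demo.
ATTACK_URL = (
    "https://example.test/greet?name="
    "%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

# Constructed payload for the attribute context: it does not need angle brackets
# at all, it just closes the value="..." quote and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def name_from_url(url: str) -> str:
    """Read the 'name' query parameter the way a view reads request.GET['name']."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def vulnerable_greeting(name: str) -> str:
    """Outside data interpolated straight into the HTML body: the classic XSS bug."""
    return "<h1>Hello, " + name + "!</h1>"


def vulnerable_input(name: str) -> str:
    """Same bug inside an attribute value: no '<' is needed to break out."""
    return '<input value="' + name + '">'


def safe_format(template: str, **values: str) -> str:
    """Escape every substituted value before inserting it into the trusted template.

    The template is written by the developer and trusted; the values are not.
    This is the approach Django's format_html() takes. quote=True also turns
    double and single quotes into entities, so the result is safe inside
    quoted attribute values as well as in element content.
    """
    escaped = {key: escape(value, quote=True) for key, value in values.items()}
    return template.format(**escaped)


def safe_greeting(name: str) -> str:
    """Body and attribute context rendered through the escaping helper."""
    return safe_format('<h1>Hello, {name}!</h1><input value="{name}">', name=name)


def contains_live_script(html: str) -> bool:
    """Demo check: does the output still contain a real <script> tag?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    injected = name_from_url(ATTACK_URL)
    print(vulnerable_greeting(injected))   # <script> executes in the victim's browser
    print(safe_greeting(injected))         # &lt;script&gt; is rendered as text
    print(vulnerable_input(ATTR_PAYLOAD))  # quote closed, onfocus handler injected
    print(safe_format('<input value="{v}">', v=ATTR_PAYLOAD))
```

Two things the example makes visible that the paragraph does not: the attribute payload contains no `<` or `>`, so a filter that only strips angle brackets would pass it, and the fix is not a filter at all but escaping at the point of output, chosen for the context (element body, quoted attribute) the data is rendered into. Django's templates do this automatically; the bug appears when a view bypasses them by building HTML by hand, as the `XSSDemoView` above is about to do.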