Type 2 Cross-site Scripting: An Attack Demonstration

Obi Orjih, oco1@cec.wustl.edu


Cross-site scripting is a widespread breed of web vulnerability that allows hackers to inject malicious code from their untrusted websites into the webpages that are being viewed by unknowing victims. This report provides a background on cross-site scripting in general, and then elaborates on the 3 known variants. We concentrate on the Type 2 vulnerability, where an attacker is allowed to store a malicious script on a trusted web server, thus endangering all future users of the web application. We demonstrate this attack using a contrived message board application in order to provide some perspective. Through an examination of the causes of the demonstrated vulnerability, we are able to better understand how this attack is used on the web, and also how to avoid such scenarios.

Keywords: Cross-site scripting, XSS, Type 2 XSS