What makes an input vulnerable to XSS?

Have the server output the input back to the client.


Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: <?= $_GET['xss'] ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that's also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by &lt;, &gt; and &quot; so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.


You should "inject" the script. So if you have a text-input, you should put in the form:

" /> <script>alert();</script>

This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.