Real World XSS

Author: David Zimmer <>
Article Downloads:

Section 1 - Introduction
          - Prerequisites 
          - About the Article Downloads
          - Impacts (Attack Scenario)
          - Impact Summary
Section 2 - Methods of Injection, and filtering
          - Injection Points
          - Injection methods and filtering
          - XSS scripting tips and tricks
Section 3 - Inside the mind, mental walk along of a XSS hack

Section 4 - Conclusion


By now I hope you all understand that Cross sight scripting is not as trivial a 'security' hole as it appears on the surface as all of the simple demos people post as examples.

Identifying Cross Sight Scripting is the easy part.

Foreseeing its possibilities and knowing how to use it to impact a user base is the hard part, and is the part that is not widely discussed.

With XSS so widely written about and so misunderstood alot of people have walked away with the false conclusion that it is an annoyance and not a threat.

The purpose of this paper is not to arm a hoard of script kiddies with a bunch of proven tricks, but is to try to instill a sense as its actual dangers and impacts with those who are in the position to do something about it.

As with all knowledge, it can be a double sided sword. As rfp's paper on Sql injection techniques brought out the dangers of Sql injection to the public I too hope that this paper may have a similar effect and raising awareness and helping people to limit their own (and their surfer populations) exposure.

You may not loose your server to XSS attacks, it may not DOS your network, but you may loose your users, and you may be the reason your clients lost their credit card numbers, fell victim to identity theft or had their accounts tampered with.

Like this paper? Want to read more?

Check out the site for more Web Application Security related papers and specialized Web App auditing tools.

Copyright David Zimmer 2002