XSS Exploits: Cross Site Scripting Exploits and Defense

Chapter 3: XSS Theory

Introduction

To fully understand cross-site scripting (XSS) attacks, you need to know several core theories and the types of techniques attackers use to get their code into your browser. This chapter provides a breakdown of the many types of XSS attacks and related code injection vectors, from the basic to the more complex. As this chapter illustrates, there is a lot more to XSS attacks than most people understand. Sure, injecting a script into a search field is a valid attack vector, but what if that value is passed through a filter? Is it possible to bypass the filter?

The fact of the matter is, XSS is a wide-open field that is constantly surprising the world with new and unique methods of exploitation and injection. However, there are some foundations that need to be fully understood by Web developers, security researchers, and those Information Technology (IT) professionals who are responsible for keeping the infrastructure together. This chapter covers the essential information that everyone in the field should know and understand so that XSS attacks can become a thing of the past.
