XSS - how the script injection happens

Time:05-27

I have read lots of articles about XSS attacks,
but one thing that confuses me is how the script injection actually works.

For example, if attackers enter something like <script>alert('Attack!')</script> as the input, why can it stay in the browser permanently so that every user visiting the website sees the alert?

From my understanding, after the attacker's input, a POST request will be sent with the payload <script>alert('Attack!')</script>. Meanwhile, the <header> tag or <script> should only be manipulated in the client-side source code / web server.

How can it work?

CodePudding user response:

The easiest way to understand the classic XSS mechanism: if there are no security measures, an attacker inputs the script into a comment section's textbox under an article and then sends it in. This way the script gets stored in the server's database. Every time someone visits that page with the comment section, the script will be loaded on the visitor's client side.

To remediate that, sanitize input, escape output and use Content-Security-Policy.

CodePudding user response:

There are several types of XSS vulnerabilities. I'll assume you are talking about persistent XSS, since that's the type related to your question.

In a persistent XSS vulnerability, you can POST a request which is then stored in the server-side backend of the application (i.e. a database).

For example, a table in a database storing the comments sections of an article.

When other clients of the application then request that page, the server responds with the related article HTML page including the comments section, where the attacker's payload exists. Then each client receiving that HTML page will also receive a comment with a malicious <script>payload</script> script.

From here, the client's browser automatically renders the HTML and executes <script> tags as legitimate JS code received from the server.
Since this code was injected by an attacker and runs in the clients' browsers, it can be harmful - stealing the client's cookies, session keys, etc. and sending them to a remote server.
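The mechanism both answers describe, as an added example that is not part of either answer: a minimal comment feature where the stored text is harmless in the database and only becomes a script when it is concatenated unescaped into the page. The in-memory `comments` array, the `render*`/`escapeHtml` functions and the CSP value are all assumptions made for this illustration, not code from any real site.

```javascript
// Added example (not from the original answers): a minimal comment feature
// showing why storing the raw input is harmless but echoing it unescaped is not.
// Node.js, no dependencies; the comment store is a constructed in-memory array.

const comments = []; // stands in for the server-side database table

// Step 1: the POST handler just stores the text. Storing "<script>" in a
// database does nothing by itself; the damage happens at render time.
function postComment(text) {
  comments.push(text);
}

// Step 2a (vulnerable): the page is built by concatenating stored text into
// HTML. The browser cannot tell the attacker's <script> from the site's own.
function renderUnsafe() {
  return comments.map((c) => `<li>${c}</li>`).join("\n");
}

// Step 2b (fixed): escape output for the HTML text context, so the stored
// characters are displayed literally instead of being parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

function renderSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("\n");
}

// Defence in depth: a CSP that only allows scripts from the site's own origin
// blocks inline <script> even if an escaping bug slips through somewhere.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'";

// Constructed sample input: a normal comment plus the payload from the question.
postComment("Nice article!");
postComment("<script>alert('Attack!')</script>");

console.log("Unsafe page:\n" + renderUnsafe());
console.log("\nSafe page:\n" + renderSafe());
console.log("\nHeader to send with the page:\n" + CSP_HEADER);
```

Run it with `node` and compare the two renderings: the unsafe one contains a real `<script>` element, the safe one shows the same characters as inert text.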
