Skip to content

An Introduction to JavaScript Forms That Is Also an Introduction to How to Perform XSS Attacks

I sometimes take time to visit XSSed.com to see if any high profile websites are, or had been, vulnerable to XSS attacks. I also look to see how long it takes websites to remove vulnerabilities to XSS attacks. High profile websites such as Google and Facebook tend to have these vulnerabilities removed within short periods of time. Websites that are not as well-known tend to be left vulnerable to XSS attacks, as you can see if you view this archive of XSS vulnerabilities. One reason this is the case is that these websites would not be targeted by XSS attacks as often. There is less incentive for individuals to target relatively low profile sites. In fact, these sites that are less likely to be targeted can be vulnerable to some of the most simple XSS attacks.

After recently checking which sites were listed as having XSS vulnerabilities, I noticed a site listed there that is vulnerable to the most simple XSS attacks. The site, titled JavaScript-Coder.com, contains JavaScript tutorials, and includes the implementations of the JavaScript example code in it. And the implementation of one of these examples contains an XSS vulnerability. The example was designed to be very basic, and so it would be expected that no methods for preventing XSS attacks would be included in the implementation of it. It is an implementation of code for submitting data through a form, and it simply displays what was submitted through that form. Therefore, if any code is submitted through the form, that code would be added to the page that appears after the form data is submitted. This vulnerability posted to XSSed.com can give a basic idea of how XSS attacks work, as it demonstrates only code injection, with no filter evasion techniques.

As of the time that this post was published, nothing has been done to correct this vulnerability. This may not be because whoever wrote the PHP code that works with data submitted through the form was not informed of this. This was likely because it is not as important for there to be XSS prevention measures to be taken with this site as there would be with other sites. For example, theft of cookies or authentication credentials is not an issue with this site. In any case, this page provides an example of how to perform an XSS attack by simply making a page display any data submitted by a user.