hinter-man/xss-attack

web application to show a simple xss attack

HTML

XSS attack demo app

Unsafe Twitter-like website to show XSS attacks

insipred by TweetDeck XSS Tweet

Example attack

"likes" the first entry on every page reload

<script>$('a')[0].click();</script>Attack

Mitigation

Client side validation

items.handlebars

Raw Input (XSS)
- <p class="m-0">{{{ this.Text }}}</p>
Escaped:
- <p class="m-0">{{ this.Text }}</p>

Server side

server.js

escape input tweet text
- let tweet = escape(req.body.tweet);