
So I've been trying to program a website with a user/password form from scratch.

<html>
      <head>
            <title>Password Generator</title>
      </head>
      <body>         
            <h1>Password Generator</h1>
            <h3> Let's start: </h3><h3>

            <form action="pwd.php" method="GET">
            <table style="width:100px">
                  <tbody>
                         <tr>
                              <td>
                                   <b>Name:</b>
                              </td>
                              <td> 
                                   <input name="name" value="Name" type="text"> 
                              </td>
                         </tr>
                         <tr>
                              <td>
                                   <b>Size:  </b>
                              </td>
                              <td>
                                   <input min="10" max="1000" name="strength" type="range">
                              </td>
                         </tr>
                  </tbody>
            </table>
            <table style="width:100%">
                   <tbody>
                           <tr>
                               <td></td>
                               <td>
                                   <input name="gen" value="Generate" type="submit">
                               </td>
                           </tr>
                    </tbody>
             </table>
        </form>
        <img src="pwd.php?name=strength">
        </h3>
     </body>
</html>

Now I tested my website for XSS vulnerability and found out that I can insert JS using the forms, for example: <input name="name" value="Name" onclick="alert('XSS');" type="submit"> I just need to change the HTML a little bit using the Mozilla Inspector and I can execute JS remotely on my website.

I read I can use JS to prevent this but I don't understand how it works. I mean I can modify JS using the Inspector so how would that work?

Hopefully someone can explain that to me!

Kind regards
Raavgo

  • `change the HTML a little bit using the Mozilla Inspector and I can execute JS remotely on my website` - no, you are executing it on your computer. Please see [How does XSS work?](http://stackoverflow.com/q/239194/11683) – GSerg Aug 11 '16 at 16:31
  • XSS vulnerabilities are caused by custom user data permitting executing arbitrary JS code on other clients accessing the site. There doesn't appear to be any code in your HTML that would permit this. I think you have misunderstood what XSS entails. – Patrick Bell Aug 11 '16 at 16:32
  • How does adding markup in the inspector add XSS? That is not how XSS works. – epascarello Aug 11 '16 at 16:33
  • so I can't download the pwd.php as plain text using JS? – Raavgo Aug 11 '16 at 16:35
  • @GSerg I just read the article and found this: In Simple English XSS is when you insert scripts (meaning JavaScript code) into webpages, so that the browser executes the code. This is malicious, because it can be used to steal cookies, and any other data on the page. For example: The HTML of a search box: Now if you insert " onmouseover="alert(1), the final HTML would be When the mouse is passed over the search box, the "alert" will be executed. I think this is the case or am I wrong? – Raavgo Aug 11 '16 at 16:39
  • 1
    yes, but XSS is not executed by using the inspector, it is when there is a flaw in your page where I can inject code into the page and have it displayed. Basically the serverside page will take the input provided and spits it right back out onto the page. – epascarello Aug 11 '16 at 16:41
  • But I can execute JS code, so I can steal the cookie for session hijacking, I can download the .php as plain text, I can upload files to the server! How can that not be XSS? I read the OWASP XSS Cheat Sheet and there changing the form attribute is a kind of XSS attack. – Raavgo Aug 11 '16 at 17:53
  • How do you go from "I can steal the cookie" to "I can download the .php as plain text I can upload files to the server"? Even if you are able to "steal the cookie" (which you are not, you are reading a cookie *assigned to you*, whereas stealing would be reading *someone else's* cookie), how does that make you able to download and/or upload php files? And if you are able to download/upload php files, why are you bothering with cookies when you can own the server directly? – GSerg Aug 11 '16 at 21:05

1 Answer

You cannot be vulnerable to XSS if you have only a static HTML/CSS page. XSS appears when there is a preprocessor (like PHP) involved.

If your page stays as it is, you don't need to worry.

But if, for example, you are using PHP and you want to show the submitted values, you would need to modify your page like this:

<input name="name" type="text" value="<?php echo $_GET['name']?>" />

This is vulnerable to XSS attacks! Do not ever use it in your code!

One of the solutions is to have:

<input name="name" type="text" value="<?php echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8')?>" />

from here.

Alecs
  • Very important to mention that the use of double quotes (`"`) is critical here. `htmlspecialchars` will NOT escape single quotes (`'`) unless [you tell it to](https://www.php.net/manual/en/function.htmlspecialchars.php#:~:text=but%20only%20when%20ENT_QUOTES%20is%20set). – Ege F Jun 28 '21 at 02:07
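Added example (not from the question, the answer, or any of the commenters): the answer's two PHP templates and the comment's single-quote caveat, ported to a small Node.js script so the attribute breakout and the fix can be checked offline. The function names (`htmlspecialchars`, `renderVulnerable`, `renderSafe`, `renderSingleQuoted`, `parseAttributes`, `demo`) and the two payload strings are this example's own; the `" onmouseover="alert(1)` payload is the one quoted from the linked Stack Overflow answer in the comments above, and its single-quote twin is constructed here.

```javascript
// Minimal port of PHP htmlspecialchars(). quoteSingle=false mirrors the
// pre-8.1 default flags the last comment warns about (single quote left alone);
// quoteSingle=true mirrors ENT_QUOTES. Ampersand is replaced first so the
// entities produced by later replacements are not double-encoded.
function htmlspecialchars(s, quoteSingle) {
  let out = String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  if (quoteSingle) out = out.replace(/'/g, '&#039;');
  return out;
}

// Reverse of the above (ampersand last), used to show that the escaped value
// still round-trips to exactly what the user typed: escaping loses nothing.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// The answer's vulnerable template: raw $_GET['name'] inside a double-quoted value.
function renderVulnerable(name) {
  return `<input name="name" type="text" value="${name}" />`;
}

// The answer's fixed template: htmlspecialchars(..., ENT_QUOTES, 'UTF-8').
function renderSafe(name) {
  return `<input name="name" type="text" value="${htmlspecialchars(name, true)}" />`;
}

// Same template with a single-quoted attribute, to show why ENT_QUOTES matters.
function renderSingleQuoted(name, quoteSingle) {
  return `<input name="name" type="text" value='${htmlspecialchars(name, quoteSingle)}' />`;
}

// Tiny attribute tokenizer for one start tag (double-, single- and unquoted
// values). Deliberately simple, not a real HTML parser; it is enough to show
// which attributes a browser would end up seeing on the element.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s\/>]*/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Constructed payloads: each closes the value attribute and appends an
// event-handler attribute, i.e. the reflected-XSS breakout the comments describe.
const PAYLOAD_DQ = '" onmouseover="alert(1)';
const PAYLOAD_SQ = "' onmouseover='alert(1)";

// Renders each template with its matching payload and reports, per case,
// whether an onmouseover attribute escaped from the value.
function demo() {
  const results = {
    vulnerable: parseAttributes(renderVulnerable(PAYLOAD_DQ)),
    safe: parseAttributes(renderSafe(PAYLOAD_DQ)),
    singleNoEntQuotes: parseAttributes(renderSingleQuoted(PAYLOAD_SQ, false)),
    singleEntQuotes: parseAttributes(renderSingleQuoted(PAYLOAD_SQ, true)),
  };
  for (const [label, attrs] of Object.entries(results)) {
    console.log(label, 'onmouseover' in attrs ? 'BREAKOUT' : 'contained', attrs);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Run with `node` and the `vulnerable` and `singleNoEntQuotes` cases print `BREAKOUT` with an `onmouseover` attribute, while the two escaped cases keep the whole payload inside `value`. The single-quoted case is the one the last comment is about: without ENT_QUOTES the `'` survives and the attribute is closed early, so the quoting style of the template and the flags passed to `htmlspecialchars` have to agree. (PHP 8.1 changed the default flags to include ENT_QUOTES, but passing it explicitly, as the answer does, works on every version.)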