Cross-site scripting (XSS)

Cross-site scripting (XSS) is a vulnerability found in web applications. XSS allows attackers to inject scripts into the website. These scripts can be used to manipulate the web server or the clients connecting to it.

Cross-site scripting has accounted for a large majority of popular web-based attacks. Many times when customers ask my team to examine compromised web servers that have had data stolen, the compromise has been a result of cross-site scripting. Cross-site scripting attacks have resulted in attackers defacing websites, distributing malware to clients, and stealing sensitive information from websites, such as credit card and other personally identifiable information.

One way to check for cross-site scripting vulnerabilities is to test whether an input field, such as a search box, is vulnerable. A simple search string that could be used to test an input field on a website is as follows:

CHAOS<script>alert('www.DrChaos.com')</script>

You could use the previous script to test any website; however, we don't recommend inputting the string on every website you come across, as it could alert targets to your malicious intentions. If you choose to use a similar script for testing cross-site scripting, make sure to use a website other than www.DrChaos.com in the script.
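What the search-box test distinguishes, shown from the application side as an added example (not code from the book): a handler that reflects the search term unchanged next to one that HTML-encodes it, plus a check that classifies the response. The function names, page markup and the `example.test` host in the probe are constructed assumptions.

```javascript
// Added example; every name below is hypothetical, not from the book.
// Probe modelled on the string in the text, with a constructed host name.
const PROBE = "CHAOS<script>alert('example.test')</script>";

// Vulnerable: the search term is concatenated into the HTML unchanged,
// so any markup in it becomes part of the page.
function renderSearchVulnerable(term) {
  return `<h1>Search</h1><p>No results for ${term}</p>`;
}

// Encode the characters that are significant in element content and in
// quoted attribute values. One pass, so "&" is never double-encoded.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but the term is encoded at the point of output.
function renderSearchHardened(term) {
  return `<h1>Search</h1><p>No results for ${escapeHtml(term)}</p>`;
}

// Classify how a response body treats the probe:
//   "raw"     - marker and opening tag come back as markup (vulnerable)
//   "encoded" - they come back HTML-encoded (shown to the user as text)
//   "absent"  - neither form found; inconclusive, the input may have been
//               filtered or reflected in a different context
function classifyReflection(body, probe) {
  const end = probe.indexOf(">");
  // Compare only up to the first ">" so that differing apostrophe
  // encodings (&#39; vs &#x27;) do not affect the result.
  const head = end === -1 ? probe : probe.slice(0, end + 1);
  if (body.includes(head)) return "raw";
  if (body.includes(escapeHtml(head))) return "encoded";
  return "absent";
}

console.log("vulnerable handler:", classifyReflection(renderSearchVulnerable(PROBE), PROBE));
console.log("hardened handler:  ", classifyReflection(renderSearchHardened(PROBE), PROBE));
```

The encoder covers HTML element content and quoted attributes only; a value placed inside a script block, a URL or a style attribute needs the encoding for that context.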
