
Ask HN: What's the current state of XSS attacks? - gorpomon
I am reading "The Web Application Hacker's Handbook" and specifically the chapter on Cross Site Scripting attacks. The information seems slightly out of date, and most browsers seem to now protect against the attacks they're describing. What are the current avenues of exploits used for XSS attacks in 2016? Are the new client side frameworks like React and Angular largely immune to XSS? Are more mature server side frameworks like Rails largely immune? Are there any up to date resources on XSS attacks?
======
Llevel
This post didn't gain much traction, but XSS attacks are still pretty popular
and Google awards up to $7500 for XSS attacks[1]. React and Angular may help
prevent XSS attacks, and while I don't know specifics, they likely do have
some ingrained tools to prevent it occurring. I wouldn't be surprised if an XSS
exploit could find a way around client-side sanitization though. In a perfect
world, all strings coming from your server would be pre-escaped.

Rails is 'immune' in the sense that it doesn't let you directly drop HTML onto
pages from strings without escaping it first, and if you would like to do so,
you have to explicitly mark the string as safe[2]. This isn't to say that XSS
is no longer an issue though, Rails and other frameworks help prevent these
occurrences in many cases in simple applications, but larger scale
applications have a lot more code and a lot more ways to punch holes in that
protection. In fact, using Express with Node.js doesn't sanitize your
strings by default (as far as my quick research has shown), which leaves a
potential attack vector.

While XSS is a very well known vector, XSS attacks are not uncommon in non-
boilerplate web applications. Fortunately sanitization is easy and bugs can
often be fixed quickly.

Browsers can prevent some methods of XSS, such as by preventing loading JS
from a remote untrusted source. If you find a way to drop JS directly onto a
page that the browser can't catch (such as the entire JS source being
delivered by the server), there's still vulnerability.

OWASP tends to be the place to go to learn about web security[3]. They have
lots of examples of potential exploits.

[1] [https://www.google.ca/about/appsecurity/reward-program/](https://www.google.ca/about/appsecurity/reward-program/)
[2] [http://stackoverflow.com/a/3932440](http://stackoverflow.com/a/3932440)
[3] [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\))

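The comment above contrasts Rails (escapes by default, explicit "mark as safe") with plain string building in Express/Node.js, and notes that larger applications find more ways to punch holes in that protection. The following is an added example, not code from the thread, from Rails or from Express: plain Node.js with template strings standing in for a server-side view, so it runs offline. It shows the unescaped rendering, the HTML-escaped rendering, and one of the holes that HTML escaping alone does not close: a user-supplied URL in an `href`, where `javascript:` contains none of the escaped characters and the fix is a scheme allowlist instead. The payloads are constructed for the demo; the requirement that links be absolute `http(s)` URLs is an assumption of this example.

```javascript
// Added example (not from the thread, Rails or Express): escape-by-default
// versus raw string building, and why the output context matters.

// Encode the five characters that can break out of an HTML text node or a
// double-quoted attribute value. This is the kind of encoding Rails' ERB
// applies by default and that raw string concatenation in Express does not.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input is dropped straight into the page.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Fixed: the input is encoded for the HTML text context.
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// A different output context: a user-supplied URL inside href="...".
// escapeHtml() is useless against "javascript:alert(1)", so the value is
// parsed and only http/https schemes are allowed (assumption: relative URLs
// are not accepted). Using the WHATWG URL parser rather than a regex means
// case, leading whitespace and embedded tabs/newlines are normalised before
// the scheme is checked. Anything else degrades to a harmless "#".
function safeUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return '#';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? parsed.href
    : '#';
}

// Both contexts handled: scheme allowlist for the href value, then HTML
// attribute encoding on top; HTML text encoding for the link label.
function renderLinkSafe(url, label) {
  return `<a href="${escapeHtml(safeUrl(url))}">${escapeHtml(label)}</a>`;
}

// Constructed payloads for the demonstration.
const PAYLOAD_TAG = '<img src=x onerror=alert(1)>';
const PAYLOAD_URL = 'javascript:alert(1)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderGreetingUnsafe(PAYLOAD_TAG)); // onerror handler would run
  console.log(renderGreetingSafe(PAYLOAD_TAG));   // rendered as literal text
  console.log(renderLinkSafe(PAYLOAD_URL, 'click')); // href="#"
  console.log(renderLinkSafe('https://example.com/a?b=1', 'ok'));
}

module.exports = { escapeHtml, renderGreetingUnsafe, renderGreetingSafe, safeUrl, renderLinkSafe, PAYLOAD_TAG, PAYLOAD_URL };
```

The point of the second half is the one the comment makes about larger applications: a view that is correctly escaped for HTML text still needs a different rule for every other place user data lands (URL schemes, JavaScript string literals, CSS), and each template that forgets one is a hole in the framework's default protection.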
------
alltakendamned
You might want to check out [http://www.html5sec.org](http://www.html5sec.org)
for an overview of more up to date vectors.

