Cross site scripting attacks and same origin policy

Methos · Aug 10, 2011 · Viewed 15.4k times · Source

I am familiar with the persistent and non-persistent XSS. I also know about Same origin policy that prevents/restricts requests originating from one website's page to go to another website's servers. This made me think that the same origin policy can stop at least the non-persistent type of XSS attacks (Because in the persistent type of attack the malicious code origin would be same as the private information that is stolen). Is my understanding correct? Can SOP be used to stop/reduce these attacks?

EDIT: Okay, I was confused between invoking methods between 2 scripts at the browser side and invoking methods such as HTTP POST on another website. Thank you for the answer jakber.

Now I have another question: wouldn't SOP be able to prevent Cross-site request forgery? The example given in the Wikipedia article talks about Bob accessing a malicious image tag created by Mallory on the chat forum. However, as per the SOP rule, the malicious script should not be able to access the bank's cookie. Am I missing something here?

Answer

jakber · Aug 10, 2011

Typically no.

A non-persistent or reflected XSS attack exploits input that is echoed back as page content without proper sanitization, without persisting it. The injected script will seem to come from the exploited domain in both cases.

For example, if you do this in PHP: echo $_GET['param'] and send a link to the page to somebody containing ?param=<script>alert('got you!');</script>, it is a non-persistent XSS attack, and same-origin policy has nothing to do with it.

Same-origin means that you cannot directly inject scripts or modify the DOM on other domains: that's why you need to find an XSS vulnerability to begin with.
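The reflected-XSS case from the answer, as an added example that is not part of the original question or answer: a Node.js equivalent of the PHP one-liner echo $_GET['param'], beside a hardened version that HTML-escapes the reflected value. The page template, the example.com URL and the function names are constructed for illustration; the payload is the one from the answer. Because the vulnerable handler builds the page itself, the injected script is served from the vulnerable site's own origin, which is why same-origin policy does not enter into it.

```javascript
// Added example, not code from the original page. Demonstrates reflected XSS
// in a request handler and the escaping that prevents it. Node's global URL
// class does the query-string parsing; nothing here needs a network.

// The crafted link from the answer. Browsers and URL parsers decode the
// percent-encoding, so the handler sees the raw <script> tag.
const CRAFTED_LINK =
  "https://example.com/page?param=" +
  encodeURIComponent("<script>alert('got you!');</script>");

// Vulnerable handler: the query parameter is interpolated into the HTML
// untouched, which is exactly what `echo $_GET['param']` does in PHP.
function renderVulnerable(requestUrl) {
  const param = new URL(requestUrl).searchParams.get("param") || "";
  return `<html><body><p>You searched for: ${param}</p></body></html>`;
}

// HTML-escape the five characters that change meaning in text content and
// quoted attribute values. An auto-escaping template engine does the same
// thing; this spells the transformation out so it can be read and tested.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened handler: same page, but the reflected value is escaped before it
// is placed into the markup, so the browser renders it as literal text.
function renderSafe(requestUrl) {
  const param = new URL(requestUrl).searchParams.get("param") || "";
  return `<html><body><p>You searched for: ${escapeHtml(param)}</p></body></html>`;
}

// Crude response check: does an unescaped <script> tag appear in a body
// that was only supposed to contain text? Useful in a unit test for a view.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:", renderVulnerable(CRAFTED_LINK));
console.log("hardened:  ", renderSafe(CRAFTED_LINK));
```

The escaping shown is correct only for HTML text content and quoted attribute values; a value reflected into a JavaScript string, a URL, or a CSS rule needs the escaping rules of that context instead.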