Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users; the injected script runs with the site's own origin, so it can read the site's cookies, session storage and DOM.
In a typical attack the attacker sends the victim a link that carries an injected script. When the victim opens the link, the browser loads the site and also executes the injected script, which reads the user's data from session storage or cookies and then sends it to the attacker with an HTTP request.
Here is an image that simplifies the process:
The simplest kind of XSS attack is stored (persistent) XSS: the script is saved in the database and served every time a page is loaded.
For example, in a blog's comment section the attacker submits the script as a comment; it is then rendered for every visitor each time the page loads and does its job.
This kind, DOM-based XSS, is somewhat tricky, and it is the one I like most.
It mostly happens through the URL, typically the fragment (the part after #), which the browser never sends to the server.
To avoid this type of XSS, use textContent (or innerText) instead of innerHTML. If you do need innerHTML to add dynamic HTML to the page, sanitize the value before inserting it. Filtering on the backend is not enough on its own here, because a payload placed in the URL fragment never reaches the server.
The page http://www.example.com/userdashboard.html?context=Mary is a dashboard customized for Mary. It contains the string Main Dashboard for Mary at the top; a script on the page reads the context value from the URL and writes it into the page.
Here is how a DOM-based XSS attack can be performed for this web application:
The attacker embeds a malicious script in the URL: http://www.example.com/userdashboard.html#context=SomeFunction(somevariable).
The victim’s browser receives this URL, sends an HTTP request to http://www.example.com, and receives the static HTML page.
The browser starts building the DOM of the page and populates the document.URL property with the URL from the first step. The browser then parses the HTML page, reaches the script, and runs it, extracting the malicious content from the document.URL property.
The browser updates the raw HTML body of the page to contain: Main Dashboard for
<script> SomeFunction(somevariable) </script>
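The sequence above, as an added example that is not part of the original post: the dashboard page's script is modelled as plain functions so that the vulnerable innerHTML sink and the safe textContent sink can be compared outside a browser. The URL and the context parameter are the ones from the text; the element id "dashboard-title", the helper names and the img/onerror payload are assumptions for illustration.

```javascript
// Added example, not from the original post. The dashboard script is modelled
// as plain functions; the element id "dashboard-title" and the helper names
// are assumptions for illustration.

// Pull the "context" value out of the query string or, failing that, the
// fragment. The fragment (#...) is never sent to the server, so a payload
// placed there is invisible to server-side filtering: that is what makes
// this variant DOM-based.
function extractContext(url) {
  const u = new URL(url);
  const fromQuery = u.searchParams.get("context");
  if (fromQuery !== null) return fromQuery;
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  return fragment.get("context") ?? "";
}

// Vulnerable: the untrusted value is concatenated straight into markup that
// the page then assigns to innerHTML, so any tags in it become part of the DOM.
function renderDashboardUnsafe(url) {
  return "Main Dashboard for " + extractContext(url);
}

// Minimal HTML entity encoding for the text-node context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe if innerHTML really is needed: the value is encoded before it reaches
// the HTML sink, so the browser shows the payload as literal text.
function renderDashboardSafe(url) {
  return "Main Dashboard for " + escapeHtml(extractContext(url));
}

// Preferred: write to a text sink. textContent never parses its argument as
// markup, so no encoding step can be forgotten.
function mountDashboard(url, el) {
  el.textContent = "Main Dashboard for " + extractContext(url);
}

// Only runs inside a browser; the element id is an assumption.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  const heading = document.getElementById("dashboard-title");
  if (heading) mountDashboard(location.href, heading);
}
```

One caveat on the page's `<script>` payload: browsers do not execute a script element that is inserted through innerHTML, so a real attacker uses a tag with an event handler instead, such as `<img src=x onerror=...>`; the vulnerable function above is exactly as dangerous with that payload.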
Reflected XSS is the most common form of cross-site scripting.
Reflected XSS is not a persistent attack, so the attacker needs to deliver the link to each victim. These links are often spread through social networks.
In this case, the attacker's payload has to be part of the request that is sent to the web server. The server then reflects it back in such a way that the HTTP response includes the payload (the script) from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making that request to the server. The reflected XSS payload is then executed in the user's browser.
The easiest defence is to validate inputs, encode output for the context it is rendered in, and run an XSS scanner.
An automated web security scanner checks your site for vulnerabilities. ... A website that is vulnerable to cross-site scripting (XSS) will let an attacker inject browser-side scripts into web pages viewed by other users.