What is Cross-Site Scripting (XSS)?

1. What is Cross Site Scripting?

Cross-Site Scripting (XSS) is a web application vulnerability that arises when data is output to the page without proper handling, allowing an attacker to construct malicious data that is then displayed in the page. Because cross-site scripting attacks work by writing malicious script or HTML code into the page content, the vulnerability is also known as an HTML injection vulnerability.

Unlike SQL injection, which attacks the database server, a cross-site scripting attack is carried out on the client side: the malicious code injected through a cross-site scripting vulnerability runs in the browser on the user’s computer.

2. Types of Cross Site Scripting

* Reflected XSS

The injected code is not stored on the web server, so only users who visit the vulnerable page are affected.

* Stored XSS

This type is the most widely used and may affect the security of the web server itself. The attacker uploads the attack script to the web server, so every user who accesses the page, including the web server administrator, faces possible information leakage.

* DOM-XSS

A DOM-based XSS attack is one wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner.

XSS Attack Vector

XSS vulnerability found —> construct exploit code —> trick the user into clicking —> get all the cookies and other information

XSS attack protection

  • code audit
  • encode input/output
  • use WAF
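
The "encode input/output" item above, as an added example that is not part of the original page: a page fragment that concatenates a stored comment unencoded, beside a version that encodes each field for the HTML context it lands in. The function names and the sample comment are constructed for illustration.

```javascript
// Added example: output encoding for untrusted data placed in HTML.
// All names and sample data here are constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links; encoding alone does not stop javascript: URLs.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
  } catch {
    return '#'; // unparsable or relative input gets a harmless link
  }
}

// Vulnerable: stored comment fields are concatenated into the page as-is.
function renderCommentUnsafe(c) {
  return `<li><a href="${c.site}">${c.author}</a>: ${c.text}</li>`;
}

// Hardened: every field is encoded for the context it lands in.
function renderComment(c) {
  return `<li><a href="${escapeHtml(safeHref(c.site))}">` +
         `${escapeHtml(c.author)}</a>: ${escapeHtml(c.text)}</li>`;
}

// Constructed sample of a stored comment containing markup.
const sample = {
  author: 'Ann & Bob',
  site: 'javascript:alert(1)',
  text: '<script>alert(1)</script>',
};

console.log(renderCommentUnsafe(sample)); // markup reaches the browser intact
console.log(renderComment(sample));       // markup is shown as inert text
```

The same encoder is not sufficient inside a `<script>` block or an inline event handler; those contexts need their own encoding rules.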