- What is cross site scripting?
- How does cross site scripting work?
- Types of cross site scripting
- How to prevent cross site scripting?
What is cross site scripting?
A Cross Site Scripting (XSS) attack is executed on the client side of a web application. The client side is the software used to interact with the web application; in most cases, it is the browser. In an XSS attack, the attacker injects malicious code into the web browser to make the web application do something it is not supposed to do.
How is this harmful code executed, and what happens once the malicious script runs in the web application after its injection? The objective behind this black hat approach is to steal session tokens, cookies, and other important information such as usernames and passwords. The attacker may also change web application content, such as the company name, or show a popup with the message "Website Hacked".
How XSS works
XSS is basically a website hacking technique, so an attacker needs a website, a server, and a victim, who is usually a user. A website may have many vulnerabilities that hackers can exploit. For example, you post a comment on a website, and it is stored on the web server. The same comment is then sent from the web server and displayed on the web page whenever any user loads the page. Displaying the stored comment without validating and escaping it is a vulnerability.
How do hackers exploit it? They write a malicious script in the comment box and publish it. This code is stored on the web server. When any user visits the page, the code is executed and does its job: it steals information and sends it to a URL supplied by the attacker.
This is the logic behind XSS.
Types of cross-site scripting
There are mainly 3 types of XSS.
Reflected XSS (Non-Persistent)
In this type, the attacker uses phishing emails or malicious links to lure the victim into clicking. For example, the attacker sends a link to a fake Facebook login page that looks exactly like the real one. The victim visits it and provides login credentials. The attacker also steals cookies or session tokens to hijack the session. It is non-persistent because the attacker inserts code in the input field, submits it, and gets the data immediately. Here the malicious script is not stored on the web server.
Stored XSS (Persistent)
In this case, malicious code is stored on a web server or in a database. Mostly this is JavaScript code. When the user opens the web page, this JavaScript code is executed in the browser. This attack is possible when input text boxes, comment sections, search fields, or signup/login forms are not properly validated and escaped.
DOM Based XSS
In this type, the hacker injects the malicious script into the DOM of the browser. This is purely a client-side attack; the malicious code is not stored on the web server. Here the script is inserted in the URL as a parameter, not in the input fields.
How to prevent cross site scripting (XSS Prevention)
You can protect your website from XSS attacks with the following steps:
- Validate user input
- Escape special characters
- Consider all user input as a threat
- Sanitize the data by eliminating script tags or other tags, or by using regular expressions
- Encode data: use URL encoding for input and output
- Use CSP (Content Security Policy) standards
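The stored-comment scenario described above, with the "escape special characters" and CSP steps applied, as an added example that is not code from the original page. The function names, the sample comments and the policy value are assumptions made for illustration.

```javascript
// Added example: rendering stored comments, unescaped vs. escaped at output.
// All names (escapeHtml, renderCommentUnsafe, ...) are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored comment is concatenated into the page as-is,
// so any markup inside it becomes part of the document.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment.text + "</li>";
}

// Hardened pattern: the comment is escaped when it is written into the page,
// so the browser shows it as text instead of parsing it as markup.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment.text) + "</li>";
}

// Second layer: a restrictive Content-Security-Policy response header that
// allows only same-origin script files and therefore blocks inline script.
function cspHeader() {
  return ["Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"];
}

// Detection helper: does the rendered HTML contain a live <script> tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data standing in for rows read from a comments table.
const storedComments = [
  { author: "alice", text: "Nice article, thanks!" },
  { author: "mallory", text: '<script>alert("Website Hacked")</script>' },
  { author: "bob", text: "5 < 7 && 'quotes' stay readable" },
];

for (const c of storedComments) {
  const unsafe = containsLiveScriptTag(renderCommentUnsafe(c));
  const safe = containsLiveScriptTag(renderCommentSafe(c));
  console.log(c.author, "| unsafe render has script tag:", unsafe, "| safe render has script tag:", safe);
}
```

Escaping happens at output time, so comments that were stored before the fix are also rendered harmlessly.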