XSS — Cross-Site Scripting

A brief about Cross-Site Scripting (XSS), what it is, how it is caused, types, and a few ways of preventing it.

Image by Tumisu from Pixabay

Introduction

Cross-Site Scripting (XSS) is a web security vulnerability in which an attacker injects malicious scripts into legitimate websites. It is a client-side code injection and can exist wherever a website accepts user input.

What?

A successful XSS attack is possible when there are flaws in the website's code. The attacker injects malicious scripts into the website, and when the end-user opens the injected page, the browser loads it together with the malicious code because it thinks the script came from a trusted source.

This allows the attacker to gain control over the user's interactions with that website. Cookies can be stolen and can be used to impersonate the user.

How?

It is done by manipulating the code of the vulnerable website, which is possible if the website uses unsanitized user input. XSS attacks are most commonly seen in JavaScript, as it is fundamental to the majority of browsers, but XSS is also possible in VBScript, ActiveX, Flash, and even CSS.

Types

There are mainly 3 types of XSS:

  • Stored XSS: This mainly occurs when the malicious code is stored on the server or in the database, for example through a comments section. When the user opens that particular website, the code gets executed, compromising the user’s control.
  • Reflected XSS: It is the simplest form of XSS. It occurs when the attacker constructs a script that is sent with the URL or the HTTP request. Generally, attackers direct users to a different website, through which the malicious script is executed.
  • DOM-based XSS: Named for the Document Object Model (DOM), this takes place completely on the client (user) end. The script is injected directly into the page source through DOM properties such as window or innerHTML.

Prevention

  • If possible, restrict users from entering HTML as input.
  • Improve cookie security.
  • Sanitize data by removing unsafe characters before storing it on the servers.
  • Use a security encoding library.
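
The output-encoding and cookie points above, as an added example that is not part of the original post. It renders a stored comment with and without HTML encoding and builds a hardened session cookie header; the function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: escapeHtml, renderCommentUnsafe, renderCommentSafe and
// sessionCookieHeader are hypothetical names, not from any library.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored user input is concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<li title="${comment.author}">${comment.text}</li>`;
}

// "After": every untrusted field is encoded at output time.
function renderCommentSafe(comment) {
  return `<li title="${escapeHtml(comment.author)}">${escapeHtml(comment.text)}</li>`;
}

// Cookie hardening: HttpOnly hides the cookie from page scripts, Secure
// restricts it to HTTPS, SameSite limits when it is sent cross-site.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input, as it might come back from a comments table.
const sampleComment = {
  author: 'Ann "A." Lee',
  text: "<script>alert(1)</script> nice post & thanks",
};

console.log(renderCommentUnsafe(sampleComment)); // markup is altered by the input
console.log(renderCommentSafe(sampleComment)); // input is displayed as plain text
console.log(sessionCookieHeader("sid", "constructed-session-id"));
```

This encoding is only correct for element content and quoted attribute values; data placed inside a script block, a URL, or CSS needs the encoder for that context, which is what a maintained encoding library provides.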


Hritesh J is a student pursuing undergraduate studies in CS. Loves cybersecurity and playing CTFs and writing about them. “learning one new thing every day.”
