- Cross Site Scripting, better know as XSS, a subset of HTML injection.
- XSS is most prevalent and pernicious security issue.
- XSS flaws occur whenever on web application takes data that originated from user and sends it to browser without validating.
- XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface website, insert hostile content, conduct phishing attacks, and take over the user's browser using scripting malware.
- There are three types in XSS.
Three types of XSS
- DOM Injection.
- Reflected XSS is easiest to exploit.
- A page will be reflect user supplied data directly back to the user.
- Stored XSS takes hostile data and store it in a file, a database, or other backend system and then at a later stage displays the data to user , unfiltered.
- This is extremely dangerous in systems such as CMS, blogs, or forums where a large numbers users will sees input from other individuals.
- XSS attack can be blend or hybrid of all three types.
- Non standard or un expected browser behaviors can introduce subtle attack vectors.
- XSS also potentially reachable through any components that the browser uses.