Cross-site scripting, also known as XSS, is a type of security vulnerability typically found in Web applications. It occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content. Browsers are capable of displaying HTML content and executing JavaScript. If the application does not escape special characters in the input/output and sends the user input back to the browser, an attacker may be able to launch an XSS attack successfully. Through which malicious files can be executed, session details of a logged in user can be stolen, or Trojans can be installed.

Types of XSS: The non-persistent (or reflected) cross-site scripting vulnerability is the most common type. A non-persistent XSS vulnerability occurs when the data provided by the attacker is immediately executed and a generated page is returned to that user. The persistent (or stored) XSS vulnerability occurs when the data provided by the attacker is saved in the server, and permanently displayed on web pages returned to other users. Another type of XSS attack is DOM Based XSS. DOM Based XSS (type-0 XSS) is an attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser.

How to Perform XSS Testing:

How to prevent

XSS attacks are possible mainly because the server is not handling special characters in the output.

There are 2 broad strategies for defeating XSS:

Whitelisting Good inputs

Whitelist: Create a whitelist of characters required by the application. Once the whitelist is ready, the application should disallow all requests containing any character apart from those in the list.

Blacklisting Bad input

Blacklist: Application should not accept any script, special character or HTML in fields whenever not required. It should escape special characters that may prove to harmful. Some of the special characters used in script that must be escaped are: <>()[]{}/\*;:=%+^!

Leave a Reply

Your email address will not be published. Required fields are marked *