Introduction

Cross Site Scripting (XSS) attacks are a form of code injection attacks. It involves injection of HTML tags into user fields provided by websites which are then sent to a user’s web browser. In the browser, Javascript is executed and used to transfer sensitive data to the attacker.

XSS tops the top 10 vulnerabilities list by Open Web Application Security Project (OWASP). Most modern web sites such as social networking sites and blogging sites allow users to post content in the form of posts, comments, scraps etc. If this content published by users contains Javascript, then visitors to the site can be exposed to cross-site scripting (XSS) attack.

The three types of XSS attacks are DOM based XSS attacks, Reflective XSS attacks and Stored XSS attacks. DOM based XSS attacks occur when JavaScript uses input data or data from the server to write dynamic HTML (DOM) elements. In Reflective XSS attacks, code is reflected back to victim. A user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. Stored XSS attacks (also known as persistent attacks) are those where the scripts are permanently stored on the target servers, e.g. in a database. It is called persistent because it will occur till the message containing malicious script is not deleted. Examples include blogs or forums where users can post content that will be displayed to other users.

The video cannot be shown at the moment. Please try again later.

 

Comments are closed.

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 50588 items have been purified.