What is Cross Site Scripting? How to be safe?

Cross site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
Attackers do not aim directly at their victims. Instead, he exploited the vulnerability of the site visited by the victim to provide malicious JavaScript to the site. In the victim's browser, the site appears to be a legitimate part of the site, so malicious JavaScript is a conspirator of unintended attackers. These attacks can be done using HTML, JavaScript, VBScript, ActiveX, Flash, but the most commonly used XSS is malicious JavaScript.

These attacks can also collect data from hijacking accounts, changing user settings, theft / addiction or fake advertising cookies, creating DoS attacks, and so on.

Example

Let 's have a clue. I am a weak one, vulnerable web page, we have achieved metasploitable equipment. Today's measurements are the same as those of a red - haired head protrusion XSS.

First of all, we make a simple alert script

<script> alert(‘I am Vulnerable’)</script>

It will produce the following output

Types of XSS Attacks

XSS attacks are often divided into three types −

• Persistent XSS, where the malicious string originates from the website's database.

• Reflected XSS, where the malicious string originates from the victim's request.

• DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.

In many cases, the Vulnerability Scanner detects the cross site script, so you do not have to do all the work

<script> alert('XSS')</script>

Burp Suite and acunetix are considered as the best vulnerability scanners.

Quick Tip

To prevent XSS attacks, keep the following points in mind

• Check and validate all the form fields like hidden forms, headers, cookies, query strings.

• Implement a stringent security policy. Set character limitation in the input fields.

Follow us on Facebook Click Here :)