Cross-Site Scripting (XSS)
It’s is important to note that XSS attacks only expose user information on the website that’s compromised and doesn’t affect other websites. For example, suppose there’s an XSS script on “youtube.com”. It will give hackers access to all of user’s data on Microsoft but not on other sites like “hbomax.com” or “disney.com”, etc.
How does XSS Work?
Types of XSS
There are three main types of XSS attacks:
- Stored XSS
- Reflected XSS
- DOM-based XSS
1. Stored XSS
In Stored XSS attacks, the malicious script is injected into a website and is stored on target servers. The users get this script without even knowing when they access the page. The example we saw above describes Stored XSS attack.
2. Reflected XSS
In Reflected XSS attacks, the victim is tricked into opening a link with malicious code that the vulnerable websites executes. For examples:
If the user visits the URL sent by hacker and the website has XSS vulnerability, the hacker’s script will execute in user’s browsers and has full access to everything on the site that user has access to.
3. DOM-based XSS
var firstName = document.getElementById('fname').value var lastName = document.getElementById('lname').value var name = document.getElementById('fullName'); name.innerHTML = 'Your name is ' + firstName + ' ' + lastName;
An attacker can easily run malicious code to run their own script:
Your name is <script>DoSomethingBad</script>
How to protect against XSS
XSS attacks only work if the website doesn’t validate its input. For large websites, it can be quite a big undertaking to find and resolve all XSS vulnerabilities. To prevent XSS, it’s a combination of the following methods:
- Use the
- Use Content Security Policy .
(C) 2021 CodeAhoy.com. You can use the material on your site but you must link back to this page.