In cross site scripting attack, the attacker gains the ability to see private user IDs, Password, credit card information and many more informations.
Cookie Stealing and Session Overriding is an example of Cross Site Scripting
There are three type of XSS Vulnerabilties
Is also known as Type 1 or reflected XSS, malicious code is executed by the victim’s browser, and the payload is not stored anywhere; instead, it is returned as part of the response HTML that the server sends. Therefore, the victim is being tricked into sending malicious code to the vulnerable web application, which is then reflected back to the victim’s browser where the XSS payload executes.
A Type 2 or Persistent XSS attack is possible when a website or web application stores user input and later serves it to other users. An application is vulnerable if it does not validate user input before storing content and embedding it into HTML response pages. Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use. The payload is automatically served to users who browse web pages and executed in their context. Thus, the victims do not need to click on a malicious link to run the payload (as in the case of Non-Persistent XSS). All they have to do is visit a vulnerable web page.
This could lead to cookie stealing and session overriding or even allow access to the client operating system.
When a client-side script is executed, it can use the DOM of the HTML page where the script runs. The script can access various properties of the page and change their values.
Cross Site Scripting Attack can be used for:
Impersonate or masquerade as the victim user.
Carry out any action that the user is able to perform.
Read any data that the user is able to access.
Capture the user's login credentials.
Perform virtual defacement of the web site.
Inject trojan functionality into the web site.
How to avoid Cross Site Scripting Attacks
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
Cross – zone Scripting
Http Header injection
Http response Splitting
Cross –site request forgery (CSRF/XSRF)
Best learning portal that provides you great learning experience of various technologies with modern compilation tools and technique
Don't hesitate to give us a call or send us a contact form message