
What is XSS attack (Cross-Site Scripting)?

What is XSS (Cross-Site Scripting)?

Cross-Site Scripting (XSS) is a kind of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are quite common and occur anywhere a web application includes input from a user in the output it generates without validating or encoding it.
An attacker can use XSS (Cross-Site Scripting) to send a malicious script to an unsuspecting user. The end user's browser has no way of knowing that the script should not be trusted, and will execute it. Because the browser believes the script originated from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the various kinds of XSS flaws, see the types of Cross-Site Scripting in the OWASP Top 10.

XSS is a very commonly exploited vulnerability type: it is extremely widespread, easy to detect, and one of the important vulnerabilities in the OWASP Top 10.

Figure: Typical XSS attack.

What is XSS Attack (Cross-Site Scripting)?

Many people do not know what an XSS attack actually is, nor what the OWASP Top 10 vulnerabilities are. XSS is a type of vulnerability that allows an attacker to compromise the interaction a user has with a vulnerable application. Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to its users. When the malicious code executes inside a victim's browser, the attacker can fully compromise that user's interaction with the application.

An attacker can inject untrusted JavaScript code into your application wherever input is not validated. This JavaScript code is then executed in the browser of any victim who visits the target site. XSS is further classified into three types:

  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS

In Reflected XSS, the attacker sends the victim a link to the target application through email, social media, WhatsApp, etc. This link carries a script embedded within it, which executes when the victim visits the target site.

In Stored XSS, the attacker is able to plant a persistent script within the target website, which executes whenever anyone visits the affected page.

Here is a simple example of a stored XSS vulnerability. A message board application lets users submit messages, which are displayed to other users:

<p>Hello, this is my message!</p>

The application doesn’t perform any other processing of the data, so an attacker can easily send a message that attacks other users:

<p><script>/* Bad stuff here... */</script></p>

With DOM-based XSS, no HTTP request carrying the payload to the server is required: the script is injected when client-side code of the target site modifies the DOM in the victim's browser, and it is then executed there.

Potential risks of Cross-Site Scripting (OWASP Top 10)

The attacker can compromise or take over the victim's user account within the application. They might retrieve data from the target web application, modify content on the target page, redirect the victim to a different malicious or spoofed site, or use the flaw as a platform to install other malware on the victim's system.

The consequences of any of the above can seriously impact your ability to conduct business, your customers, and your organization’s reputation.

Defences against Cross-Site Scripting

  • What input can we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • This applies to data held in our database too.
  • Context-aware output encoding (JavaScript/attribute/HTML/CSS).
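As an added example (not code from the original post), the Node.js snippet below renders the stored-XSS message board from the earlier section two ways: once by reflecting the stored message unchanged, and once with the context-aware output encoding named in the last defence above. The function names, the sample author and the message text are assumptions of this example.

```javascript
// Added example: vulnerable vs. hardened rendering of a message-board post.
// Function names and sample values are constructed for this example.

// HTML body context: encode the characters that can open a tag, start an
// entity, or close a quoted attribute.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// HTML attribute context: encode every non-alphanumeric character so a
// value can never terminate the quoted attribute it is placed in.
function encodeForAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// Vulnerable: untrusted data is reflected into the page unchanged, which is
// exactly the stored XSS flaw described in the post.
function renderMessageUnsafe(author, text) {
  return `<p data-author="${author}">${text}</p>`;
}

// Hardened: each value is encoded for the context it lands in (attribute
// value vs. element body), so the browser treats it as text, not markup.
function renderMessageSafe(author, text) {
  return `<p data-author="${encodeForAttribute(author)}">${encodeForHtml(text)}</p>`;
}

// Detection aid for a unit test or build check: does rendered output contain
// a script tag that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample message, shaped like the payload shown in the post.
const STORED_MESSAGE = '<script>/* Bad stuff here... */</script>';

console.log('unsafe:', renderMessageUnsafe('alice', STORED_MESSAGE));
console.log('safe:  ', renderMessageSafe('alice', STORED_MESSAGE));
```

Running it shows the unsafe output still containing a live script element, while the encoded output renders the same text harmlessly.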

