What is Cross Site Scripting or XSS?

Cross-site scripting (XSS) involves malicious JavaScript routines embedded in hyperlinks, which are used to hijack sessions, hijack ads in applications, and steal personal information. It is a computer security vulnerability typically found in web applications that enables attackers to inject client-side scripts into web pages viewed by other users.

With improvements in web development technologies, today's websites are more complex and interactive, and can perform a wide variety of tasks; all of this was achieved by complex web-based applications. Web-based applications are en route to replacing traditional desktop applications in the next few years. With these developments came the perils of XSS.

Today dynamic websites face threats that were previously unknown to static websites. Dynamic websites can deliver different content to visitors depending upon their input. This transfer of data makes a website or web-based application vulnerable to XSS. The websites that accept data from users have to save them somewhere. If they use cookies to store that data, the cookies can be stolen by an attacker.

There are two major types of cross-site scripting: persistent and non-persistent.

Persistent XSS

Persistent XSS is also known as a stored XSS vulnerability and is considered the more dangerous form of cross-site scripting. In persistent cross-site scripting, the attacker posts the malicious code to the server. The user initiates the session with the server. When the server sends back the HTTP response, the code is embedded in this response and is displayed permanently on standard web pages.

Non-Persistent XSS

A non-persistent XSS vulnerability is the most common. This happens when the user sends a request to the server. The server immediately accepts the request and sends back the results on the page without adequately sanitizing the HTML.

Attackers can use an exploited cross-site scripting vulnerability to bypass access controls like the same-origin policy. According to Symantec Corporation, XSS attacks make up 80% of all the attacks carried out against websites and web-based applications. The impact of an attack may range from a trivial irritation to a significant security risk, depending on the sensitivity of the data stored on the vulnerable site and the nature of any security mitigations implemented by the site's owner. XSS or Cross-Site Scripting is the other major vulnerability that dominates the web hacking landscape and is an exceptionally tricky customer which seems particularly difficult to stop. Microsoft, MySpace, and Google all have had problems with XSS vulnerabilities.

How to avoid XSS attacks

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all information is malicious. Constrain and validate all input. Encode all output that could potentially include HTML characters. This includes data read from files and databases.
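
The two rules above (constrain input, encode output, including values read back from a database) are shown here as an added example that is not part of the original article. The function names, the display-name rule, and the sample rows are assumptions made for illustration.

```javascript
'use strict';

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode output: apply to every untrusted value written into HTML,
// including values read back from files or a database.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constrain input: allow-list of what a display name may contain.
// The rule (1-32 letters, digits, space, '_' or '-') is an assumption.
function validateDisplayName(input) {
  return typeof input === 'string' && /^[A-Za-z0-9 _-]{1,32}$/.test(input);
}

// Render one stored comment. Both fields are encoded even though the name
// was validated on the way in: a shared database is not a trusted source.
function renderComment(row) {
  return '<li><b>' + encodeHtml(row.name) + '</b>: ' +
         encodeHtml(row.text) + '</li>';
}

function renderPage(rows) {
  return '<ul>' + rows.map(renderComment).join('') + '</ul>';
}

// Constructed sample rows standing in for a database read.
const storedRows = [
  { name: 'alice', text: 'Nice article, thanks!' },
  { name: 'bob', text: '<script>alert(1)</script>' },
  { name: 'carol', text: 'Tom & Jerry say "hi"' },
];

// The markup in bob's comment is displayed as text, not executed.
console.log(renderPage(storedRows));
```

This encoding is correct for HTML element content and quoted attribute values only; values placed inside a script block, a URL, or a style rule need the encoding that matches that context.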