Cross-site scripting, or XSS, is about malicious JavaScript routines embedded in hyperlinks, which are used to hijack sessions, hijack ads in applications and steal personal information. It is a type of computer security vulnerability, typically found in web applications, that enables attackers to inject client-side script into web pages viewed by other users.
With improvements in web development technologies, today's websites are more complex and interactive and can perform a variety of tasks; all of this was achieved by complex web-based applications. In fact, web-based applications are en route to replacing traditional desktop applications in the next few years. With these developments came the perils of XSS.
Today, dynamic websites face threats that were previously unknown to static websites. Dynamic websites have the ability to deliver different content to visitors depending upon the input that they give. It is this transfer of data that makes a website or web-based application vulnerable to XSS. Websites that accept data from users have to save it somewhere; if they are using cookies to store that data, the cookies can be stolen by an attacker.
There are two major types of cross-site scripting: persistent and non-persistent.
Persistent XSS
Persistent XSS is also known as a stored XSS vulnerability and is considered the more dangerous form of cross-site scripting. In persistent cross-site scripting the attacker posts the malicious code to the server. When a user initiates a session with the server, the server sends back an HTTP response with the code embedded in it, and the code is displayed permanently on normal web pages.
Non Persistent XSS
The non-persistent XSS vulnerability is the most common. This happens when the user sends a request to the server. The server immediately accepts the request and sends back the results in the page without properly sanitizing the HTML.
An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. According to Symantec Corporation, XSS attacks make up 80% of all the attacks carried out against websites and web-based applications. The impact of an attack may range from a trivial irritation to a momentous security risk, depending on the sensitivity of the data stored on the vulnerable site and the nature of any security mitigations implemented by the site's owner. XSS is the other major vulnerability which dominates the web hacking landscape, and is an exceptionally tricky customer which seems particularly difficult to stop. Microsoft, MySpace and Google have all had problems with XSS vulnerabilities.
How to avoid XSS attacks
Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all input is malicious. Constrain and validate all input. Encode all output that could, potentially, include HTML characters. This includes data read from files and databases.
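The advice above, as an added example that is not part of the original article: constrain input with an allow-list, then encode output on the way into HTML, including data read back from a database. The function names and the sample row are illustrative assumptions.

```javascript
// Characters that can change HTML parsing state in element content or
// inside a quoted attribute value, mapped to their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode output for the HTML body / quoted-attribute context only.
// Other contexts (inline script, URLs, CSS) need their own encoders.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constrain and validate input: allow-list of characters plus a length
// bound, rather than a block-list of "bad" strings.
function validateUsername(input) {
  return typeof input === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(input);
}

// Render a comment row as it might come back from a shared database.
// Stored data is treated as untrusted even though the application wrote
// it, so every field is encoded at the point of output.
function renderComment(row) {
  if (!validateUsername(row.author)) {
    throw new Error('invalid author');
  }
  return '<div class="comment" data-author="' + encodeHtml(row.author) + '">' +
    '<p>' + encodeHtml(row.body) + '</p></div>';
}

// Constructed sample row (not real data): the body holds markup that a
// stored-XSS flaw would otherwise send to every visitor's browser.
const storedRow = { author: 'alice_01', body: '<script>alert(1)</script>' };

// The markup arrives as inert text: &lt;script&gt;alert(1)&lt;/script&gt;
console.log(renderComment(storedRow));
```

Validation and encoding are applied together here because neither is sufficient alone: the comment body must accept free text, so only output encoding protects it.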