Cross-site scripting attacks, commonly known as XSS, are a type of attack in which malicious scripts are injected into websites or web applications and run in an end user’s browser. XSS attacks are common and widespread; they rely on unsanitized or unvalidated user input that ends up in the output the application generates.
At its most basic, an XSS attack involves an attacker entering malicious code into a web input form or a web app URL to trick the application into doing something it is not supposed to do. Suppose we have a web application containing a search bar, and instead of a search term you enter a script tag:
<script>alert("I am vulnerable to XSS attack!")</script>
You press Enter and see an alert pop-up message that says, “I am vulnerable to XSS attack!” Now you know that it’s vulnerable and the gates are wide open for you to get in.
What are the consequences of cross-site scripting (XSS) attacks?
Cross-site scripting attacks, regardless of their type, lead to the same set of consequences. The difference in attack vector affects only the delivery method.
Severe XSS attacks can result in the user’s session cookie being disclosed, which allows an attacker to take over the user’s account and hijack their session. They can also lead to the disclosure of the user’s files, installation of malware, unexpected site redirection, and modification of how content is presented. XSS attacks can also lead to the compromise of sensitive data and the theft of confidential information or trade secrets.
XSS attacks can also let attackers modify a page’s contents and create falsified information that can impact or harm the targeted individuals; this is known as content spoofing.
What Are the Types of Cross-Site Scripting Attacks?
XSS exploits can take a number of forms, which makes them very difficult for website users to detect. Let’s take a look at the different types of XSS attacks.
Stored (persistent) XSS
Stored or persistent XSS attacks occur when the malicious scripts are permanently stored on the compromised server(s); this can occur in a database, on a message board, in comment fields, or on other user text input pages. Victims receive the malicious script when the stored information is requested from the server. This is one of the most dangerous as well as most commonly employed types of cross-site scripting.
A reflected attack occurs when the malicious script is not stored on the server but is included in the data sent to the server from a website’s search or contact form. Error messages and search results are two commonly used mediums.
These attacks are often delivered to the target via an email or on another site, often by tricking the target into choosing a link containing the malicious script or by having the user submit a malicious form. The malicious code is then reflected to the user’s browser. This reflection causes the browser to believe that the script is trustworthy and prompts the browser to execute the script.
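The reflection described above, using the search-bar test string from earlier, as an added example that is not code from the original article: a hypothetical search-results renderer that echoes the query unencoded, next to the same renderer with output encoding. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example; escapeHtml, renderSearchUnsafe and renderSearchSafe are hypothetical names.

// Encode the five characters that let text break out of HTML text
// content or a quoted attribute value. Single pass, so "&" produced
// by a replacement is never encoded a second time.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated into the response as-is, so
// markup in the query becomes markup in the page the browser parses.
function renderSearchUnsafe(query) {
  return (
    '<form><input name="q" value="' + query + '"></form>\n' +
    "<p>No results found for " + query + "</p>"
  );
}

// Hardened: same page, with the query encoded at the point of output.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return (
    '<form><input name="q" value="' + q + '"></form>\n' +
    "<p>No results found for " + q + "</p>"
  );
}

// Constructed sample inputs: the article's test string, a harmless
// query whose quotes still end the value attribute early when left
// unencoded, and ordinary text containing "&" and "'".
const samples = [
  '<script>alert("I am vulnerable to XSS attack!")</script>',
  'say "hello"',
  "Tom & Jerry's",
];

for (const s of samples) {
  console.log("unsafe:\n" + renderSearchUnsafe(s));
  console.log("safe:\n" + renderSearchSafe(s) + "\n");
}
```

In the unsafe output the script element arrives intact in the response body; in the safe output the same input is shown to the user as literal text.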
DOM-based attacks