Archives
- Newer posts
- November 2024
- April 2024
- November 2023
- October 2023
- August 2023
- May 2023
- February 2023
- October 2022
- August 2022
- July 2022
- May 2022
- April 2022
- March 2022
- February 2022
- June 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- August 2016
- June 2016
- April 2016
- March 2016
- February 2016
- January 2016
- July 2015
- June 2015
- Older posts
Cross-site scripting
Cross-site scripting (XSS) is a type of injection attack in which an attacker exploits vulnerabilities in a website to attack the users of the website. In cross-site scripting, the hacker includes malicious code in the website’s input source or URL links. This malicious code then executes itself without the knowledge of the user.
There are three main types of cross-site scripting attacks:
1. Reflected: in a reflected cross-site scripting attack, malicious code is sent as an input to a server, the server then reflects the code back to a user’s browser and then executes it on the page. This can happen when a user clicks a malicious link or opens an infected email. This is a common trick in phishing attacks where an attacker tricks a victim into clicking a link to a trusted domain which contains injected scripts with the links as a parameter.
2. DOM-based: in this type of attack, the malicious code is injected into the DOM on a website typically through an element like a text input box or a parameter in the URL. DOM based attack does not modify the server response but modifies the client side code.
3. Stored attack: both reflected and DOM-based XSS attacks rely on user’s clicking the link to execute the malicious code but stored attack works in a different fashion. In a Stored XSS attack, a hacker injects malicious code on a website through a data input. The hacker usually targets the data that is being stored in the database. When this data is requested by another user, the injected code will execute in that user’s browser
XSS can be combined with other attacks which can do damage like session hijacking, scraping sensitive information, posting data on someone else’s behalf, malicious redirecting, social engineering, etc.
So how do you protect your website application from XSS attacks?
There are many ways to do this, some of which are:
• One of the ways is to stop users from entering certain characters like “<” or “>” or store these signs as “>” or “<” in the database rather than storing it as a symbol itself.
• Server side validations such as api sanitization and characters escaping should be implemented.
• In case of WordPress plugins, make sure that the plugin is not vulnerable to XSS attacks. Special care should be taken when any plugin adds customized code in the header or footer.
• reCAPTCHA should be used wherever possible to limit bots from executing scripts.
