28 Jun 2019
Cross-Site Scripting

Cross-site scripting (XSS) is a type of injection attack in which an attacker exploits a vulnerability in a website to attack the users of that website. In cross-site scripting, the attacker places malicious code in an input the website accepts or in a URL link. When the website reflects or stores that input into a page, the malicious code executes in the user’s browser without the user’s knowledge.

There are three main types of cross-site scripting attacks:

1. Reflected: in a reflected cross-site scripting attack, malicious code is sent as input to a server; the server reflects the code back into the page it returns, and the user’s browser then executes it. This can happen when a user clicks a malicious link or opens an infected email. It is a common trick in phishing attacks, where an attacker tricks a victim into clicking a link to a trusted domain that carries the injected script as a parameter of the link.

2. DOM-based: in this type of attack, the malicious code is injected into the DOM of a page, typically through an element like a text input box or a parameter in the URL. A DOM-based attack does not modify the server’s response; the client-side code itself writes the malicious input into the page.

3. Stored: both reflected and DOM-based XSS attacks rely on users clicking a link to execute the malicious code, but a stored attack works differently. In a stored XSS attack, the attacker injects malicious code into the website through a data input, usually targeting data that the site saves in its database. When another user requests that data, the injected code executes in that user’s browser.

XSS can be combined with other attacks to do further damage, such as session hijacking, scraping sensitive information, posting data on someone else’s behalf, malicious redirects, social engineering, and so on.

So how do you protect your web application from XSS attacks?
There are many ways to do this, some of which are:

• One way is to stop users from entering characters like “<” or “>”, or to store these characters as “&lt;” and “&gt;” in the database rather than storing the symbols themselves.
• Server-side validation, such as API input sanitization and character escaping, should be implemented.
• In the case of WordPress plugins, make sure the plugin is not vulnerable to XSS attacks. Special care should be taken when a plugin adds customized code to the header or footer.
• reCAPTCHA should be used wherever possible to limit bots from submitting and executing scripts.
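The following is an added example, not code from the original post, showing the stored-XSS scenario described above (a comment saved by one user and rendered for another) beside the escaping mitigation from the list. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe, containsInjectedTag) and the sample comment are constructed for this illustration. It encodes the five characters that matter in HTML text and attribute contexts at the moment the data is written into the page, which also covers input that was stored unencoded.

```javascript
// Added example: output encoding of untrusted input before it is placed
// into HTML, with a small check that the encoded result no longer carries
// any tag of its own. Names and sample data are assumptions for this demo.

// Characters that can change meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode every special character so the browser treats the value as text.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable template: the stored comment is concatenated into the page as-is,
// so any markup inside it becomes part of the document (stored XSS).
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened template: the comment is encoded at output time, regardless of
// whether it was checked when it was stored.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used only for this demonstration: does the rendered markup
// contain any tag other than the wrapper <div> that the template emitted?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div[\s>]/.test(tag));
}

// Constructed sample: a comment submitted by one user that carries markup.
const storedComment = 'Nice post! <script>alert("stored")</script>';

const unsafe = renderCommentUnsafe(storedComment);
const safe = renderCommentSafe(storedComment);

console.log(unsafe);
console.log(containsInjectedTag(unsafe)); // true: the script tag survived
console.log(safe);
console.log(containsInjectedTag(safe));   // false: only &lt;script&gt; text remains
```

The same rule applies to the DOM-based case: when client-side code writes a URL parameter or input value into the page, it should assign it with a text API (for example textContent) rather than building HTML strings, so the browser never parses the value as markup.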


Pratik Kolvenkar
