Cross Site Scripting (XSS) Attack
Insecure development can ruin many users life.
What is Cross site scripting(XSS) attack ?
XSS attack is a technique to trap the common users who usually visit the various websites. This is possible because of xss vulnerabilities in the particular web application. It allows an attacker to inject malicious code into a website in such a way that the browser of the user who visits the site executes this code.
For example, there’s a website who take users’ input without any validation means one user can insert anything(including special characters) as an input. So, attacker can inject any malicious script as a user input and it would be executed by browser.
Types of XSS Attack
1. Reflected XSS
2. Stored XSS
3. DOM based XSS
Reflected XSS targets an individual users and social engineering plays an important role in this type of attack.
Reflected XSS attack takes place when a user clicks on a malicious link manipulated by an attacker. These vulnerabilities appear when the data provided by the web client,is executed directly by server for parsing and displaying the results page for this client, without proper processing.
Let’s do it practically by injecting a simple script <script>alert(“XSS Attack”)</script> as an user input.
Here you can see no validation has applied and nothing is stored by server.It just process the user input and reflect back the result to user.
Now in case of Stored XSS, multiple users will be the targets. Stored XSS takes place where users’ input are stored on server. So, if an attacker injects a malicious script it would be stored on that vulnerable website’s server. And whenever the other users visit that particular web page, each time this malicious script will be executed by their browsers.
This web page allows users to insert some message and it will be stored in database. As you can see database update queries, which is not use in case of reflected.
Hope the basic concept of XSS attack is clear to you I will explain DOM based XSS in next post.