If you are into hacking techniques, you have surely heard of the popular term XSS (Cross-Site Scripting). It is a technique, or rather a vulnerability, in which an attacker can supply input (usually harmful) that is then delivered to unsuspecting victims.
What follows below will get you up to speed on the fundamental concept in just a few paragraphs.
What is XSS
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application.
XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
In XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
How XSS works
In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser. Once that script runs, the attacker can, for example, do the following:
- Cookie theft: The attacker can access the victim’s cookies associated with the website.
- Phishing: The attacker can insert a fake login form into the page using DOM manipulation, set the form’s action attribute to target his own server, and then trick the user into submitting sensitive information.
Types of XSS
- Persistent XSS: where the malicious string originates from the website’s database.
- Reflected XSS: where the malicious string originates from the victim’s request.
- DOM-based XSS: where the vulnerability is in the client-side code rather than the server-side code.
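To make the "unencoded user input within the output" pattern from the How XSS works section and the Reflected XSS type concrete, here is an added example (not code from the original post): a search page that echoes the `q` query parameter back into its HTML, first unencoded and then with contextual output encoding. The URL, the `q` parameter and the function names are constructed for this illustration.

```javascript
// Added example: a reflected-XSS sink beside its hardened form.
// The "search" page echoes the q= query parameter back into the HTML it
// returns, which is exactly the "unencoded user input in the output" pattern.

// Vulnerable version: the parameter is concatenated straight into the markup,
// so the victim's browser treats any tags inside it as code.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Output encoding for the HTML text-content context: every character that
// could open or close markup becomes an entity, so it is rendered as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened version: same page, but the reflected value is encoded first.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Reflected flow: the malicious string arrives in the victim's own request
// URL, is pulled out of the query string and echoed back in the response.
function handleSearchRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return render(q);
}

// Constructed sample request (hypothetical host) with a script tag in q.
const SAMPLE_URL = 'https://example.test/search?q=<script>alert(1)</script>';

const vulnerable = handleSearchRequest(SAMPLE_URL, renderSearchVulnerable);
const safe = handleSearchRequest(SAMPLE_URL, renderSearchSafe);
console.log(vulnerable); // the <script> tag survives intact and would run
console.log(safe);       // the tag is shown as literal text, nothing runs
```

The same `escapeHtml` is only correct for text between tags; a value placed inside an attribute, a URL or a `<script>` block needs the encoding for that context instead.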