What is Cross-site Scripting (XSS) and its types

If you are into hacking techniques, you have surely heard of the popular term XSS (Cross-Site Scripting). It is a technique, or rather a vulnerability, through which an attacker can input something (usually harmful) that is then delivered to unsuspecting victims.

What follows below will get you up to speed on the fundamental concept in just a few paragraphs.

What is XSS

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker injects malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application, so that they execute in the browsers of that site's visitors.

XSS is amongst the most rampant of web application vulnerabilities. It occurs when a web application uses unvalidated or unencoded user input within the output it generates.

In XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

How XSS works

In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. An attacker could also use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.
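The following is an added example, not code from the original article: a tiny page template that reflects a user-supplied name into HTML, first with the input concatenated in unencoded (the vulnerable pattern described above) and then with the input HTML-encoded, plus a check that shows the difference. The function names, the template and the probe input are constructed for illustration; the encoding shown is correct for HTML text content only, and attribute, URL and JavaScript contexts each need their own encoding.

```javascript
// Added example (not from the original article). Names and inputs are constructed.

// Map the five characters that can change HTML context into character entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string for safe inclusion as HTML text content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated directly into the page body,
// so any markup in the string is parsed by the browser as markup.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: the same page, with the input encoded for the HTML text context.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Defensive check: does the rendered output contain any tag other than the
// <p> element the template itself emits?
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample input: a harmless script tag that a browser would
// execute if it reaches the page unencoded.
const PROBE = '<script>alert(1)</script>';

console.log(renderUnsafe(PROBE));  // script tag survives intact
console.log(renderSafe(PROBE));    // script tag is rendered as literal text
```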

The consequences of malicious JavaScript

  • Cookie theft: The attacker can access the victim’s cookies associated with the website.
  • Keylogging: The attacker can register a keyboard event listener using JavaScript and then send all of the user’s keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.
  • Phishing: The attacker can insert a fake login form into the page using DOM manipulation, set the form’s action attribute to target his own server, and then trick the user into submitting sensitive information.

Types of XSS

While the goal of an XSS attack is always to execute malicious JavaScript in the victim’s browser, there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:

  • Persistent XSS: where the malicious string originates from the website’s database.
  • Reflected XSS: where the malicious string originates from the victim’s request.
  • DOM-based XSS: where the vulnerability is in the client-side code rather than the server-side code.