---
obj: concept
wiki: https://en.wikipedia.org/wiki/Cross-site_scripting
rev: 2024-05-02
---

# Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is an injection vulnerability in web applications. It occurs when an application includes attacker-controlled data in a page without validating or encoding it for the context it lands in, so that the browser interprets that data as script. The injected script runs in the victim's browser with the privileges of the vulnerable site's origin: the same-origin policy treats it as the site's own code, so it can read the page's DOM, read cookies that lack the `HttpOnly` flag, and send requests that carry the victim's session. This enables session hijacking, data theft, actions performed on the victim's behalf, and website defacement.

## Types of XSS

1. **Stored XSS (Persistent XSS)**: The malicious script is persisted on the server, for example in a database record such as a comment, profile field or message, and is served to every user who views the affected page. No interaction beyond visiting the page is needed, which makes stored XSS the most dangerous variant.
2. **Reflected XSS (Non-Persistent XSS)**: The script travels in the request, such as a [URL](../internet/URL.md) parameter or form field, and is echoed back in the immediate response. Nothing is stored; the attacker must get the victim to send the crafted request, typically through a link or a pre-filled form.
3. **DOM-based XSS**: Client-side JavaScript reads attacker-controllable data from a source such as `location.hash`, `location.search`, `document.referrer` or a `postMessage` payload and writes it to a dangerous sink such as `innerHTML`, `document.write()` or `eval()`. The flaw is in the client-side code rather than in server-side templating, and if the payload sits in the URL fragment it never reaches the server at all, so server-side filters and logs do not see it.

## How XSS Works

1. **Injection**: The attacker places a script, usually JavaScript, into an input the application later renders: a form field, a URL parameter, an HTTP header the page displays, or a stored record.
2. **Delivery**: For stored XSS the application delivers the payload to every visitor; for reflected and DOM-based XSS the attacker must induce the victim to open a crafted URL or submit a crafted form.
3. **Execution**: The victim's browser cannot distinguish the injected script from the site's legitimate scripts and runs it with the site's origin, allowing the attacker to read sensitive data from the page or issue requests as the victim.

## Impact of XSS

- **Session Hijacking**: Script can read session cookies that lack `HttpOnly` or tokens kept in `localStorage` and send them to an attacker-controlled host. Even when the cookie is unreadable, the script can still issue authenticated requests from inside the page, so `HttpOnly` limits cookie theft but not impersonation.
- **Data Theft**: Injected script can log keystrokes, read form fields before submission, or change a form's `action` so that passwords, card numbers or personal data are sent to the attacker.
- **Website Defacement**: Script can rewrite the DOM to alter the appearance of the page, causing brand damage and loss of trust.
- **Phishing**: Script can inject a convincing fake login form into a page that carries the legitimate domain and a valid certificate, which makes the lure far harder to spot than a look-alike domain.

## Prevention and Mitigation

1. **Output Encoding and Input Validation**: Encode untrusted data at the point of output, using the encoding for the context it lands in: HTML body, HTML attribute, JavaScript string, URL component or CSS. One encoder does not fit all contexts; a value that is safe in an HTML body can still break out of a `<script>` block or an `href`. Input validation with an allowlist (for instance, an ID must be numeric) is a useful second layer but is not sufficient on its own, because legitimate input often must contain characters such as `<`, `'` and `"`.
2. **Content Security Policy (CSP)**: Send a `Content-Security-Policy` header that allows scripts only from trusted sources, for example via per-response nonces or hashes, and disallows inline scripts and `eval`. This does not remove the vulnerability, but it keeps an injected `<script>` from running. Roll out with `Content-Security-Policy-Report-Only` first to find legitimate scripts the policy would break. For DOM-based XSS, the `require-trusted-types-for 'script'` directive makes the browser reject raw strings assigned to sinks such as `innerHTML`.
3. **Auto-escaping Frameworks and Sanitizers**: Prefer template engines and UI frameworks that escape output by default, and treat their escape hatches (`innerHTML`, `dangerouslySetInnerHTML`, `|safe`, `Html.Raw`) as review points. Where the application must accept HTML, run it through a maintained HTML sanitizer rather than a hand-written filter or a blocklist of tags.
4. **HttpOnly and Secure Cookie Flags**: Set `HttpOnly` on session cookies so that script cannot read them, and `Secure` so that they are only sent over HTTPS. These flags reduce the impact of an XSS bug but do not prevent it.
5. **Regular Security Audits**: Combine code review focused on dangerous sinks with dynamic testing and penetration testing. DOM-based XSS in particular needs client-side review or a browser-driven scanner, since it leaves no trace in server-side logs.