Cross site scripting Attacks (XSS) is a client side attack and it occurs if the applications doesn’t validate external input.
There are 3 types of Cross site scripting attacks:
However, the difference between Reflected XSS and Stored XSS is that for the former one we need to form a request and trick the user to submit that request, but in the later one the malicious script is stored in DB and all users who have access to that particular DB value are affected.
Impact of Cross site scripting attack:
- A valid user session could be hijacked if the cookie attribute HTTPONLY is not set. HTTPONLY cookie attribute does not allow client side script to access cookie values.
- Website could be defaced, meaning website could be presented with unwanted textual descriptions and images.
- Malicious input stored in DB could alter the flow of the application when such data is used for processing etc.,
- Whitelist input validate data, this technique allows only trusted data to be entered into the application and avoids injection of any malicious data.
- In some cases applications are required to accept special characters and in such cases above prevention technique may not prevent cross site scripting. Hence, we may choose to output encode data which will prevent script execution(for ex: “<” is converted to “<” and “>” is converted to “>” thus it avoids execution of client side scripts).
- To prevent DOM XSS, consider to output the values into textual elements rather than html elements.Textual element such as inner.text=”value” and do not use inner.html=”value”.
there are many prevention techniques and it basically depends on the context of untrusted data utilisation. please refer to OWASP prevention cheat sheet for Cross site scripting online.