Cross-Site Scripting (XSS)
Cross-site scripting, commonly abbreviated as “XSS,” is a client-side web application attack used by malicious actors to gain access to private information stored in or entered into a web application or website. XSS, categorized by OWSAP as a “Top 10” attack, can be executed when an attacker injects malicious code into a vulnerable application or website by taking advantage of improperly validated code in the scripting language used to develop the website or app. Cross-site scripting is executed when an attacker manipulates a user’s form inputs.
Despite the prevalence of XSS, many websites and applications still do not properly validate user input, meaning that the browser can’t differentiate valid markup text from injected markup. This allows the attacker to inject malicious commands that can result in unauthorized access of account credentials, cookies, session tokens, or other sensitive information retained by the browser. An attacker can also send phony HTTP requests or leverage HTML5 APIs, allowing the attacker to access a device’s geolocation services, webcam, microphone, or file information; hijack an account; remotely control the browser; view browser history; or rewrite contents of an HTML page.
XSS targets the user rather than the application or website, generally requiring some user action (like filling out a form) to trigger the exploit. JavaScript is the most regularly exploited scripting language.
The two most common forms of XSS are:
- Stored/Persistent attacks
- Reflected/Non-persistent attack
Get the DeMISTIfying InfoSec newsletter every Tuesday!
