Cross-Site Scripting

Cross site scripting (XSS) occurs when a user injects malicious script into an otherwise trusted website. The malicious script will then run on the victim’s web browser, often in an attempt to steal user information such as credentials, session cookies and other sensitive data. Anywhere that allows user input can be vulnerable to an XSS attack. To avoid these attacks a web developer must ensure that user input is validated and encoded before it outputs this as a request. Despite being discovered in the 1990s cross-site scripting has consistently remained as one of OWASPs top 10 web application security risks.  

There are 3 types of cross site scripting. 

• Reflected XSS- When an injection from one request is immediately returned as part of the HTML response.  
• Stored XSS - Arises where the injected is a script that is permanently stored on a website. Examples of where this could be stored is in a comment field or blog post. When another user then tries to visit the page where the injection is stored the malicious script runs on their browser. Stored XSS compromises every user that visits the page. 
• DOM based XSS - This is where the XSS vulnerability appears in the DOM (document object model) rather than the HTML (HTTP response.).  Unlike stored and reflected the page does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment. 

In order to prevent XSS vulnerabilities use frameworks that escape XSS by design, use context based encoding, escape untrusted HTTP request data and enable a content security policy. 

What is the difference between XSS and CSRF? 

A cross site scripting vulnerability abuses the trust a user has for a website whereas a CSRF vulnerability abuse the trust a website has for a user. Cross-site scripting is one of the most common web vulnerabilities and can lead to phishing attacks, website defacement, session hijacking and installation of malware on a victim’s computer.