Cross-Site Scripting (XSS)

• Injects a malicious script into a trusted site to compromise the site’s visitors
• The goal is to have visitors run a malicious script so your system will process it, bypassing the normal security mechanisms
• Mitigate the threat with proper input validation

Four steps to an XSS attack

• The attacker identifies an input validation vulnerability within a trusted website
• The attacker crafts a URL to perform a code injection against the trusted website
• The trusted site will return a page containing the malicious code injected
• The malicious code runs in the client’s browser with permission level as the trusted site

Functions of an XSS Attack

• Defacing the trusted website
• Stealing the user’s data
• Intercepting data or communications

Types of XSS Attacks

Non-Persistent XSS

• An XSS attack that only occurs when it is launched and only happens once
• Server executes the attack (Server-side scripting attack)

Persistent XSS

• Allows an attacker to insert code into a backend database used by that trusted website
• Server executes the attack (Server-side scripting attack)