Cross Site Scripting OR XSS:
Cross site scripting, commonly known as XSS is still one of the major attack which targets majorly IT and Finance companies. Report which is related to web application attacks, states that the attack which occurs at highest percentage on web applications is cross site scripting and it’s relative percentage is nearly 35.1%. According to research of Precise security, online cyber attacks in 2019 with cross-site scripting used in 40 percent of incidents hit around three quarters of large companies in Europe and North America
What is Cross-site Scripting (XSS)?
Is Cross-Site Scripting the problem of users?
The combination of the above attacks the attackers can perform advanced attacks like cookie stealing or session stealing, planting trojans, keylogging, social engineering and many more. Hence, the XSS vulnerability allows an attacker to perform a massive affecting attack on one or many victims. XSS vulnerability can also be allowed to perform CSRF (Cross-Site Request Forgery) attack by an attacker.
How Cross-Site Scripting works ?
There are two stages of Cross-site Scripting attack:
⦁ After that attack the victim will visit the web page with malicious code injected into that page. Not only this, if the attack is targeted at a single victim the attacker can send the victim a malicious URL to infect.
Types of Cross-site Scripting (XSS)
The Cross-Site Script (XSS) attacks are classified into three vectors. Such as
i) Stored/persistent XSS,
ii) Reflected/non-persistent XSS,
iii) DOM-based XSS.
i) Stored/persistent XSS
ii) Reflected/non-persistent XSS
iii) DOM Based Cross site scripting :
var search = document.getElementById(‘search’).value;
var results = document.getElementById(‘results’);
results.innerHTML = ‘You searched for: ‘ + search;
If the value of the input field can be controlled by an attacker, they can easily construct a malicious value that causes own script developed by them to execute:
You searched for:
<img src=1 onerror=’/* Bad stuff here… */’>
In an usual case, part of the HTTP request would populate input field , such as a URL query string parameter, which allows the attacker to deliver an attack using a malicious URL, same as reflected XSS.
Test to find whether Your Website or Web Application is Vulnerable to Cross-site Scripting :
one of the most common web application vulnerabilities are cross site scripting. The OWASP organization (Open Web Application Security Project) lists XSS vulnerabilities in their OWASP Top 10 vulnerabilities document
It’s comparatively easy to check if your website or web application is vulnerable to XSS and other vulnerabilities. There are different web scanning tools you can use like Acunetix scanner which scans vulnerabilities and having specialized XSS scanner in it. You can also use nessus, nikto scanner, Burp Suite’s web vulnerability scanner can also find XSS vulnerabilities quickly and reliably
How to secure yourself from Cross site scripting (XSS) ?
Preventing cross-site scripting is important in few cases but can be comparatively harder which is decided on the complexity of the application and the ways in which user-controllable data is handled by it.
Also, there are multiple ethical hacking institutes in pune which work in real world to patch these vulnerabilities so you can choose any ethical hacking institute or any one of the top mentor who work on these vulnerabilities to get clear idea about how to prevent this practically.