26. November 2015 02:12
Cross-site scripting or XSS is a common security exploit that allows hackers to run a malicious client side script in trusted and credible websites. When a user visits the infected website, it will automatically execute the malicious script code which can allow access to cookies, session tokens, steal accounts, spread web worms, initiate phishing attacks, or even remotely control the browser.
Types Of Cross-Site Scripting Attacks
- Stored XSS: Also known as persistent XSS or HTML injection attack, this is probably the most damaging type of XSS. It involves an attacker injecting a malicious script that is permanently stored on the target server in the form of a blog, forum post, in a comment field etc. When a user navigates to the affected web page, he inadvertently runs the script as a part of the web page.
- Reflected XSS: In a reflected XSS attack, the injected script is sent back to the web server in the form of a search result or error message. Also known as non-persistent XSS, a reflected attack is distributed to victim through an e-mail message, social networks or some other website containing a malformed URL. When the user performs the desired action, i.e. clicks on the link, submits a form or simply browse the spam URL, the code gets redirected to the vulnerable website. As the script comes from a credible server, the browser executes the code.
- DOM Based XSS: This attack involves exploiting vulnerabilities within a web page’s code. It is carried out through an inappropriate handling of the HTML data of a web page through its associated DOM (Document Object Model). The most commonly manipulated DOM objects in an XSS attack include document.referrer, document.url and location.hash elements.
Tips To Prevent Against Cross-Site Scripting
- Do not trust links in emails, message boards or other websites. They may contain malicious codes and redirect you to a spam website.
- Manually type the URL in the browser while visiting security sensitive web pages.
- Websites that require entering important personal or business information should not be accessed through a third party portal.
Cross-site scripting poses an immense threat to the online security and privacy of millions of users. Therefore, it is important for the developers to follow the recommended security practices to eliminate an attacker’s ability to infect the website with a malicious code.