Browsing opens you up to a whole new world of data and opportunities. However, visiting different websites comes with unseen risks. Your browser has no way of telling whether a script on a site is trustworthy. As a result, many people become victims of malicious scripts through cross-site scripting. Cross-site scripting (XSS) refers to the injection of malware into a website you trust. Hackers cannot approach you directly; hence they depend on the vulnerabilities of the sites you visit to deliver the malware.
The Same Origin Policy
Usually, browsers are protected by the same-origin policy, which ensures that scripts from different website origins do not interact. But since the browser cannot recognize attacker-controlled markup, it executes the text it receives regardless of the source. The attacker is thus able to inject the malware into the browser of a web user. It also allows the hacker to steal your session cookies and so impersonate you. From this, they can deface a website, phish for your credentials, cause havoc on social networks, and carry out social engineering techniques that allow further attacks and further spread.
Types of XSS
XSS delivery takes various language forms such as Java, HTML, Flash, and Ajax. Its execution, however, falls into three major groups.
Stored XSS
As the name suggests, injected scripts become permanent on the visited website. This attack is the most dangerous form of cross-site scripting. When the user visits the website, the attacker gains access to their data. The unaware user browses through the site and their details become available to the attacker. Stored XSS doesn't require the user to click on any links; accessing the compromised site is sufficient. Stored XSS is quite challenging to execute, but its damage runs deeper.
Reflected
In this case, malicious content from the visited site ends up being reflected in one's browser. It comes in the form of a link, and it requires the user to click on the link to execute the code. Once you visit the unsecured site, the attacker can deliver their payload script through your browser's HTTP request. While persistent XSS requires just a visit to the website, reflected XSS has to carry the malware payload to each victim. This attack is the most common, but people are becoming more aware and avoid clicking on pop-up links and other social engineering methods used to lure them.
DOM-Based
DOM-based scripting attaches the payload to the document object model, unlike stored and reflected XSS, which attach the code to the HTML. It is a threat to over 50 percent of sites for one simple reason: traditional server-side filters cannot detect DOM-based payloads. The hash (#) was adopted by JavaScript developers to keep track of malware in Ajax pages. The code appearing after the hash is not sent to the server, and thus server-side protection filters cannot work against DOM-based XSS.
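The following added example (not code from the original article) illustrates the point above that the part of a URL after the hash never reaches the server, so a server-side filter has nothing to inspect, and shows the client-side encoding that closes the gap. The link, the payload, the filter and all function names are constructed for illustration.

```javascript
// Added illustration; the link, payload and filter below are constructed.
const sampleLink =
  'https://shop.example/search?q=shoes#<img src=x onerror=alert(1)>';

// What the browser sends to the server: path and query only.
// The fragment (everything after '#') stays in the browser.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Hypothetical server-side filter: flags markup characters, raw or
// percent-encoded, in the request it receives.
function serverFilterFlags(target) {
  return /[<>"']|%3c|%3e|%22|%27/i.test(target);
}

// What client-side script sees when it reads the fragment
// (the equivalent of decoding location.hash in a browser).
function clientFragment(link) {
  return decodeURIComponent(new URL(link).hash.slice(1));
}

// Vulnerable pattern: fragment concatenated into HTML, as happens when
// the string is assigned to innerHTML or passed to document.write.
function renderUnsafe(fragment) {
  return '<p>Showing: ' + fragment + '</p>';
}

// Hardened pattern: encode HTML metacharacters before the value reaches
// an HTML sink. In a browser, assigning to textContent has the same effect.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(fragment) {
  return '<p>Showing: ' + escapeHtml(fragment) + '</p>';
}

const seenByServer = requestTarget(sampleLink);
const seenByClient = clientFragment(sampleLink);
console.log('server receives :', seenByServer);
console.log('filter flags it :', serverFilterFlags(seenByServer));
console.log('client reads    :', seenByClient);
console.log('unsafe output   :', renderUnsafe(seenByClient));
console.log('safe output     :', renderSafe(seenByClient));
```

Because the server only ever sees `/search?q=shoes`, the defence has to sit in the page's own script, at the point where the fragment is written into the document.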
Preventing XSS
There are two primary methods of fighting XSS attacks.
The first is the use of side filters. For instance, if one of your clients submits a form, you must run it through an external filter. Some of the filters employed by developers are PHP and ASP. They track and remove dangerous keywords such as