Cross-Site Scripting (XSS) - Types and Prevention
Cross-site scripting (XSS) is an attack technique that injects malicious scripts into web pages. JavaScript planted by an attacker runs in the victim's browser, leading to cookie theft, session hijacking, redirects to phishing pages, and more. In the 2024 OWASP Top 10 it ranks high as a type of injection attack, and it is one of the most common vulnerabilities in web applications.
Real-World Use Cases
"The input values from the contact form were not sanitized, and we found a stored XSS vulnerability. When the inquiry content was displayed in the admin panel, the script executed and the administrator's session cookie was being sent to an external server."
The Flow of an XSS Attack
Types of XSS
Reflected XSS is the type in which a script carried in a URL parameter or other request value is echoed directly back into the page, so the victim typically has to open a crafted link. Stored XSS is the type in which a script saved on the server (for example in a database) is later rendered to other users; bulletin boards and social-media comment sections are frequent targets, and because every viewer of the page is affected it causes more serious damage. DOM-based XSS originates entirely in client-side JavaScript that writes untrusted data (such as a URL fragment) into a dangerous sink; it is harder to detect because the payload never reaches the server and leaves no trace in server logs.
Concrete Damage Scenarios
A common misconception is that "XSS is a minor attack that only changes the appearance." In reality, serious attacks are possible, such as using stored XSS to embed a malicious script in the product review section of an e-commerce site and steal the session cookies of every user who views the review. With the stolen cookies, the attacker can purchase products using the victim's account or change their registered information. Techniques that combine it with phishing to display a fake login form on a legitimate site have also been observed.
Countermeasures as a User
The basics are to keep your browser up to date and not to click on suspicious links. By using a unique random password for each service, you can prevent damage from spreading to other services even if a session is hijacked through an XSS attack. Restricting JavaScript execution with a browser extension is also an effective countermeasure.