Web Application Security Glossary

XSS (Cross-Site Scripting)

Cross-Site Scripting is an attack in which an attacker injects malicious JavaScript code into web pages; the code is then executed in other users' browsers and enables session hijacking, phishing, or malware distribution.

Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications. Unlike SQL injection, XSS does not target the server itself; it turns the victim's browser into the tool that carries out the attack.

Types of XSS

Reflected XSS: The malicious code is part of the HTTP request (e.g., URL parameters) and is immediately reflected in the response. Requires the victim to click on a specially crafted link.

Stored XSS: The malicious code is permanently stored in the database (e.g., in comment fields, user profiles) and executed every time other users visit the page. This is particularly dangerous because no crafted link is needed; simply visiting the page is enough.

DOM-based XSS: The attack occurs entirely on the client side, with JavaScript manipulating the DOM based on unvalidated user input. The payload does not appear in the server's HTTP response, which makes it harder to detect.

Impact

  • Session Hijacking: Stealing session cookies → Account takeover
  • Credential Harvesting: Fake login forms within the context of the real website
  • Malware Distribution: Drive-by downloads via XSS
  • Keylogging: Recording of keystrokes
  • CSRF Bypass: XSS can steal CSRF tokens

Mitigation Measures

  • Output Encoding: All user data must be escaped according to the output context in which it is rendered (HTML entities, JavaScript encoding)
  • Content Security Policy (CSP): HTTP header that blocks inline JavaScript and unknown script sources
  • Sanitization: Clean or reject untrusted input before storing it in the database
  • HttpOnly and Secure Cookies: HttpOnly prevents JavaScript from reading session cookies; Secure restricts them to HTTPS connections
  • Modern Frontend Frameworks: React, Angular, and Vue escape by default when used correctly
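To make the output-encoding and DOM-manipulation points concrete, here is an added example (not code from the original glossary) that places a vulnerable string-concatenation renderer beside its encoded counterpart, shows why attribute values must be both quoted and encoded, and uses textContent instead of innerHTML for the DOM-based case. Sample inputs are constructed for illustration.

```javascript
// Added example, not part of the original glossary: context-dependent output
// encoding for the HTML-body and HTML-attribute contexts, plus a safe
// DOM-update pattern. All sample inputs below are constructed.

// Every character that can change meaning inside HTML text or inside a
// quoted attribute is mapped to its entity form.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: untrusted input is concatenated straight into markup, so any
// tags it contains are parsed by the browser as part of the page.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: the same template, with the input encoded for the HTML-body
// context before it is inserted.
function renderCommentSafe(comment) {
  return `<div class="comment">${encodeForHtml(comment)}</div>`;
}

// Attribute context: encoding only helps when the attribute is quoted, so
// the template always quotes the value and encodes it. A closing quote in
// the input becomes &quot; and cannot terminate the attribute early.
function renderProfileLinkSafe(displayName) {
  return `<a title="${encodeForHtml(displayName)}">profile</a>`;
}

// DOM-based pattern: assigning via textContent inserts the data as text,
// whereas innerHTML would parse it as markup. `el` is any object with a
// textContent property, so the function also runs outside a browser.
function setUserTextSafe(el, untrusted) {
  el.textContent = String(untrusted);
  return el;
}

// Constructed sample showing the difference between the two renderers.
const sample = '<script>alert(1)</script>';
console.log(renderCommentVulnerable(sample)); // script tag reaches the page
console.log(renderCommentSafe(sample));       // rendered as visible text
```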