KIM COMPUTER


XSS (Cross-Site Scripting)

XSS (Cross-Site Scripting) is a major web vulnerability where an attacker injects malicious client-side scripts (usually JavaScript) into a web application, causing that script to be executed in the browsers of other users who visit the site.

A common goal of an XSS attack is session hijacking: stealing the victim's session token so the attacker can act as that user. The same foothold can also be used to perform actions in the victim's name, capture keystrokes or form input, or rewrite what the page shows.


1. How the Attack Works (Session Hijacking)

  1. Script Injection: An attacker inputs malicious JavaScript code into an input field (e.g., a comment section, username field, or URL parameter).
  2. Storage or Reflection: The unfiltered malicious code is either stored on the server (Stored XSS) or immediately included in the server's response (Reflected XSS).
  3. Browser Execution: When a victim visits the compromised page, the browser cannot distinguish the injected script from the site's own script, so it executes it with the full privileges of the site's origin.
  4. Session Theft: The executed script reads the victim's sensitive information, such as the authentication cookie (session token), and sends it to the attacker's server. Reading the cookie only works if it was not set with the HttpOnly attribute; even then, the script can still issue requests in the victim's authenticated session from inside the page.

2. Main Types of XSS Attacks

Type | Description | Risk Level
Stored XSS (Persistent) | The malicious script is permanently stored on the target server (e.g., in a database field for blog comments) and served to every user who views that content. Most dangerous. | High
Reflected XSS | The script arrives in a request (usually a URL parameter, e.g., a search term) and is echoed straight back in the response; the victim must be lured into opening the crafted link. Not persistent. | Medium
DOM-based XSS | The flaw is in the site's own client-side JavaScript, which reads attacker-controlled data (e.g., location.hash or document.referrer) and writes it into an HTML sink such as innerHTML or document.write. The payload may never reach the server, so server-side filters and logs do not see it. | Medium

The risk levels above are a rough ranking. In practice the impact depends on what the injected script can reach: a reflected or DOM-based XSS on a login page can be as damaging as a stored one.

3. XSS Defense Strategies (Developer Perspective)

The core defense against XSS is to treat every piece of user-controlled data as untrusted and to encode it for the exact context (HTML body, attribute, JavaScript, URL) in which it is placed.

  1. Output Encoding (Contextual Encoding): When data is written into the response, the characters that can change HTML structure (&, <, >, ", ') are converted into their entity equivalents (&amp;, &lt;, &gt;, &quot;, &#39;) so the browser displays them as text instead of parsing them as markup. Attribute values must also be quoted, since an unquoted attribute can be terminated by a space. Other contexts need their own encoding: JavaScript strings, URLs and CSS each have different escape rules, and untrusted data should not be placed inside a <script> block at all. On the client side, write untrusted data with textContent or setAttribute rather than innerHTML or document.write. Most template engines encode by default; the risk is in the "raw" or "unsafe" helpers that switch it off. This is the most fundamental defense.
  2. Input Validation: Strict checking of input at the submission stage against an allowlist of what the field may legitimately contain (a username matching ^[A-Za-z0-9_]{3,20}$, an integer, a date). Blocklisting dangerous strings such as <script> or javascript: is easy to bypass with case changes, encoding, or other tags (<img onerror=...>), so validation is defense in depth, not a substitute for output encoding.
  3. CSP (Content Security Policy): A Content-Security-Policy response header that tells the browser which script sources may run. With a per-response nonce or a hash in the script-src directive, only the application's own <script> elements execute, while injected inline scripts and inline event handlers are blocked. Allowing 'unsafe-inline' removes that protection, so a CSP that needs it offers little against XSS. CSP is a backstop for a missed encoding bug, not a replacement for encoding.