When you visit a website, your browser develops a trust relationship with that website. Josh Pauli, in The Basics of Web Hacking, 2013 Cross-Site Scripting (XSS) VulnerabilitiesĬross-site scripting (XSS) is the more widespread vulnerability in web applications today, but it is often times dismissed as nothing more than a silly JavaScript pop-up window. This is a 1:many hacker to victim ratio.īoth flavors of XSS have the same payloads they are just delivered in different ways. As legitimate users request the page, the XSS exploit will run in each of their browsers. It may be placed in a database that is used to populate a webpage or in a user forum that displays messages or any other mechanism that stores input. This occurs when a hacker is able to inject the malicious script into the application and have it be available to all visiting users. Stored XSS is harder to find in web applications, but it’s much more damaging because it persists across multiple requests and can exploit numerous users with one attack. The hacker may send out the same malicious URL to millions of potential victims, but only the ones that click his link are going to be affected and there’s no connection between compromised users. It is generally a 1:1 hacker to victim ratio. Think of reflected XSS as “whoever clicks it, gets it.” Whatever user clicks the link that contains the malicious script will be the only person directly affected by this attack. The reason that reflected XSS is considered less harmful isn’t because of what it can do, but because it’s a one-time attack where the payload sent in a reflected XSS attack is only valid on that one request. Reflected XSS is much more widespread in web applications and is considered to be less harmful. XSS comes in two primary “flavors”: reflected and stored. Because this script is part of the response from the application, the victim’s browser trusts it and allows the script to run.
XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, act as a key logger, redirect the user to malicious sites, or anything else a hacker can dream up! A hacker can inject malicious script (often times JavaScript, but it also could be VBScript) that is then rendered in the browser of the victim. Josh Pauli, in The Basics of Web Hacking, 2013 Cross-site Scripting (XSS)Ĭross-Site Scripting (XSS) occurs when user input is accepted by the application as part of a request and then is used in the output of the response without proper output encoding in place for validation and sanitization.