Cross-site scripting (XSS) attack

7. Cross-site scripting (XSS) attack

XSS attacks use third-party web resources to run scripts in the victim's web browser or scriptable application. Specifically, the attacker injects a payload containing malicious JavaScript into a website's database.

When the victim requests a page from the website, the website sends the page, with the attacker's payload as part of the HTML body, to the victim's browser, which executes the malicious script.

For instance, the script might send the victim's cookie to the attacker's server, where the attacker can extract it and use it for session hijacking. The most dangerous consequences occur when XSS is used to exploit additional vulnerabilities. These vulnerabilities can enable an attacker not only to steal cookies but also to log keystrokes, capture screenshots, discover and collect network information, and remotely access and control the victim's machine.

While XSS can be exploited within VBScript, ActiveX, and Flash, the most widely abused is JavaScript, primarily because JavaScript is so widely supported on the web.

To defend against XSS attacks, developers can sanitize data supplied by users in an HTTP request before reflecting it back. Make sure all data is validated, filtered, or escaped before echoing anything back to the user, such as the values of query parameters during searches. Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded counterparts. Give users the option to disable client-side scripts.
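The escaping step described above, as an added example that is not code from the original article: a reflected search term is rendered once unescaped and once escaped for its output context (HTML body, then URL encoding plus HTML escaping inside an attribute). The function names and the sample input are constructed for the illustration.

```javascript
// Added example (hypothetical names): context-aware escaping of a reflected
// query parameter before it is echoed back into an HTML page.

// The characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Replace each special character with its HTML entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the raw search term is reflected straight into the HTML body,
// so any markup in the term becomes part of the page.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: the term is HTML-escaped for the body, and URL-encoded when it
// is placed in a link's query string. The URL is then HTML-escaped as well, because an
// href attribute is an HTML context (encodeURIComponent leaves ' untouched, for example).
function renderSearchSafe(term) {
  const body = escapeHtml(term);
  const link = `/search?q=${encodeURIComponent(term)}`;
  return `<p>Results for: ${body}</p><a href="${escapeHtml(link)}">Search again</a>`;
}

// Constructed sample input: a search term that carries a script tag.
const SAMPLE = "<script>alert(1)</script>";

// Crude check used only for this demonstration: is a live <script> tag still present?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderSearchUnsafe(SAMPLE)); // script tag survives into the page
console.log(renderSearchSafe(SAMPLE));   // rendered as harmless text
```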