What is a cross-site scripting (XSS) attack and how do we protect ourselves from it?
Cross-site scripting (XSS) exploits the dynamic and remotely accessible nature of web applications and sites. It occurs when a web application allows an attacker to inject HTML code into a web page, which is possible because dynamic web applications are designed to accept and execute remote code such as JavaScript, ActiveX and Java applets. A web application or website vulnerable to an XSS attack may load untrusted or unsanitized data from a remote entity and execute any source code it contains. This lets a remote attacker stage unwanted actions right in the entity's browser, such as redirecting it to malicious sites. It also lets the attacker read sensitive data and hijack the entity's session with a secure website.
XSS is a web security vulnerability that allows an attacker to compromise the interactions users make with a vulnerable web application; it mostly occurs when the application reflects its input. There are two types of cross-site scripting (XSS), namely:
- Reflected XSS: occurs when a web application receives data in an HTTP request and includes that data in the immediate response in an unsafe manner.
- Persistent or stored XSS: occurs when a web application receives data from an untrusted source and includes that data in its later HTTP responses in an unsafe manner.
Attackers who exploit such web application vulnerabilities can launch an XSS attack to perform the following malicious activities:
- Read any data that the user is able to access
- Perform actions that the user is able to perform
- Capture the user's login credentials, such as passwords
- Perform website defacement
- Impersonate the victim user
- Inject Trojan horse functionality into the web application
Organizations and individuals can take the following measures to protect themselves from XSS attacks:
- Validate input
- Encode output data
- Use proper response headers
- Establish a content security policy (CSP)
- Keep software systems updated
- Deploy a web application firewall (WAF)
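The first two measures, input validation and output encoding, shown side by side for the reflected case described above. This is an added example, not code from the original answer: `escapeHtml`, `isValidUsername` and the two `renderSearch*` helpers are hypothetical names, and the probe string is a constructed sample input.

```javascript
// Output encoding for the HTML element-body and quoted-attribute contexts:
// every character that could open or close markup is replaced by an entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation with an allowlist: accept only what the field legitimately
// needs (here a username of 3-32 letters, digits or underscores). This is
// defence in depth, not a replacement for encoding at output time, because
// many fields (search terms, comments) must legitimately accept punctuation.
function isValidUsername(value) {
  return /^[A-Za-z0-9_]{3,32}$/.test(value);
}

// Unsafe renderer: reflects the search term straight into the page body,
// which is the pattern that makes reflected XSS possible.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Safe renderer: encodes the term for the HTML body context before it is
// placed in the response, so the browser shows it as text, not markup.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed sample input resembling a reflected-XSS probe string.
const SAMPLE_INPUT = '<script>alert(1)</script>';

console.log('unsafe:', renderSearchUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderSearchSafe(SAMPLE_INPUT));
console.log('valid username "alice_01":', isValidUsername('alice_01'));
console.log('valid username "<img>":', isValidUsername('<img>'));
```

The encoding table above is only correct for HTML body and quoted-attribute contexts; data placed inside a JavaScript string, a URL or a CSS value needs the encoder for that context instead.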