Cross-site scripting is also known as XSS. It is one of the most popular attacks against web and mobile applications. When performing web or mobile app security testing, we need to make sure that our application is not vulnerable to XSS attacks.
A cross-site scripting attack is an injection of malicious code that runs in the victim's browser. The malicious script can be stored on the web server and executed each time a user requests the affected functionality. The attack can also be carried out by other methods, without a script being stored on the web server.
The purpose of an XSS attack is to steal another user's identity data through cookies, session tokens and other sensitive information. This is the reason the XSS attack is considered one of the riskiest. In most cases, the purpose of the attack is to steal the other person's cookies.
There are basically three types of XSS attacks:
1. Stored XSS attack
2. Reflected XSS
3. DOM-Based XSS attack
Stored and reflected XSS are the most popular types and affect most applications.
Stored attacks are those in which the injected script is permanently stored on the destination servers, for example in a website database, a community forum, input fields, etc. Stored XSS is also known as persistent XSS or Type I XSS. The victim receives the malicious script from the server when it requests the stored information.
Reflected XSS is sometimes referred to as non-persistent XSS or Type II. These attacks are carried out when a web server reflects the injected script back in a response, for example in an error message, a search result or any other response that includes input sent to the server as part of the request. Reflected attacks are delivered to victims in many ways, such as a link in an email message.
If a user is tempted to click on a malicious link, submit a specially crafted form or simply navigate to a malicious website, the injected code travels to the vulnerable website, which reflects the attack back to the user's browser. The browser executes the code because it comes from a "trusted" server.
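The reflected case described above, as an added example that is not part of the original article: a hypothetical search-result renderer that echoes the query unchanged, beside a version that HTML-encodes it before output, plus a small check a tester can run against either. All function names, the cookie name and the probe string are constructed for illustration.

```javascript
// Added example; every name and sample value here is constructed.

// Vulnerable form: the search term is concatenated into the response as-is,
// so any markup in it is parsed by the browser as part of the trusted page.
function renderSearchUnsafe(query) {
  return `<p>No results found for: ${query}</p>`;
}

// The five characters that let text break out of HTML text and
// quoted-attribute contexts, mapped to their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: the same response, with the reflected value encoded for
// the HTML context it lands in. The browser shows it as text.
function renderSearchSafe(query) {
  return `<p>No results found for: ${escapeHtml(query)}</p>`;
}

// The article names cookies as the usual target. HttpOnly keeps page
// scripts from reading the cookie even if an encoding step is missed.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Tester's check: does the response contain the probe byte-for-byte even
// though the probe carries markup characters?
function reflectsRawMarkup(render, probe) {
  return /[<>"']/.test(probe) && render(probe).includes(probe);
}

// Constructed, inert probe used only to see how the input is echoed.
const PROBE = '<script>/* constructed test marker */</script>';

console.log(renderSearchUnsafe(PROBE));
console.log(renderSearchSafe(PROBE));
console.log('unsafe reflects raw markup:', reflectsRawMarkup(renderSearchUnsafe, PROBE));
console.log('safe reflects raw markup:', reflectsRawMarkup(renderSearchSafe, PROBE));
```

The encoding shown covers HTML text and quoted attribute values only; values written into script blocks, URLs or CSS need the encoding for that context.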