What is XSS - Cross Site Scripting?

XSS is a computer security vulnerability normally found in web applications that allows attackers to inject client-side scripts into benign and trusted websites.

A cross-site scripting vulnerability could be used by an attacker to bypass access controls such as the same-origin policy. Instead of directly targeting the application, it puts users at risk since user accounts can be compromised, Trojan horse programs activated, and page content modified, misleading users into willingly surrendering private data. Session cookies can also be exposed, letting perpetrators impersonate valid users and abuse their private accounts.

There are two types of XSS. The first is stored/persistent XSS, the more damaging type, which occurs when a malicious script is injected directly into a vulnerable web application. The second is reflected XSS which involves the reflecting of malicious script off of a web application, onto a user’s browser. In this attack, the script is embedded into a link, and is only activated once that link is clicked on.

Websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards are frequent targets for XSS attacks. Every time the infected page is viewed, the malicious script is transmitted to the victim’s browser.