Let’s start with understanding what is XSS attack? An XSS attack is a condition of computer vulnerability where the attacker uses a weak website or unsafe user input fields to transfer malicious code over to the user and initiating a series of codes that will enable the attacker to hijack your session leading to unwanted page redirections, ads, etc. it can also cause the leakage of usernames and passwords. It is one of the most common types of computer vulnerability and is responsible for massive data thefts all over the world daily. Now, here are some types of XSS attacks.

Stored XSS attack

These attacks happen when the XSS is permanently stored on servers. The attacks are generally triggered from comment boxes when the server asks for information from the victim, their computer gets infected and the program initiates its procedure of data theft and session hijack.

Reflected XSS attack

In this attack, the malicious script isn’t stored on the server but sent to the victim via email where they might be tricked into choosing the infected link which will trigger the injection of malicious scripts into the victim’s system and start initiating the whole attack.

Attacks based on DOM

Although, it is quite rare in occurrence DOM or document object model is equally considered as dangerous as its other counterparts. It can be called an application programming interface. This is used for valid XML and HTML documents. It occurs when a DOM environment gets modified in any way in the browser of the victim, this causes the code on the side of the client to run in an unexpected manner.

How to prevent these attacks?

These attacks are dangerous but they can be avoided easily by Sanitizing, Escaping, and Validating.

Sanitizing the input areas is a good way to prevent these attacks. A special character that is used in HTML shouldn’t be allowed in the input area.

Escaping basically makes sure that the data the user has provided as input is not to be considered as an HTML or even JavaScript.

Validation is basically treating every input as not trustable until it complies with a certain set of guidelines.

Leave a Reply