About cross-site scripting (XSS) attacks
Cross-site scripting is a client-side application security vulnerability that allows the adversary to manipulate user interactions with the webserver/application. In violation of the same-origin policy, attackers exploit insecure input interfaces and client-side scripting to execute malicious code. While doing so, the victim is tricked into visiting the page with a malicious script so that the executable code is delivered to the affected browser. In such attacks, hackers also masquerade as compromised users to access user data and carry out actions with their permission. In instances where the victim is a privileged-access user, attackers can fully compromise the application data and functionality. Any application not validating the user input when generating script outputs is vulnerable to XSS attacks.
XSS attacks are generally categorized as:
- Reflected
- Stored/persistent
- DOM-based