Ethical Hacking Cross Site Scripting, Types Of Attack And Quick Tip
Cross-Site Scripting :
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
The attacker exploits a vulnerability in a website the victim visits, so that the website itself delivers the malicious JavaScript. To the victim, the script appears to be a legitimate part of the website, and the website acts as an unintentional accomplice to the attacker. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX or Flash, but the most commonly used form of XSS is malicious JavaScript.
The attacker can also gather data by hijacking accounts, changing user settings, poisoning cookies, false advertising and creating DoS attacks.
Example :
Metasploitable :
For instance, take a vulnerable website served by a Metasploitable machine. The field highlighted with a red arrow is tested for XSS.
Initially, a simple alert script is created:
CODE/PROGRAM/EXAMPLE
<script>
alert('I am Vulnerable');
</script>
Types of XSS Attacks :
XSS attacks are divided into three types :
Persistent XSS - where the malicious string originates from the website's database.
Reflected XSS - where the malicious string originates from the victim's request.
DOM-based XSS - where the vulnerability is in the client-side code rather than the server-side code.
Cross-site scripting is usually identified by vulnerability scanners, so that testers avoid doing all the manual work of entering JavaScript like the following by hand:
CODE/PROGRAM/EXAMPLE
<script>
alert('XSS')
</script>
The best vulnerability scanners are Burp Suite and Acunetix.
Quick Tip :
Some of the tips to prevent XSS attacks are:
- All the form fields, hidden forms, headers, cookies and query strings need to be checked and validated.
- A stringent security policy needs to be implemented. Set a character limit on the input fields.
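The two tips above as an added example (not code from the original page): each incoming field is checked against an allowlist pattern and a character limit. Going one step beyond the tips, the value is also HTML-encoded on output, because a free-text field has to accept characters such as `<`. The field names, limits and patterns are assumptions.

```javascript
'use strict';

// Assumed per-field rules: a character limit and an allowlist pattern.
const RULES = {
  username: { max: 32, pattern: /^[A-Za-z0-9_.-]+$/ },
  comment: { max: 200, pattern: /^[^\u0000-\u001f]*$/ }, // free text, no control chars
};

// Validate every supplied value, whatever its origin (form field, hidden
// field, header, cookie or query string). Returns a list of error strings.
function validateFields(fields) {
  const errors = [];
  for (const [name, value] of Object.entries(fields)) {
    const rule = RULES[name];
    if (!rule) { errors.push(`${name}: unexpected field`); continue; }
    if (typeof value !== 'string') { errors.push(`${name}: not a string`); continue; }
    if (value.length > rule.max) errors.push(`${name}: longer than ${rule.max}`);
    if (!rule.pattern.test(value)) errors.push(`${name}: disallowed characters`);
  }
  return errors;
}

// Encode the characters that are significant in HTML element content
// and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the value is reflected into the markup unchanged.
function renderUnsafe(comment) {
  return `<p>${comment}</p>`;
}

// Hardened: the value is encoded, so the browser shows it as text.
function renderSafe(comment) {
  return `<p>${escapeHtml(comment)}</p>`;
}

// Constructed sample input, using the test string shown on this page.
const probe = "<script>alert('XSS')</script>";
console.log(validateFields({ username: probe })); // rejected by the allowlist
console.log(validateFields({ comment: probe }));  // passes: free text allows '<'
console.log(renderUnsafe(probe));                 // markup reaches the page as-is
console.log(renderSafe(probe));                   // rendered as inert text
```

The free-text case is the one to note: validation alone accepts the string, so encoding at the point of output is what stops it from running.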