XSS (Cross Site Scripting) - Salem73616C656D/reading-notes GitHub Wiki
## Key Takeaways

### Types of XSS attacks

- reflected XSS: the script comes from the current HTTP request
- stored XSS: the script comes from the website's database
- DOM-based XSS: the vulnerability is in client-side code, not server-side code
### What XSS is used for

- impersonating the victim user
- carrying out actions permitted under the victim's privileges
- reading user-accessible data
- capturing the user's login credentials
- performing virtual defacement of the web site
- injecting trojan functionality into the web site
### How to prevent XSS attacks

- filter input on arrival
- encode data on input
- use appropriate response headers
- content security policy
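As an added example (not code from the wiki or from the notes' source), the following contrasts a reflected-XSS sink with a hardened version that allowlists the incoming value, HTML-encodes it at the point where it is written into the response, and sends a restrictive Content-Security-Policy header. The search page, the `q` parameter and the header values are assumptions for illustration.

```javascript
// Added example: a hypothetical search page that echoes the ?q= parameter into HTML.

// Encode the five characters that let text break out of HTML text/attribute context.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// "Filter input on arrival": accept only what a search term legitimately needs.
// Returns null when the value fails the allowlist so the caller can reject the request.
function validateQuery(value) {
  if (typeof value !== 'string' || value.length > 100) return null;
  return /^[\p{L}\p{N} .,'-]*$/u.test(value) ? value : null;
}

// Vulnerable: the request parameter lands in the page verbatim (reflected XSS).
function renderSearchVulnerable(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Hardened: the parameter is encoded at the moment it is written into the HTML.
// Encoding here (not when the value is stored) keeps the original data intact
// and makes the encoding match the HTML context it is placed into.
function renderSearchSafe(query) {
  return `<p>You searched for: ${encodeHtml(query)}</p>`;
}

// "Appropriate response headers" + CSP: limits what an injected script could do
// if an encoding gap is ever missed. Values are assumed, adjust per application.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Full hardened handler: validate, then encode on output, then add headers.
function handleSearch(rawQuery) {
  const query = validateQuery(rawQuery);
  if (query === null) {
    return { status: 400, headers: securityHeaders(), body: '<p>Invalid search term.</p>' };
  }
  return { status: 200, headers: securityHeaders(), body: renderSearchSafe(query) };
}

// Constructed input (not a real request): the classic shape of a reflected payload.
const CONSTRUCTED_INPUT = '"><script>alert(document.cookie)</script>';
```

Running `renderSearchVulnerable(CONSTRUCTED_INPUT)` shows the raw `<script>` tag in the response body, while `handleSearch(CONSTRUCTED_INPUT)` rejects it at the allowlist and `renderSearchSafe` would neutralise it even if the allowlist were removed.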
## Vocabulary

XSS:

- a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.