There are different types of cross-site scripting attacks, which are introduced in the following sections.
Stored Cross-Site Scripting (Persistent)
A stored cross-site scripting vulnerability allows an attacker to inject a malicious script persistently in a web application. For example the script might have been submitted via an input field to the web server, which did not perform a sufficient validation and stores the script persistently in the database. The consequence of this might be, that this script is now being delivered to all users visiting the web application and e.g. able to gain access to the session cookies of the user.
Reflected Cross-Site Scripting (Non-Persistent)
A reflected cross-site scripting vulnerability appears if unvalidated input is directly displayed to the user. For example the input of a search form is reflected on the page to show what the search key was. An attacker may craft an URL that contains malicious code and spread the URL via e-mail or social media. A user who clicks on this link opens the (valid) web application, which then runs the malicious code in the user's browser.
DOM-Based Cross-Site Scripting
To prevent XSS attacks treat all user input as potentially malicious and follow some programming guidelines:
Avoid Untrusted Input
Filter User Input
In cases where any untrusted input is shown as normal text inside a HTML tag, filter out the characters which allow an attacker to insert a <script> tag in the page. Use the following functions for that:
In cases where user input needs to be inserted into tag attributes or inside a script, you will need to use stronger escape mechanisms. Refer to the XSS Prevention Cheat Sheet for more information. This is the case if you plan to allow user input in cases such as:
You are facing an issue that is not covered in our guides, we are happy to include solutions here. Please send us an e-mail to firstname.lastname@example.org.
Crashtest Security is a Munich, Germany based start-up that redefines web application vulnerability scans. The Crashtest Security Suite is differentiating itself as a fully automated vulnerability scanner enhanced with artificial intelligence developed for the needs of the agile developer or SecDevOps. Clear vulnerability insights are provided as well as contextual actionable insights for risk mitigation.