What is XSS?

XSS, or Cross-Site Scripting is a vulnerability that allows attackers to inject malicous scripts into web pages that are viewed by other users. These attacks occur when an attacker sends malicous code in the form of a browser script to another user, through a web application. The flaws that enable these atttacks are generally widespread and can occur anywhere a users input is used to generate output which is not properly validated or encoded [1].

There are three main types of XSS attacks, click on one to learn more:

• Reflected
• Stored
• DOM-based

What are the impacts?

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page [2].