What is it:
- Cross-site scripting is a potential threat to most Web servers and browsers.
- It is not a product-specific attack.
- Servers that generate dynamic HTML pages from browser input data can be manipulated by attackers into serving malicious code.
- Servers that serve only static pages are immune to this type of attack because they have full control over how their Web pages will be interpreted.
- Attackers do not modify the content of the Website itself; they insert new script that the browser executes, so the malicious code can run without the server or the end user realizing that anything has changed.
Cross-site scripting (XSS):
- XSS exploits the trust a user has for a website.
- It allows attackers to inject client-side scripts into Website pages viewed by other users.
- When a user clicks the link, the embedded script is submitted as part of the client's Web request and can execute on the user's computer, typically allowing the attacker to steal information.
- The injected malicious scripts are stored in web pages and then served to other users over a period of time.
- The malicious scripts gain access to the page content and misuse it.
- For example, someone enters malicious JavaScript such as "<script>alert('You have lost your data.');</script>" in an input box of a webpage; when other users access that page, the malicious JavaScript also executes for them, which can be devastating. This is how XSS exploits the trust a user has for a particular site.
Cross-Site Request Forgery (CSRF):
- It exploits the trust a website has in a user's browser.
- A single request can make a website perform an action, but most often the website would not let that request through on its own because it carries no credentials.
- So a hacker can send you a mail saying you won a prize and telling you to click the link in the mail to claim it. Once you click, if you have a persistent authentication cookie from the site the hacker wants to manipulate, the hacker hooks onto it, uses your credentials and sends an HTTP request to that site. This works because of the way browsers work: whenever you send a request to a specific domain, the cookies associated with that domain are also sent along.
How to prevent these:
- Before inserting user data into HTML element content, escape it as HTML content.
- Before inserting user data into HTML attributes, escape the attribute values.
- Before inserting user data into JavaScript code, escape it as a JavaScript string.
- Before inserting user data into HTML style property values, escape and validate the CSS.
- Before inserting user data into a URL parameter, URL-escape it.
- Prevent DOM-based XSS.
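Added example, not part of the original notes: a small Python module showing the context-specific escaping the prevention list describes (element content, attribute value, JavaScript string, URL parameter; the CSS case is left out), applied to the alert payload quoted above. The render_comment page fragment and its markup are hypothetical.

```python
import html
import json
from urllib.parse import quote

# Constructed sample input: the payload quoted in the notes above.
PAYLOAD = "<script>alert('You have lost your data.');</script>"


def escape_html_content(s: str) -> str:
    """Context 1: HTML element content. Entity-encode & < > " ' so the
    browser treats the data as text, never as markup."""
    return html.escape(s, quote=True)


def escape_html_attribute(s: str) -> str:
    """Context 2: quoted HTML attribute value. Encode every non-alphanumeric
    character as &#xHH; so the data cannot close the attribute or the tag."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):X};" for c in s)


def escape_js_string(s: str) -> str:
    """Context 3: inside a JavaScript string literal. json.dumps handles
    quotes, backslashes and control characters; & < > / ' are additionally
    \\u-encoded so the data cannot terminate the <script> block."""
    body = json.dumps(s)[1:-1]  # strip the surrounding double quotes
    for ch in "&<>/'":
        body = body.replace(ch, f"\\u{ord(ch):04X}")
    return body


def escape_url_param(s: str) -> str:
    """Context 4: a URL query parameter. Percent-encode everything that is
    not an unreserved character (safe="" also encodes '/')."""
    return quote(s, safe="")


def render_comment(user_text: str) -> str:
    """Hypothetical page fragment placing the same user input into all four
    contexts, each with the escaping that context needs."""
    return (
        f'<p title="{escape_html_attribute(user_text)}">'
        f"{escape_html_content(user_text)}</p>\n"
        f'<a href="/search?q={escape_url_param(user_text)}">search</a>\n'
        f"<script>var t = '{escape_js_string(user_text)}';</script>"
    )


if __name__ == "__main__":
    print(render_comment(PAYLOAD))
```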