Cross site scripting

From Citizendium
Jump to navigation Jump to search
This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see Category:Articles for deletion.


Cross site scripting (XSS) is a programming flaw that allows attackers to inject arbitrary script into a web site. There are two main types of cross site scripting - stored and reflected. DOM based cross site scripting is a third type of cross site scripting.

Stored Cross Site Scripting

Stored cross site scripting involves a persistent script that an attacker can inject into a web application that is served to other requesters of a web page. A typical example of a stored XSS occurs when a malicious script is stored in a database that is used to compose page content for site visitors. This results in every site visitor requesting pages composed of database data containing malicious script.

Reflected Cross Site Scripting

Reflected cross site scripting is a vulnerability that results when malicious scripts in request parameters are used to compose page responses in web applications. Reflected XSS does not persist, but is still useful for attackers who can obfuscate parameters and perform trust exploitation attacks.

Dangers

Cross site scripting flaws can be used to expose and steal cookies from victim's browsers. This could lead to credential exposure or account hijacking. Additionally, XSS flaws might allow an attacker to utilize same domain origin to carry out complex cross site request forgery (XSRF). This vector might even allow attackers to bypass XSRF protections.

References
Retrieved from "https://citizendium.org/wiki/index.php?title=Cross_site_scripting&oldid=952095"