Cross-Site Scripting (abbreviated as XSS) is the most common application-level attack technique, in which malicious scripts are injected into web pages. An XSS attack can occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. The code is usually written in JavaScript but may also extend to ActiveX, VBScript, Java or any other browser-supported technology.
Unlike most attacks, which involve two parties – the attacker, and the web site (or victim client), the XSS attack involves three parties – the attacker, a client and the web site/application. The goal of the XSS attack is to steal the client cookies, or any other sensitive information, which can identify the client with the web site/application. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site – specifically, impersonate the user.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Cross Site Scripting is one of the most common and dangerous application level attacks that attackers use to sneak into web applications today. It is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated without the knowledge of either the client or the organization being attacked.
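The condition described in the opening paragraph, user input placed in generated output without encoding, is shown here next to its encoded form. This is an added example, not code from the original page; `escapeHtml`, `renderSearch`, `hasInjectedMarkup` and the sample inputs are constructed for illustration.

```javascript
// Added example: reflecting user input with and without HTML output encoding.
// All names and sample values are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value. Single pass, so nothing is double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A search page that echoes the query in two HTML contexts:
// a quoted attribute value and a text node.
// encode=false is the vulnerable form; encode=true is the hardened form.
function renderSearch(query, encode) {
  const q = encode ? escapeHtml(query) : query;
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Crude check for this demo only: did the input become live markup
// (a script tag or a quoted event-handler attribute)?
function hasInjectedMarkup(html) {
  return /<script\b|\son\w+\s*=\s*"/i.test(html);
}

// Constructed sample inputs: one per context the template uses.
const sampleInputs = [
  "<script>alert(1)</script>", // breaks out of the text node
  '" onmouseover="alert(1)',   // breaks out of the attribute value
];

for (const input of sampleInputs) {
  console.log("unencoded:", renderSearch(input, false));
  console.log("  live markup:", hasInjectedMarkup(renderSearch(input, false)));
  console.log("encoded:  ", renderSearch(input, true));
  console.log("  live markup:", hasInjectedMarkup(renderSearch(input, true)));
}
```

HTML entity encoding of this kind covers text nodes and quoted attribute values only; input placed inside a script block, a URL or a style needs the encoding that matches that context.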