It is also called as XSS or CSS. In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed.
Working
Web sites and web applications being dynamic, aggregate data from many different sources into the web page given to the user. This aggregated web page have simple text, or images, HTML tags and <script> for scripts. Usually the hacker utilizes the ‘comments’ feature of a web page to insert a comment which contains a script. Every user who views that comment will download the script which will execute on their browser, causing undesirable behavior. Something a Facebook post on a user’s wall having such malicious script, if not filtered by the Facebook servers will be injected into all other linked user’s Wall and execute on their browser if they visits that Facebook profile.
Prevention
Various measures to be used to prevent cross-site scripting attack includes
- Filtering all user-given input for XSS – All XSS attacks infect your web site via some form of User input usually the <FORM> submitted by users.
- Sanitize HTML Markup with a Library like OWASP AntiSamy
- Use HTTPOnly cookie flag – It mitigates the impact of an XSS flaw on web site
- Implement Content Security Policy – It’s a browser side mechanism which allows creating source whitelists for client side resources of web site.
- Apply URL Escape, CSS Escape and JavaScript Escape before inserting untrusted data into HTML
