XSS

XSS (cross-site scripting) is a type of vulnerability typical of web applications that allows third parties to inject JavaScript code, or code in a similar language (e.g. VBScript), into web pages visited by a user, bypassing control measures such as the Same Origin Policy.

It is possible to find a Cross-Site Scripting vulnerability in applications that, among their functions, include presenting information in a web browser or other web page container. However, it is not limited to websites available on the Internet, as it can also affect local applications vulnerable to XSS, or even the browser itself.

XSS is an attack vector that can be used to steal sensitive information, hijack user sessions and compromise the browser, affecting the integrity of the system. XSS vulnerabilities have existed since the early days of the Web.

This situation is usually caused by incorrect validation of the input data used in certain applications, or by not properly sanitizing the output before it is presented on the web page. This vulnerability can manifest itself in the following ways:

  • Reflected: This type of XSS occurs when values that the web application uses to pass variables between two pages, without using sessions, are modified. It usually happens when a message or path is included in the browser URL.
  • Stored: This type of XSS is commonly caused by poor filtering, and consists of inserting dangerous HTML code into sites that allow it, including tags such as <script> or <iframe>.
  • DOM-based: This is a special case where JavaScript code is hidden in the URL and extracted by JavaScript on the page while it is being processed, rather than being inserted into the page when it is published. This can make it stealthier than other types of attacks, and it may not be detected by a WAF or other protections that only analyze the body of the page.
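
The reflected case and the output-cleaning point above, shown as an added example that is not part of the original page: a message taken from the URL is rendered once without encoding and once with HTML encoding. The function names, the `message` parameter and the sample URL are assumptions constructed for illustration.

```javascript
// Added example: all names and the sample request below are constructed.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the (hypothetical) "message" query parameter from a request URL.
function readMessage(requestUrl) {
  return new URL(requestUrl).searchParams.get('message') ?? '';
}

// Vulnerable: the URL value is copied into the page as-is, so any markup
// it contains becomes part of the document.
function renderUnsafe(requestUrl) {
  return `<p class="notice">${readMessage(requestUrl)}</p>`;
}

// Hardened: the same template, with the value encoded for HTML text context,
// so the browser displays it as text instead of parsing it as markup.
function renderSafe(requestUrl) {
  return `<p class="notice">${escapeHtml(readMessage(requestUrl))}</p>`;
}

// Check used to compare the two outputs: did a tag the template never
// defined (the page names <script> and <iframe>) reach the rendered HTML?
function containsInjectedTag(html) {
  return /<(script|iframe)\b/i.test(html);
}

// Constructed sample requests: one carrying markup, one benign.
const markupUrl = 'https://app.example/search?message=' +
  encodeURIComponent('<script>/*injected*/</script>');
const benignUrl = 'https://app.example/search?message=' +
  encodeURIComponent('Saved & done');

console.log(renderUnsafe(markupUrl), containsInjectedTag(renderUnsafe(markupUrl)));
console.log(renderSafe(markupUrl), containsInjectedTag(renderSafe(markupUrl)));
console.log(renderSafe(benignUrl));
```

For the DOM-based case the same rule applies inside the browser: assign URL-derived values with `textContent` rather than `innerHTML`.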