The basics of Cross-site Scripting (XSS)

A lot can go wrong on the Internet and XSS is without a doubt one of the most common web security issues we see today. Without going too in-depth, there are three kinds of XSS based on vulnerability impact, starting with the worst kind:

1. The persistent XSS – This is when an attacker could inject script code onto your site permanently and every user who views the page where the script is injected will execute it. An example of this kind of XSS is the Samy worm that exploited MySpace with a persistent XSS.
2. The reflected XSS – This is when an attacker could forge a link to inject script code that will execute from your website. This is also the most common type of XSS and is often used by spammers or others with malicious intent. With this an attacker could change the HTML to look like the login page of the vulnerable site, fooling the user to give them their credentials (also known as Phishing).
3. The Self-XSS – This kind of XSS needs user interaction, which means that the attacker must trick the user to execute the script himself. For example, the attacker could make a link displaying “close page”, and when the user clicks it the script will run. This kind of XSS is very similar to the reflected XSS, but the need of user interaction makes it harder for the attacker to get the user to run his script.

What can we do to protect ourselves against attacks like this?

Some of the popular browsers actually have built-in protection against reflected XSS and to some extent, Self-XSS. Other browsers have plugins to help with XSS issues, like NoScript.