Nowadays, with the network expanding quickly, and especially with the growth of Web 2.0, the Internet is no longer anonymous to us. It is a good platform for users to communicate, chat, do business or play games together. For instance, we usually go to Google to search for information, to Amazon or eBay to buy books and many other goods, and to MySpace to communicate with friends. There is therefore no doubt that the Internet is gradually becoming an integral part of our daily life, so providing a beneficial and safe networking environment is necessary. If there is a vulnerability in a well-known website, many of its visitors and customers will be attacked, and the result cannot be imagined. XSS is the most common security vulnerability in software today. This should not be the case, as XSS is easy to find and easy to fix. XSS vulnerabilities can have consequences such as tampering and sensitive data theft.
With the Internet expanding quickly, there are more and more vulnerabilities which threaten billions of customers. Therefore, we must prevent these vulnerabilities from happening in order to provide a safer environment for surfing the Internet.
Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is among the most rampant web application vulnerabilities and occurs when a web application uses unvalidated or unencoded user input within the output it generates. It is also one of the most common application-layer web attacks.
Figure 1: Example of XSS
To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject a malicious script into its server (e.g., via a comment field). Among the most frequent targets are websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards. Every time the infected page is viewed, the malicious script is transmitted to the victim’s browser.
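The stored XSS flow described above, as an added example that is not part of the original article: a comment is saved as submitted and later written into the page, first without output encoding and then with it. All function names and the sample comments are constructed for illustration.

```javascript
// Constructed sample data standing in for comments read back from the site's database.
const sampleComments = [
  { author: "alice", text: "Great post & thanks!" },
  { author: "mallory", text: '<script>alert("xss")</script>' },
];

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: stored input is concatenated into the markup unencoded,
// so any tag in a comment becomes part of the page sent to every viewer.
function renderCommentsUnsafe(list) {
  return list.map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`).join("\n");
}

// Hardened form: every stored value is encoded at output time,
// so the browser displays the comment as text instead of parsing it.
function renderCommentsSafe(list) {
  return list
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("\n");
}

// Regression check: list opening tags in rendered output that the template
// itself never emits. A non-empty result means user input reached the page as markup.
function unexpectedTags(html, allowed = ["li", "b"]) {
  const found = [];
  const tagPattern = /<\s*([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return found;
}

console.log("unsafe render, unexpected tags:", unexpectedTags(renderCommentsUnsafe(sampleComments)));
console.log("safe render, unexpected tags:  ", unexpectedTags(renderCommentsSafe(sampleComments)));
console.log(renderCommentsSafe(sampleComments));
```

This encoding covers HTML element content and quoted attribute values only; values written into script blocks, URLs or CSS need encoding specific to that context.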
Key Concept of Cross Site Scripting
- XSS is a web-based attack performed on vulnerable web applications.
- In XSS attacks, the victim is the user and not the application.
Types of XSS
- Persistent XSS, where the malicious string originates from the website’s database.
- Reflected XSS, where the malicious string originates from the victim’s request.
- DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.
Impact of Cross-Site Scripting
When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread web worms, access the user’s computer, view the user’s browser history or control the browser remotely. After gaining control of the victim’s system, attackers can also analyze and use other intranet applications.
By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:
- Hijack an account.
- Spread web worms.
- Access browser history and clipboard contents.
- Control the browser remotely.
- Scan and exploit intranet appliances and applications.