Cross-Site Scripting is the injection of malicious scripts into a normally trusted web application. This is possible whenever user input (for example on a website) is not sufficiently validated on either the client side or the server side. These scripts contain malicious code that enables the hacker to perform a variety of attacks.
Cross-Site Scripting attacks are very common in web applications and APIs.
The Crashtest Security Suite is a UX-optimized user interface to operate our powerful in-depth scanner engine. This allows the easy setup, operation, and remediation of vulnerability scanning. During our 14-day free trial, you can experience the rapid project setup (less than 2 minutes), the scan depth and speed, as well as the built-in wiki with advice for fixing cross-site scripting vulnerabilities.
We will scan for:
Through a stored XSS attack, the hacker can inject the malicious script persistently into a web application.
That script can be submitted via an input field on the web application and reaches the web server, which stores it in its database. From then on, all other users retrieve this script when they access the affected information, and their session cookies might therefore become accessible to the attacker.
A reflected XSS vulnerability shows the malicious input directly to the user of the web application.
For example, a search form might reflect the unvalidated input when it shows what the search key was. An attacker could use this to create a URL containing a malicious script and spread it. Users who open the link reach a web application where the malicious script is run in the user’s web browser.
A DOM-Based Cross-Site Scripting attack can even be executed if the backend is totally secure. In order to do this, attackers use flaws in the JavaScript which is executed in the web browser.
DOM stands for Document Object Model and is an interface to web pages. It is essentially an API to the page, allowing programs to read and manipulate the page’s content, structure, and styles.
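The reflected and stored cases described above both come down to user input reaching HTML output unencoded. The following is an added example, not part of the original page or of the Crashtest Security product: a search page rendered without and with output encoding, plus stored comments encoded at render time. All function names and sample data are constructed for illustration.

```javascript
// Added example: output encoding for the reflected and stored XSS cases.
// Function names and sample inputs are constructed for this illustration.

// The five characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so already-emitted entities are not double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected case, vulnerable: the search key is concatenated into markup as-is.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Reflected case, hardened: the search key is encoded before it is reflected.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored case, hardened: values read back from the database are encoded every
// time they are rendered, in both the attribute and the element body.
function renderCommentsSafe(comments) {
  const items = comments.map(
    (c) => `<li title="${escapeHtml(c.author)}">${escapeHtml(c.body)}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// Crude check used only by this demo: does the markup contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs.
const sampleQuery = '<script>alert(1)</script>';
const storedComments = [
  { author: 'alice', body: 'Nice article & thanks' },
  { author: 'x" onmouseover="alert(1)', body: '<script>alert(1)</script>' },
];

console.log('unsafe search :', renderSearchUnsafe(sampleQuery));
console.log('safe search   :', renderSearchSafe(sampleQuery));
console.log('safe comments :', renderCommentsSafe(storedComments));
```

Encoding at output time protects every reader of stored data, including records that were saved before any input validation was in place.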