XSS (Cross Site Scripting) for Dummies

Cross-site scripting (XSS) is a code injection attack carried out on the client side, in which attackers execute malicious scripts (commonly known as the malicious payload). XSS is one of the most common web app vulnerabilities and occurs when a web application uses unvalidated user input within the output it generates.

An XSS attacker does not target a specific user. Instead, the attacker exploits a vulnerability within a legitimate website or web app. That app then acts as a vehicle to deliver the malicious payload into users' browsers.

XSS can be carried out through several client-side technologies, including VBScript and Flash, but the most exploited is JavaScript, simply because JavaScript is a basic element of many website-viewing activities. We also exploited this weakness in the first stage of our Final Project. The process we took was very simple: just write a script tag in the comments section. So that's what we did and we wrote <script>alert("do you like what you see");</script>. If the injection succeeds, the browser runs the script and displays an alert box containing that message.

The script we used was very benign, as it just prompts the browser to display an alert. But because scripts can do so much inside a browser, the same technique can be used to deliver far more dangerous attacks.
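The comment-field case described above, shown from the defender's side as an added example (not code from the original post or from the Final Project): the same comment rendered by a template that pastes input into the page as markup, and by one that encodes it for the HTML context first. The function names and the markup of the comment list are assumptions made for illustration.

```javascript
// Added example: rendering a user comment with and without output encoding.
// escapeHtml, renderCommentUnsafe and renderCommentSafe are hypothetical names.

// Characters that let text break out of an HTML text node or a quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated into the page as markup,
// so a <script> element in the comment becomes part of the document.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened: every user-controlled value is encoded before it reaches the page,
// so the browser displays the comment as text instead of parsing it as HTML.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample input: the comment quoted in the article.
const sampleComment = '<script>alert("do you like what you see");</script>';

function demo() {
  return {
    unsafe: renderCommentUnsafe("guest", sampleComment),
    safe: renderCommentSafe("guest", sampleComment),
  };
}

const rendered = demo();
console.log("unsafe:", rendered.unsafe);
console.log("safe:  ", rendered.safe);
```

Encoding has to match the place the value lands: this helper covers HTML text and quoted attribute values, not values written into script blocks, URLs or CSS.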

Source: acunetix.com

Written by Adrian Alexander and Charottama Oshmar