Injection can take several forms: script, HTML code, and so on. Some injections insert a backdoor, a script trap, or a diversion, and all of them are made for some purpose. Hardening websites has therefore become important.
XSS, or cross-site scripting, is an attack in which an attacker injects code by entering HTML or other client-side script code into a site. The attack appears to come from the site itself. As a result, an attacker can, among other things, bypass client-side security, obtain sensitive information, or store malicious applications.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
According to a Positive Technologies report, many websites have vulnerabilities that can make them victims of SQL injection, XSS, and cookie hijacking.
The abbreviation is XSS rather than CSS because CSS already stands for Cascading Style Sheets.
There are two types of XSS, and one of them has a special characteristic.
Reflected or nonpersistent XSS
Reflected XSS is the most common type of XSS and the easiest for attackers to carry out. The attacker uses social engineering to get the user to click a link containing the malicious code. In this way the attacker can obtain the user’s cookie, which can be used later to hijack the user’s session.
Stored or persistent XSS
Stored XSS is less common, but the impact of the attacks is greater. A stored XSS attack can affect all users. Stored XSS occurs when a user is allowed to enter data that will be displayed again, for example on message boards, guest books, etc. Attackers enter HTML code or client-side script code in their posts.
This attack is more frightening. The defense mechanism is the same as for reflected XSS: if a user is allowed to enter data, validate it before saving it in the application.
The defense against this attack is to validate input before displaying any user-generated data. Do not trust any data sent by the user.
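The two defenses described above (validate before saving, treat user data as untrusted before displaying), as an added example that is not part of the original article. The guest book, function names, limits, and sample posts are assumptions made for illustration, and HTML-encoding is the technique used here to make user data safe to display.

```javascript
// Added example: a guest book that validates posts before saving and
// HTML-encodes them before display. All names and limits are hypothetical.

const MAX_MESSAGE = 500;

// Validation before saving: allowlist for the name, length limit for the message.
function validateEntry(entry) {
  const errors = [];
  if (typeof entry.name !== "string" || !/^[\p{L}\p{N} .'-]{1,40}$/u.test(entry.name)) {
    errors.push("name");
  }
  if (typeof entry.message !== "string" || entry.message.length === 0 ||
      entry.message.length > MAX_MESSAGE) {
    errors.push("message");
  }
  return errors;
}

// Encoding before display: characters significant in HTML text and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user data is concatenated into the markup as-is.
function renderEntryUnsafe(entry) {
  return `<li><b>${entry.name}</b>: ${entry.message}</li>`;
}

// Hardened rendering: every user-controlled value is encoded on output.
function renderEntrySafe(entry) {
  return `<li><b>${escapeHtml(entry.name)}</b>: ${escapeHtml(entry.message)}</li>`;
}

// Constructed sample posts, as they might arrive from a guest book form.
const samplePosts = [
  { name: "Alice", message: "Nice site & great photos!" },
  { name: "Bob", message: "<script>alert(1)</script>" },
  { name: "<img src=x onerror=alert(1)>", message: "hello" },
];

// Only posts that pass validation are saved; saved posts are still encoded,
// because a free-text message can pass validation and still contain markup.
function buildGuestBook(posts) {
  const saved = posts.filter((p) => validateEntry(p).length === 0);
  return saved.map(renderEntrySafe).join("\n");
}

console.log(buildGuestBook(samplePosts));
```

Bob's post passes validation because a free-text message cannot be restricted to an allowlist, which is why the encoding step on display is still needed.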
How to prevent XSS
Add security header protection
If your web server is Apache, you can add this simple directive to the Apache settings or to .htaccess:
Header set X-XSS-Protection "1; mode=block"
Or you can add it to the Apache configuration:
- Go to the $Web_Server/conf directory
- Open httpd.conf using vi and add the Header directive shown above
- After the directive is added, restart Apache
Or you can add this to the response headers of your site:
X-XSS-Protection: 1; mode=block
In the nginx web server configuration, insert this directive inside the http block:
add_header X-XSS-Protection "1; mode=block";
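This header instructs browsers to activate the browser-side cross-site scripting filter. Current versions of Chrome, Edge, and Firefox do not implement this filter, so the header is an extra layer for older browsers and does not replace the validation described above.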