1. What is XSS?
- XSS (Cross-Site Scripting) is a type of security vulnerability that lets an attacker inject malicious script into webpages viewed by other users.
- Occurs when a web application does not properly validate user input.
2. Types of XSS vulnerabilities
1) Stored XSS
- The malicious script is permanently stored on the target server (e.g., in a database or comment field).
- When a user accesses the compromised page, the script executes in their browser.
2) Reflected XSS
- The malicious script is part of a URL or HTTP request sent to the server and immediately "reflected" back to the user.
- Victims typically need to click on a specially crafted link to trigger the attack.
3) DOM-based XSS
- The malicious script is executed directly in the browser, manipulating the DOM (Document Object Model) without involving the server.
- DOM: represents the structure of a webpage as a tree, allowing scripts (e.g., JavaScript) to dynamically access and manipulate the content, structure, and style of the webpage (e.g., document.location, document.referrer, or window.name).
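
Added example (not part of the original notes): the stored and reflected cases above, each shown as a vulnerable renderer next to a hardened one that HTML-encodes untrusted text before it reaches the page. The function names, the sample comments and the example.test URL are constructed for illustration.

```javascript
// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value. Single pass, so no double-encoding.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stored case: comments saved earlier (stand-in for a database table).
const storedComments = [
  { author: 'alice', body: 'Nice post!' },
  { author: 'mallory', body: '<script>alert(1)</script>' }, // constructed test input
];

// Vulnerable: stored text is concatenated into markup as-is, so every
// visitor's browser parses the second comment as a script element.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}

// Hardened: every untrusted field is encoded at the point of output.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Reflected case: a query parameter is echoed back in the response.
function renderSearchUnsafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`; // vulnerable: raw reflection
}

function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Constructed request URL carrying the same test input in the q parameter.
const sampleUrl =
  'https://example.test/search?q=' + encodeURIComponent('<script>alert(1)</script>');

// DOM-based case (browser only, not run here): assign untrusted values such
// as document.referrer with element.textContent instead of innerHTML.
```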