Cross-Site Scripting (XSS) attacks are described as one of the most rampant yet easily fixable injection attacks faced by e-commerce businesses and a variety of other web applications.
An XSS attack is of 3 types:
- DOM Based Attack: Caused by malicious injection of code on the client side. The injected code can be JavaScript, Flash, Visual Basic etc.
- Persistent XSS Attack: Caused when the payload is stored on the server side and gets retrieved when a user requests a page.
- Non-Persistent XSS Attack: Caused when payload is reflected back to the user by opening a link to a vulnerable website with a crafted input.
Precautions to Mitigate XSS Attacks
- Input Validation: To prevent XSS, white-list most input to alphanumeric or, in some cases, special characters. This will reduce the attack surface and minimize the potential for bugs.
- Use of secure DOM elements: Often, unsafe handling of DOM (Document Object Model) elements leads to XSS attacks, even in rich client UIs. For example, assigning user input to the innerHTML property makes the browser parse it as HTML, so JavaScript event handlers contained in the input can run. In this case, the safe alternative is to use textContent or innerText.
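The two precautions above can be combined as in the following added example, which is not code from the original page. The function names, the username rule and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the original page). All names are hypothetical.

// Escape characters that are special inside a regex character class, so an
// extra character such as "-" cannot silently turn "+-/" into a range.
function escapeForClass(chars) {
  return chars.replace(/[\\\]\[^-]/g, "\\$&");
}

// Build a white-list validator: ASCII letters and digits plus any
// explicitly permitted special characters, with a length cap.
function makeAllowList(extraChars = "", maxLength = 64) {
  const pattern = new RegExp("^[A-Za-z0-9" + escapeForClass(extraChars) + "]+$");
  return function isAllowed(value) {
    // Query-string parsers can hand back arrays or objects; accept strings only.
    if (typeof value !== "string") return false;
    if (value.length === 0 || value.length > maxLength) return false;
    return pattern.test(value);
  };
}

// Safe sink: textContent stores the value as a text node, so any markup in
// it is displayed literally instead of being parsed as HTML (unlike innerHTML).
function showUserText(element, value) {
  element.textContent = value;
  return element;
}

// Validate first, then write through the safe sink. Returns false and
// leaves the element untouched when validation fails.
function renderField(element, value, isAllowed) {
  if (!isAllowed(value)) return false;
  showUserText(element, value);
  return true;
}

// Constructed sample inputs for a username field.
const isUsername = makeAllowList("_.-", 32);
const SAMPLES = ["alice_01", "bob.smith-2", "<img src=x onerror=alert(1)>", "", ["alice"]];

function classifySamples() {
  return SAMPLES.map((s) => isUsername(s));
}

// In a browser: renderField(document.getElementById("greeting"), input, isUsername);
```

Validation narrows what is accepted, while the textContent sink keeps anything that does get through from being interpreted as markup, so the two are used together rather than as alternatives.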
More detailed steps can be found here.