
What Is Cross-Site Scripting?

Mel Hawthorne, November 9, 2020

One of the most common classes of vulnerability in websites is called “Cross-Site Scripting” or “XSS”. An XSS vulnerability is one where a user is able to cause JavaScript of their choosing to be executed in other users' browsers. There are a number of different variants of XSS vulnerability, with varying degrees of severity.

The problem with an attacker being able to execute JavaScript in the sessions of other users is that the attacker can then do anything on the website that the victim's own browser is allowed to do. This includes redirecting victims to external websites, stealing authentication tokens, and monitoring payment details.

The most severe form of XSS vulnerability is “Stored” or “Persistent” Cross-Site Scripting. This is where an attacker can craft an XSS payload and submit it so that it is saved in the database. With an XSS exploit saved in the database, it can then affect every user who views the affected page over a broad time period.

Another form of Cross-Site Scripting is “Reflected”. This type isn’t saved at any point; instead, the payload is sent in the request (typically in a URL) and reflected straight back into the page the browser renders. Typically, this type of XSS is part of phishing attacks, where an attacker attempts to trick a victim into clicking a malicious link.

Generally, most XSS attacks have the payload sent to the server at some point, but some attacks are purely client-side: the payload is never sent to the server and instead only affects client-side JavaScript. This is called DOM-based XSS, as it stays in the JavaScript Document Object Model, or DOM. This type of vulnerability is particularly hard to identify and resolve because the exploits are never seen by the server and so cannot be logged there.

Historically, the prevention technique against XSS vulnerabilities was to filter all user-submitted data, using block-lists to reject any messages containing characters or words that are meaningful in JavaScript. This tended to lead to an arms race of finding bypasses for the filter, while also rejecting some legitimate user submissions. The correct solution is to use HTML entities to encode user-submitted data when it is output into the page. With HTML entity encoding enabled, markup characters are automatically converted into a form that the browser knows to display as the correct symbols but not to treat as code.
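As an added example (not from the article), the following Python shows a minimal HTML entity encoder of the kind the paragraph above recommends, beside the block-list filter it replaces. The comment text and the block-list keywords are constructed samples; the false-positive check shows why the block-list approach rejects legitimate submissions while encoding keeps them intact and inert.

```python
import html
import re

# Characters with meaning in HTML markup and the entities that neutralise them.
# Each character is mapped on its own, so existing entities in the input are
# encoded too ("&lt;" becomes "&amp;lt;") and display literally, as intended.
_HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(value: str) -> str:
    """Entity-encode every markup-significant character in user-supplied text."""
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in value)


# The historical approach the article describes: a block-list of JavaScript
# words. Constructed for illustration; real block-lists were far longer.
_BLOCK_LIST = re.compile(r"script|onerror|javascript:", re.IGNORECASE)


def blocklist_accepts(comment: str) -> bool:
    """Return True if the block-list filter would let the comment through."""
    return _BLOCK_LIST.search(comment) is None


def render_comment(author: str, body: str) -> str:
    """Build a comment fragment with every user-controlled value encoded on output.

    Encoding covers both contexts used here: element content and a quoted
    attribute value, where a stray quote could otherwise break out.
    """
    return (
        f'<div class="comment" data-author="{encode_for_html(author)}">'
        f"{encode_for_html(body)}</div>"
    )


def is_inert(fragment: str, stored_body: str) -> bool:
    """Check that only the template's own two tags exist and that a browser
    would decode the body back to exactly what the user typed."""
    body = fragment.split('">', 1)[1][: -len("</div>")]
    return fragment.count("<") == 2 and html.unescape(body) == stored_body
```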

Categories: Internet


Last Updated on November 9, 2020 by Mitch Bartlett