It’s all about cross-site scripting
We have a separate article about the different types of cross-site scripting, but to recap, there are 3 main types:
- Reflected XSS: Malicious script code entered by the attacker (for instance, as a search query) is accepted by the server. The code is then inserted into the HTML on the relevant page and served back to the browser, where it is executed.
- Stored XSS: The server accepts user input that includes malicious code and stores it. For example, the attacker could put code in a user profile description that gets stored in a forum database. When another user later loads that profile page, the malicious script is executed.
- DOM-based XSS: Attacker-controlled inputs processed entirely in the user’s browser are used to modify the current page and insert malicious code using Document Object Model (DOM) manipulation. Because everything happens on the client side, there is no malicious code in either the original HTML page or the server response.
Detecting cross-site scripting vulnerabilities
Invicti comes with a wide array of security checks to reliably find many types of cross-site scripting vulnerabilities, including DOM-based attacks. It also has a Technologies feature to identify components with known vulnerabilities. The Invicti scanner incorporates over a decade of continuous research and development by top security professionals and is regularly updated to include the latest attack techniques.
The risk of XSS exists whenever your application handles user input. As with so many vulnerabilities, proper input validation combined with context-sensitive data encoding is always the best starting point for limiting an attacker’s options. Note that input filtering alone is not enough to prevent XSS and should only be used as part of a defense-in-depth strategy.
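As an added illustration of context-sensitive encoding (not code from Invicti or the original article), the following JavaScript encodes the same untrusted value differently for HTML content, an attribute, a URL parameter and an inline script string, and shows what a tag-stripping filter leaves behind. All function names and the sample input are constructed for this example.

```javascript
// Added example: one encoder per output context (all names are illustrative).

// HTML element content and quoted attribute values.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Quoted JavaScript string literal inside an inline <script> block: every
// UTF-16 code unit outside a small allowlist becomes \uXXXX, so the value
// cannot close the string or the enclosing script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Query-string parameter value; the finished URL still needs encodeHtml
// when it is written into an href attribute.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Blocklist filter of the kind that is not sufficient on its own.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, "");
}

// Renders one untrusted value into four places, each with its own encoding.
function renderSearchPage(query) {
  const link = encodeHtml("/search?q=" + encodeUrlParam(query));
  return [
    "<p>Results for: " + encodeHtml(query) + "</p>",
    '<input name="q" value="' + encodeHtml(query) + '">',
    '<a href="' + link + '">Permalink</a>',
    '<script>var lastQuery = "' + encodeJsString(query) + '";</script>',
  ].join("\n");
}

// Constructed sample input containing a quote, brackets and a script element.
const sample = '"><script>alert(1)</script>';
console.log(renderSearchPage(sample));
// The filter removes the tags but leaves the attribute-breaking quote and bracket.
console.log(stripScriptTags(sample));
```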