XSS: The most commonly exploited vulnerability
Cross-site scripting (XSS) is one of the most common and well-known vulnerabilities contained within web applications. It consistently appears in the OWASP list of the Top Web Application Security Risks and was used in 40% of online cyberattacks against large enterprises in Europe and North America in 2019. According to HackerOne, XSS vulnerabilities are the most common vulnerability type discovered in bug bounty programs, despite the fact that most companies undervalue it because it rarely leads to large-scale data breaches.
The root cause of XSS vulnerabilities is when a web application uses untrusted input without performing proper validation first. If a web server embeds user input in a page’s HTML code before sending it to the client, then malicious input could enable the execution of attacker-controlled code within the user’s browser.
This becomes a serious security problem due to the same-origin policy used to control access to data within web pages. Anything coming from the same place has access to the same set of data. This means that an attacker’s script embedded within a legitimate page processing sensitive information (credit card numbers, etc.) will have access to that information as well and is able to send a copy to the script’s operator.
Types of XSS exploits
XSS attacks all take advantage of insecure use of untrusted user (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/TamAT4B3phk/