Cross-Site Scripting, usually abbreviated as XSS, is a type of security vulnerability that normally occurs in web applications. In case you’re wondering, we don’t use the abbreviation CSS because that one is already taken by Cascading Style Sheets, which we use when designing our web pages.
XSS was originally called cross-site because of web browser security flaws: using XSS, you could transfer information from one site to another if you had both sites’ windows open in your browser.
In this article, I will walk you through the details of XSS and how you can prevent PHP XSS attacks on your web app.
Nowadays, given how rampant past XSS vulnerabilities were, browsers take security into account and don’t generally allow information to jump from one browser window to another. It is also important to have complete awareness and knowledge of XSS attack examples in your PHP applications, so that you can set up prevention measures in time.
Practices to Prevent XSS in PHP Web Apps
Types of XSS Vulnerabilities
There are 3 main types of XSS attacks.
- Stored XSS
- Reflected XSS
- DOM-based XSS (Document Object Model)
Stored Cross-Site Scripting [XSS] is a very dangerous form of Cross-Site Scripting. Web applications that allow users to store data in the database are potentially exposed to this type of attack.
Stored XSS happens when an attacker injects malicious code into a website and that code is saved to the database. Later on, when a web user accesses the page, they unknowingly retrieve the stored code and the script runs in their browser.
Whenever a client sends an HTTP request to the server, the server’s HTTP response carries the malicious code, because that code is saved in the database, and it harms the client. The severity of this kind of attack is very high.
Take the example of any search engine (Google, Bing). You’re able to input a query and search for any information, but what would happen if you could add scripts in the input field and the script would perform any function? Maybe it takes the user’s credentials, or their cookie information. If you obtain the same cookies as another user, you can access all their data in your browser, because a search was run through a malicious search box.
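As an added example that is not from the original article, here is a PHP comment-display routine in its vulnerable form beside the hardened one: the "database rows" are constructed in-line so the script runs stand-alone, and the helper name `e()` is my own choice, not a PHP built-in.

```php
<?php
// Added example (not from the original article): rendering stored user
// content. The rows below are constructed to stand in for a comments table;
// the second one carries a script tag, as a stored XSS payload would.
$rows = [
    ['author' => 'alice',   'body' => 'Great article!'],
    ['author' => 'mallory', 'body' => '<script>alert(document.cookie)</script>'],
];

// VULNERABLE: the stored body is echoed straight into the HTML, so the
// browser of every later visitor executes whatever was saved.
function render_comments_vulnerable(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= "  <li><b>{$row['author']}</b>: {$row['body']}</li>\n";
    }
    return $html . "</ul>\n";
}

// HARDENED: encode at the point of output for the HTML context.
// ENT_QUOTES also encodes single and double quotes, so the same helper is
// safe inside quoted attribute values; the charset must match the page's.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_comments_safe(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= "  <li><b>" . e($row['author']) . "</b>: " . e($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

echo "--- vulnerable output (script tag reaches the browser) ---\n";
echo render_comments_vulnerable($rows);
echo "--- hardened output (script tag rendered as plain text) ---\n";
echo render_comments_safe($rows);
```

Output encoding is context-specific: this helper covers HTML text and quoted attribute values, while data placed inside a JavaScript block or a URL needs the encoder for that context.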
DOM-Based XSS
DOM stands for Document Object Model. In this
This article was written by Shahzeb Ahmed and originally published on The Official Cloudways Blog.