Cross-Site Scripting (EN)

Concept

Security vulnerability that enables embedding malicious script code into webpages

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious script code into trusted webpages, which then execute in the victim's browser. These attacks can lead to session hijacking, cookie theft, or phishing attacks. XSS attacks are typically enabled by insufficient validation and sanitization of user inputs, which are then output in dynamically generated webpages without adequate encoding. The most effective prevention includes validating and sanitizing all user inputs server-side and implementing CSP headers (Content Security Policy) to prevent the execution of unauthorized scripts.

XSS Attack Vectors

flowchart TD     A[Attacker] -->|Embed malicious code| B[Webpage]     B -->|Unfiltered output| C[Victim browser]     C -->|Script execution| D[Malicious effect]     D --> E[Session hijacking]     D --> F[Cookie theft]     D --> G[Phishing]

Prevention

Server-side input validation
Output encoding (HTML, JavaScript, URL)
Implement Content Security Policy (CSP)
Set HttpOnly flag for cookies
Use frameworks with XSS protection

Quelle: AI Generated