Preventing Cross-Site Scripting (XSS) Attacks
Learn how Cross-Site Scripting attacks work and how to prevent them.
Key Concepts
Cross-Site Scripting (XSS)
```html
<!-- inline script: runs as soon as the browser parses the tag -->
<script>alert(1);</script>
<!-- no script tag needed: the broken image source fires the onerror handler -->
<img src="X" onerror=alert(1);>
<!-- user interaction triggers the handler -->
<b onmouseover=alert(1)>click me!</b>
<!-- fires when the page finishes loading -->
<body onload=alert('test1')>
```
Cross-Site Scripting (XSS) is a vulnerability that occurs when a web application places untrusted input into a page without encoding or sanitizing it, so the victim's browser runs attacker-supplied script with the privileges of the site (its cookies, its DOM, its origin).
The three types of XSS are:
- Stored XSS: the server saves the attacker's input (a comment, a profile field) in its datastore and later serves it to every user who views that data.
- Reflected XSS: the application immediately echoes a request parameter back in the response (a search term, an error message); the attacker delivers the payload in a crafted link the victim clicks.
- DOM-based XSS: client-side JavaScript reads attacker-controlled data (for example from location.hash or the query string) and writes it into the DOM through a sink such as innerHTML, so the payload may never reach the server at all.
The snippets above are typical payloads: each makes the browser run attacker JavaScript, either through a script tag or through an event-handler attribute (onerror, onmouseover, onload) that needs no script tag, which is why filters that only block the string "<script>" are not a defense.
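The defense for stored and reflected XSS is the same: encode untrusted values at the point where they are written into HTML. The following is an added example, not code from the original page; it runs under plain Node.js, uses the four payloads shown above as input, and the "search results" template, the comment list and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the original page: HTML output encoding as
// the primary defense against stored and reflected XSS. Runs under plain
// Node.js. PAYLOADS are the four snippets shown on the page; the "search
// results" template, the comment list and the function names are
// assumptions for illustration.

const PAYLOADS = [
  '<script>alert(1);</script>',
  '<img src="X" onerror=alert(1);>',
  '<b onmouseover=alert(1)>click me!</b>',
  "<body onload=alert('test1')>",
];

// Encode the characters that change meaning inside an HTML text node or a
// quoted attribute value. Encoding rather than stripping keeps the user's
// text intact while guaranteeing the browser treats it as data, not markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS: a request parameter is concatenated straight into markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Same template, encoded at the point of output.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS is the same defect with a round trip through a datastore. The
// fix is identical: encode when rendering, whatever was saved earlier.
function renderCommentsVulnerable(comments) {
  return '<ul>' + comments.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}
function renderCommentsSafe(comments) {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// Count tag openers ("<" followed by a letter, "/" or "!") in rendered HTML.
// Used only to make the difference visible: the safe renderers emit exactly
// the tags in their own template, never any contributed by the input.
function countRawTags(html) {
  const matches = html.match(/<[a-zA-Z/!]/g);
  return matches ? matches.length : 0;
}

// Demo: every payload is neutralized by encoding.
for (const p of PAYLOADS) {
  console.log(
    `vulnerable tags=${countRawTags(renderSearchVulnerable(p))} ` +
    `safe tags=${countRawTags(renderSearchSafe(p))} :: ${renderSearchSafe(p)}`
  );
}
console.log(renderCommentsSafe(PAYLOADS)); // constructed "database rows"
```

This encoder is correct only for HTML body text and quoted attribute values. A value placed inside a JavaScript string, a URL (where a javascript: scheme is the concern) or a CSS property needs its own context-specific encoding, which is why a templating engine that auto-escapes by context is preferable to hand-rolled concatenation. For DOM-based XSS the client-side equivalent is to assign untrusted data with textContent or setAttribute rather than innerHTML.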
Lesson 1 of 1: Preventing Cross-Site Scripting (XSS) Attacks
1. A Cross-Site Scripting (XSS) attack is a type of attack where code is injected into a legitimate and trusted website. There are three main types of XSS Attacks: Stored XSS Attacks: In a Sto…
2. In this exercise, we'll take a closer look at DOM-Based XSS Attacks. A DOM-Based XSS attack occurs when an attack payload is executed by altering the DOM in the victim's browser. The DOM (Docu…
3. Let's now explore how Reflected XSS attacks work. In a Reflected XSS Attack, the payload is not stored in a database, it's reflected onto the site. We saw that, in a DOM-Based attack, the vulne…
4. In this exercise, we'll take a look at how to perform a Stored XSS Attack. When a victim clicks a link, malicious code can send the victim's cookie to another server or directly modify the affec…
5. Securing Cookies: In the previous exercise, we saw how cookies can be used to steal users' data. An express server that uses express-session to store cookies has the properties httpOnly and secu…
6. In the Reflected and Stored XSS Attacks, we saw how an attacker can inject malicious code into the server and/or database using a form. This is why it's important to validate and/or sanitize data b…
7. We know that, in DOM-Based Attacks, the malicious code is client-side. To prevent this attack developers must be very careful with the type of code used in the browser. To be more specific, these …
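The cookie-hardening lesson above is about the Set-Cookie attributes that blunt the cookie-theft payload from the stored XSS exercise. The following is an added example, not the course's code; it uses only Node.js built-ins to issue a hardened session cookie and to audit a header for the missing attributes. express-session sets the same attributes from its `cookie` option (`{ httpOnly: true, secure: true, sameSite: 'strict' }`) and names its cookie `connect.sid` by default; the helper names, the sample header values and the stand-in for the browser's cookie store are assumptions constructed for illustration.

```javascript
// Added example, not the course's code: issuing and auditing a session
// cookie with Node.js built-ins only. The helper names and the sample
// Set-Cookie values below are assumptions constructed for illustration.

// Build a Set-Cookie header value. Defaults are the hardened settings.
function buildSessionCookie(name, value, options = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = 'Strict',
    maxAgeSeconds = 3600,
  } = options;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', `Max-Age=${maxAgeSeconds}`];
  if (httpOnly) parts.push('HttpOnly');              // hidden from document.cookie
  if (secure) parts.push('Secure');                  // never sent over plaintext HTTP
  if (sameSite) parts.push(`SameSite=${sameSite}`);  // withheld on cross-site requests
  return parts.join('; ');
}

// Report which protections a Set-Cookie header value lacks. Attribute names
// are case-insensitive (RFC 6265), so compare lower-cased.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Model of what the stored XSS payload sees: a script reading document.cookie
// gets only the cookies that were issued without HttpOnly. Returns the names
// of those cookies, given the Set-Cookie headers the browser received.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => auditSetCookie(h).includes('HttpOnly'))
    .map((h) => h.split('=')[0].trim());
}

// Demo with constructed header values.
const weak = 'connect.sid=s%3Aabc.def; Path=/';                 // no protective attributes
const hardened = buildSessionCookie('connect.sid', 's:abc.def'); // all three set
console.log(auditSetCookie(weak));      // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(auditSetCookie(hardened));  // []
console.log(cookiesVisibleToScript([weak, hardened, 'theme=dark; Path=/'])); // [ 'connect.sid', 'theme' ]
```

HttpOnly is the attribute that defeats the specific `document.cookie` exfiltration shown in the stored XSS exercise, but it does not stop an injected script from making requests as the logged-in user; the encoding and DOM-sink discipline from the other lessons is still required.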